Data protection policy

Contents

  1. Coming into force
  2. Purpose and goals
  3. Scope
  4. Definitions
  5. Roles and responsibilities
  6. Enforcement of data protection regulations
  7. Protection of research data
  8. Protection of student data
  9. Information security
  10. Duty to report personal data breaches
  11. Training and instructions
  12. Non-compliance

1. Coming into force

This Data Protection Policy imposes obligations on the personnel, students and other members of the university community. This policy was approved by the President on 3 January 2019.

2. Purpose and goals

The University is a hub of knowledge, learning and research. A large amount of data is continuously processed in connection with teaching, research and administrative activities at the University. The majority of such data is personal data that may be connected to an individual.

The University is committed to protecting the rights and freedoms of individuals and to fulfilling the responsibilities and obligations imposed on it by data protection legislation, such as the EU’s General Data Protection Regulation (GDPR), national data protection legislation and other regulations that govern the processing of personal data.

The purpose of this Data Protection Policy is to set forth the obligations, main principles and operating models that must be followed to ensure compliance with data protection legislation.

In addition to this Data Protection Policy, the University has adopted codes of conduct and supplementary guidelines on data protection and data security, which together with this document constitute a whole.

The purpose of this Data Protection Policy and the supplementary guidelines is to ensure that the University complies with the GDPR, national data protection legislation and other legislation that concerns the processing of personal data and that such compliance may be demonstrated through appropriate and up-to-date documentation.

All the members of the university community (top management, employees, students and visitors) are obligated to adhere to this Data Protection Policy and all the other practices, regulations and instructions governing data protection and information security within the University.

3. Scope

Processing personal data on behalf of the University

This Data Protection Policy shall be complied with whenever personal data is processed on behalf of the University, regardless of where such data is stored and who owns the equipment used in the processing.

Processing personal data using the University’s resources

This Data Protection Policy must also be followed whenever personal data is processed using the University’s information, IT resources or human resources, regardless of whether personal data is processed on behalf of the University.

4. Definitions

The term personal data refers to all information relating to an identified or identifiable natural person. Personal data include, for example, name, address, an identification number, location data, an IP address, an online identifier, a photograph, dietary data, health data, or other data that on its own or combined with other data tells something about a specific individual.

Special category data (previously referred to as sensitive data) include data that reveal an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data and biometric data that uniquely identify a natural person, as well as data concerning health or data concerning a natural person’s sex life or sexual orientation.

Pseudonymised data is data that has been processed so that the individual concerned cannot be directly identified without additional data.

Anonymised data is data that has been processed so that the individual concerned cannot be re-identified.

The phrase processing of personal data refers to, for example, collection and recording, organisation, structuring and storage, adaptation and alteration, retrieval, consultation and use, disclosure by transmission, dissemination or making data otherwise available, alignment and combination, restriction, erasure and destruction of data.

5. Roles and responsibilities

The top management of the University is responsible for ensuring institutional compliance with data protection laws and for implementing the required monitoring activities.

The data protection officer and data protection manager shall, together with the higher education institution’s Data Protection Group, be responsible for preparing and providing guidelines and training on data protection and data security across the University. The members of the Data Protection Group shall participate in the preparation and provision of such guidelines and training in their own unit and areas of expertise.

The data protection officer shall also be responsible for providing advice and guidance on data protection, monitoring compliance with the GDPR and this Data Protection Policy within the University, reporting to the top management, processing personal data breaches, and serving as a liaison between the University and public authorities in matters concerning data protection.

The data protection manager shall also be responsible for providing advice and guidance related to the security and data protection of the University's information systems and for managing reported personal data breaches.

Heads of unit shall be responsible for ensuring that their unit adheres to data protection legislation, the Data Protection Policy and the University’s guidelines on data protection and data security. While heads of unit may delegate the management of data protection issues to designated contact persons in the faculties or units, they shall nevertheless remain legally responsible for regulatory compliance. In all the units within the University, employees must be made aware of the data protection responsibilities that come with their position. In addition, heads of unit shall ensure that all employees who process personal data in the laboratories or units are aware of the University’s regulations and guidelines on data protection and data security. Heads of unit shall also ensure that all information systems used in their unit are consistent with the University's principles governing data protection, data security and enterprise architecture.

Principal investigators shall be responsible for ensuring that their project is conducted in accordance with data protection legislation, the University's Data Protection Policy and other instructions and guidelines governing data protection and data security issued by the University. They shall ensure that the processing of personal data is appropriately planned, conducted and documented and that researchers who process personal data have completed necessary data protection training before processing personal data. In addition, they shall ensure that the roles of employees (responsible person/contact person/processor) and their responsibilities and obligations are specified in detail.

Supervisors shall monitor their employees’ compliance with data protection legislation, the University's Data Protection Policy and other instructions and guidelines governing data protection and data security issued by the University. In addition, supervisors shall be responsible for ensuring that all new employees are made aware of the University’s regulations and guidelines governing data protection and data security.

Employees shall perform all their tasks in compliance with data protection legislation, the University's Data Protection Policy and other instructions and guidelines governing data protection and data security issued by the University.

Students shall perform all their tasks in compliance with data protection legislation, the University's Data Protection Policy and other instructions and guidelines governing data protection and data security issued by the University.

Unless otherwise agreed upon, students shall assume the responsibilities of data controllers when they collect personal data for their own research purposes (including practical assignments and theses). This means that students are responsible for fulfilling the obligations imposed on data controllers under data protection legislation.

An employee who is responsible for a given activity shall be assigned as the person responsible for a personal data file or processing activities. The designated person shall ensure that processing activities are planned and documented in accordance with the relevant data protection principles and that appropriate technical and organisational measures are taken to fulfil all data protection obligations.

In addition, the person shall ensure that a privacy policy for the personal data file that they are responsible for is prepared in accordance with the University's guidelines.

An employee or employees who are responsible for the administration of processing activities or a personal data file shall be assigned as the contact persons for a personal data file or processing activities. The contact person shall be responsible, among other things, for keeping personal data and related data protection documents up-to-date. The entire university community must be committed to data protection to ensure an adequate level of data protection across the organisation.

All employees, students and users of the University’s systems and services are obligated to comply with, maintain and monitor data protection and information security.

6. Enforcement of data protection regulations

6.1 Principles for processing personal data

Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and in a transparent manner in relation to individuals.

Purpose limitations: Personal data may only be collected for specified, explicit and legitimate purposes and may not be further processed in a manner that is incompatible with those purposes.

Data minimisation: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy: Personal data must be accurate and, where necessary, kept up to date.

Storage limitation: Personal data must be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Data protection by design and by default requires that the nature and extent of processing activities are assessed on a case-by-case basis already at the planning stage before processing begins or before the means of processing personal data are changed.

The processing principles must be observed when planning new processing activities and when the extent, nature or purpose of existing processing activities or systems change. The person who is planning to process personal data shall be responsible for completing the assessment. The person responsible for a specific personal data file or processing activities shall ensure that the processing principles are observed and appropriately documented.

6.2 Enforcement of data protection regulations

The University is committed to adhering to the principles for processing personal data and the principles concerning data protection by design and by default. The proper processing of personal data requires that all members of the university community observe and satisfy the following applicable requirements:

When processing activities are planned, the principles for data protection by design and by default must be observed; the data protection principles must be observed when planning to initiate processing activities; the potential risks and consequences of processing personal data must be assessed from the point of view of data subjects; appropriate protective measures must be taken to minimise any risks associated with processing personal data; and the process of planning to initiate processing activities and the related assessments must be appropriately documented.

When processing activities are planned, the persons involved must always be aware of the basis for processing; there must always be a specific, lawful basis for processing personal data; personal data may not be processed for purposes that go beyond the original purpose for which the data were collected; personal data may not be retained for longer than necessary in relation to the purposes for which they were collected; personal data that is unnecessary may not be collected; an appropriate privacy notice must always be prepared before undertaking processing activities; processing activities must be appropriately documented (including up-to-date log data); the means of processing personal data must be regularly assessed.

If processing activities are outsourced to an external service provider, the controller must ensure that the external processor is committed to adhering to the University’s data protection and data security regulations.

Persons involved in processing activities

Access to personal data must be strictly limited to persons who process personal data in connection with their professional duties to achieve the purpose of the processing activities; the persons involved in processing personal data must be aware of their roles and responsibilities; the persons involved in processing personal data must have completed training in data protection and information security; the persons involved in processing personal data must comply with the data protection regulations.

Position of data subjects

Data subjects must be offered information on processing activities that concern them; subject access requests must be responded to without undue delay; data subjects must be provided with effective means for exercising their rights.

Before undertaking processing activities, the activities must always be planned and documented. The entire life cycle of personal data must be taken into account.

6.3 Accuracy of personal data

Data controllers must ensure that the personal data they hold about individuals is accurate and up-to-date. Each employee, student and visitor is responsible for ensuring that the personal data that they provide to the University is accurate and up-to-date.

6.4 Retention period of personal data

Personal data may generally be processed for as long as is necessary to achieve the original purposes for which the data were collected. The University stores personal data in accordance with its records management or archives formation plan, which sets forth the documents created in connection with different processes or lists the types of data held by the University and their retention periods. The basis for determining the retention period(s) must be included in the privacy policy concerning a specific personal data file or processing activity.

The retention period of research data must be specified in the research plan and data management plan and included in the privacy policy concerning the research project.

After the specified retention period ends, personal data must be destroyed or anonymised in accordance with the University’s guidelines that are in force at the time.

6.5 Data subjects’ requests to access or review personal data and other requests concerning data protection

The University has adopted procedures that facilitate the exercise of data subjects’ rights. The rights of data subjects are set forth in applicable laws and regulations.

6.6 Outsourcing the processing of personal data

As a data controller, the University may outsource some of its processing activities to an external data processor. Processing activities may only be outsourced to an external data processor that possesses sufficient technical and organisational resources to ensure that all personal data are processed in compliance with data protection laws. The person responsible for the relevant personal data file or processing activity is responsible for assessing the suitability of a proposed external processor.

This person is also responsible for ensuring that the University and external processor enter into a written agreement that sets forth the terms and conditions for processing activities. The external processor must agree to comply with the University’s data protection and data security regulations and other operational requirements. The processing of personal data must always comply with the data processing agreement.

6.7 Transfer of personal data outside the EU and EEA

Special care must be taken whenever personal data is transferred outside the European Union and the European Economic Area. Personal data may not be transferred outside the EU/EEA, unless appropriate measures are taken to protect the data from unauthorised access pursuant to data protection legislation.

7. Protection of research data

When processing activities are carried out for scientific research purposes, the principles of this Data Protection Policy must be followed while also considering the academic goals of individual research projects. In scientific research, the processing of personal data must always be based on an approved research plan.

Only personal data that is strictly necessary for the achievement of the scientific goals may be collected for research purposes. Unnecessary or excessive data may not be collected.

The lawful basis and purpose of processing personal data, the retention period of data and other details required under data protection laws must be specified in the research plan and data management plan at the planning stage before undertaking processing activities.

Information on processing activities must be included in the privacy policy concerning the research project or research materials. It is also possible to inform research subjects of the processing of their personal data in some other clear and unambiguous manner. Each researcher involved in processing activities shall be responsible for providing the required information to their research subjects. In case the collection of research materials requires consent from research subjects, they must be requested to provide written consent in accordance with the University’s guidelines.

Persons who process personal data in connection with the University’s research projects must comply with the code of practice for research data, which the University has agreed to follow. Researchers must process personal data in accordance with the principles of good research practice, research ethics, scientific quality, academic integrity and the code of practice. If it is necessary to conduct an ethical review before launching a research project, the review must be completed before the collection of personal data begins.

The University is designated as the data controller of a research project, if the University defines the purpose and means of processing. This is the case in research projects that are approved by the University and conducted with core funding granted to the University by the Finnish Government or with external funding provided by an external party. In addition, the University may serve as a data processor, if the University processes personal data held by another data controller on that data controller’s behalf.

8. Protection of student data

Compliance with this Data Protection Policy is required when personal data is processed for study-related purposes. Before students start collecting or otherwise processing personal data for study-related purposes, they must specify the activities in their research plan and agree on the processing activities with their thesis supervisor or course teacher. As part of their studies, students must familiarise themselves with the University’s regulations and guidelines for processing personal data. The University may require students to complete training in data protection before processing personal data.

Unless otherwise agreed upon, students shall assume the responsibilities of data controllers when they collect personal data for their own research purposes (including practical assignments and theses). This means that students are responsible for fulfilling the obligations imposed on data controllers under data protection legislation.

Students must provide their data subjects with a privacy notice, ensure that they only collect personal data that is strictly necessary for the achievement of their academic goals and otherwise make sure that the data protection principles are observed during their research.

9. Information security

All members of the university community who are involved in processing personal data must comply with the University’s Data Protection Policy and other related rules and regulations.

10. Duty to report personal data breaches

Each member of the university community is obligated to report actual or suspected personal data breaches in accordance with the University's guidelines. Persons who notice that the processing of their personal data violates this Data Protection Policy are advised to contact the University’s data protection officer, so that action may be taken to remedy the situation. They may also appeal to the Office of the Data Protection Ombudsman to review the lawfulness of the University’s processing activities.

11. Training and instructions

All the members of the university community are expected to be familiar with and comply with the University’s regulations concerning data protection and information security. Persons may be required to complete online training or other training, if their job duties or position in the university community necessitate such training.

12. Non-compliance

Failure to comply with data protection legislation may result in sanctions under civil or public law (including labour laws).

More information: dpo [at] tuni.fi