Data Protection Statement Concerning User Management, Access Authorization Management, and Log Management at the University of the Arts Helsinki
Articles 13 and 14 of the EU General Data Protection Regulation. Informing a data subject. Drafted on May 17, 2018; Updated on December 15, 2020
1. Entity and person in charge of processing personal data
Chief Information Officer Mari Nyrhinen
E-mail address: firstname.lastname@example.org, telephone: +358 40 704 4296
2. Contact persons for handling personal data
IT Manager Erik Paalanen
E-mail address: email@example.com, telephone: +358 50 435 7356
3. Register name
User and access authorization management system and logs
4. What are the purpose and the legal basis for processing personal data?
On the basis of the Universities Act, the mission of the University of the Arts Helsinki is comprised of teaching, research, and artistic activities. Universities are autonomous, which ensures the freedom of science, of art, and of highest education. Their autonomy also entails the right to make decisions on matters related to their internal administration. The Act also states that the university community comprises teaching and research staff, other staff and students.
In order to be able to organize its teaching, research, and artistic activities in practice and to arrange its internal administration, the University needs to process the data on people belonging to the university community and to maintain up-to-date information on the people entitled to use the various services of the University. The user and access authorization management system of the University processes data on the teaching and research staff, on the other staff, on students and on people otherwise engaged in contractual relationships with the University for the aforementioned purposes.
In practice, the user and access authorization management system performs the following among others:
- creating University user ID’s and e-mail addresses at the start of a contractual relationship or of a study right
- placing users on the basis of their respective areas of responsibility or study rights in pre-determined user groups via which they have access to the disk resources or e-mail distribution lists as required by their duties
- creating, on request, e.g. master users for various systems so that data management can maintain group information
- managing the life-span of a user’s access right so as to shut a user ID at the end of a contractual relationship or study right or while certain suspicions on the misuse of the rules of use of the University or data security are being looked into
- forwarding of data on active users to the enrolment services used by the University in such a manner that students, staff members, and other users of the University’s services have access to the electronic tools intended for them and that their right to use these means expires when their user ID is shut
- in data management, checking a user’s personal data i.e. when it is necessary to establish a person’s relationship with the University and when a user has been unable to change his or her password or to activate his or her user ID in the suomi.fi service
- the administrators of user groups can see the members of the groups they maintain and are able to delete and add users in/from their group (they can see the user’s name)
The purpose of the processing of personal data in user management and log data systems in accordance with this data protection statement is to enable the processing of personal and other data situated in the other data systems of the University of the Arts Helsinki, to supervise and monitor data security, to clarify failure situations, to prevent and look into infringements of data security, and to make usage analyses. Information stored in the user management and log data systems has been either logically or physically separated from information in other data systems, is thus situated in entirely separate data systems and on separate servers and is not used for any other measures than the aforementioned system supervision and clarification measures.
The data processing as described above is mainly based on the general interest of the University. For certain support functions, the grounds for processing are comprised of the legitimate interest of the University as controller and of the legitimate interest of the users themselves based on which the data required for the functioning of the user management and log data system is processed for the aforementioned purposes. In this case, general interest means the right of the University to perceive, to prevent, and to look into error situations and the unintentional and intentional data protection deviations occurring in its data systems in order to ensure its continued activities as well as to avoid and minimize damages. Additionally, the legitimate interest of the University means the right to monitor the use of data systems containing personal data and other confidential information, the access to such data, and any adding, modifying, and erasure thereof. Such control and user access measures are necessary also to ensure the rights and legal safeguards of the data subjects themselves and the implementation of good practice in data processing.
Use of log data is regulated by the University’s maintenance rules and log rule as well as by legislation currently in force. We do not make use of automated decision-making and profiling as referred to in the Data Protection Regulation as regards user, access authorization and log management.
5. What data do we process?
In the user management systems, University users’ personal data are processed. These include:
- Basic information on a data subject such asname, position or title, social security number, person or student number, user ID, e-mail address(es), study subject code, contact language, telephone number, and postal address;
- the start and end of the access right
- the data subject’s role (student/staff), responsibility area, and adherence to user groups;
- the data subject’s person-specific IDs in the systems linked with user management
A social security number is necessary for a user’s reliable identification in tending to matters regarding a person’s user ID for instance.
In addition to the personal data of University end-users, the personal data targeted in logging and stored in the University data systems and in the personal registers comprised thereof are also processed in the log data systems. The data security of these registers and of personal data processing has been described in the respective data protection statements of each register and of each type of personal data processing available in the listed announcements of the UniArts website.
In addition to that, the user management and log data system processes the personal data of the users who use the system itself (University staff and students as well as third-party support persons and moderators). Data used in these cases include data on the user’s log-ins and communications (e.g. user ID and password, IP address, session ID, and routing data), device data (e.g. a MAC address or a device ID), access level into the log system (i.e. how the user in question can watch, modify and/or erase logs), the log data watched, modified, and erased by him or her, and the time stamp and ID data related to these measures.
6. Where do we get information?
We automatically get user information into the user management from the contractual data stored into the HR system (for staff members) and from the student data system (for students).
User group information is updated in part automatically and in part manually on the basis of change requests from the main users of the University systems or from other persons entitled to request changes.
Changes into a user’s basic information are made into the HR or study management system and then manually in the data management into the user and access authorization management system (name and the change of e-mail address occurring in connexion with the name change).
As a rule, personal data in log systems are obtained from the University’s other data systems in which data are stored from the regular data sources mentioned in the University’s data protection statements. Additional data on the users of the user management and of the log data system are obtained from the data gathered and entered into the system in connection with the creation of user rights as well as from the data collected during use on both users and their equipment.
7. To whom do we disclose and transfer data, and do we transfer data outside the EU or the EEA?
The employees of the data management who perform maintenance work if needed on the register i.a. on the basis of requests made by administrators are entitled to use the University’s user and access authorization management register.
Data on active users are transferred at regular intervals into certain University systems partially administered by service providers outside the University with which data protection has been ensured by concluding agreements on processing personal data. Personal data are not transfered outside the EU or the EEA if this is not needed in order to ensure technical implementation. In this case, the University sees to it that its subcontractor has committed to the EU Commission standard clauses on the processing of personal data and/or is party to the EU–US Privacy Shield data protection arrangement.
The University of the Arts Helsinki is a member of the HAKA trust network and of the eduGAIN trust network as are the other Finnish institutions of higher education. In the services of these trust networks, the user gives his or her consent upon login to disclosing data to the service that he or she logs into while deciding whether he or she wishes to agree to the disclosure of data every time or only when the data content is changed. A user can also withdraw his or her consent if he or she so wishes.
We do not disclose data in the user and access authorization register to parties other than partners engaged in contractual relationships with the University for user identification or for collecting data for authorities as well as for institutions of education engaged in the GÉANT Code of Conduct.
8. How do we protect data and how long will we keep them?
Personal data pursuant to this data protection statement are stored in the user management and log data systems for as long as their data content or other information attached thereto is of use for the purpose in question. In practice, data can be needed e.g. to look into data protection infringements or data security breaches, which is why data are kept on file at least during the time needed for looking into them and for establishing the legitimate interest of the University. This is determined on the basis of the period for filing suit for these measures under penal law. In data protection offences and infringements and in consequent claims for damage, the periods for filing suit and for prosecuting vary from two to five years.
Personal data needed for looking into failure situations and for making use analyses are stored in the user management systems for a few months as of the expiry of an access right and in the log data systems generally for a period of 2–3 months as of their entering.
When use of personal data for the purposes described above is no longer possible after the expiry of their storage period, the data are automatically erased from the user management and log system. Some data may be unintentionally saved in the backup copies made from the University services. These are, however, regularly erased in accordance with the backup copy schedule.
Technically and administratively, the data security of the user management and of the log data systems has been organized in accordance with the best practices in the field. Data stored into the user management and log data system are stored into a logical entity separate from the rest of the data system as well as on physically separated servers and network drives, which makes it not possible to access the user management and log data system or to alter data therein with the same user IDs and access rights as with the actual data systems. The server devices of the user management and log datasystem are protected both by software and physically with firewalls, data protection software, hardening, passwords, and access control. The machine rooms in which the servers are physically situated are locked and subject to access control. Access to the user management and log data systems has been restricted in such a way that access rights have been created in the system only for persons to whom it is imperative to access user management and log data as part of their duties.
9. With whom can you get in touch?
All questions on the processing of personal data as described in this data protection statement are to be asked by getting in touch with the contact person named in Point two who will, in case of need, forward the matter to the data protection officer. In case you feel that your rights are not respected, you may get directly in touch with the Uniarts Data Protection Officer.