1. The Purpose and Aims of the Personal Data Policy
The university is a center for knowledge, learning and research where information is constantly being processed. In research, teaching and services, the vast majority of this information is related to living people - and is thus personal data. According to the Aalto University Code of Conduct, as verified by the Board of Aalto University on 14.06.2017, Aalto University (henceforth referred to as “the university”) is committed to protecting an individual’s rights and freedoms when their personal data is being processed by the university.
The purpose of this personal data policy is to define the main principles, responsibilities and procedures that will be followed when personal data is processed at the university. In addition, to further ensure the protection of data at the university, there are codes of conduct and other forms of instruction in place that, combined with this data policy, form a cohesive whole.
The aim of this data policy is to ensure the university’s compliance to the demands set by the EU General Data Protection Regulation (GDPR), national data protection legislation and other legislation that relates to the processing of personal data. In addition, the aim of this policy is to ensure that this compliancy is demonstrable with documentation.
2. Obligation to Observe the Personal Data Policy
All members of the Aalto community (management, employees, students and academic visitors) are required to observe the personal data policy, information security policy and other university rules, guidelines and endorsed practices related to data processing and information security. If the processing of personal data is done on behalf of the university, this data policy must be observed regardless of where the data is being stored and who owns the equipment used in processing activities. The personal data policy must also be observed whenever the university’s information systems or other information technology resources are being used for the processing of personal data.
Data protection means assuring the privacy and trust of an individual (data subject) and protecting personal data against unauthorized processing. The processing of personal data must always be done for a specified purpose and on a lawful (specified by GDPR Article 6) basis.
Information security means the technical and organizational measures taken to protect information, services, systems and communications.
A controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Personal data means any information concerning an identified or identifiable natural person. Personal data is, or can be, for instance, a person’s name, address, social security number, location data, IP address, other network identification, photograph, dietary information, medical information or other information that, either by itself or when combined with other information, forms knowledge about a specific person.
Sensitive (special categories of) personal data means data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Pseudonymized data means data that has been processed in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.
Anonymized data means data rendered anonymous in such a way that the data subject is no longer identifiable.
Processing means, for instance, collection, recording, organizing, structuring, storage, adaptation, alteration, retrieval, combination, as well as transmission and destruction of data.
Privacy notice (GDPR Article 13 and 14) is the information given to the data subject, including but not limited to the legal basis for processing, the purpose of processing, what information is being gathered and the data subject’s rights.
Records of processing activities (GDPR Article 30) is the controller’s internal documentation regarding the processing operations performed on personal data or sets of personal data under their control.
4. The Principle of Public Access
In addition to legislation regarding the protection of personal data, the university is bound by the Act on the Openness of Government Activities (621/1999). According to the principle of public access, all information held by the university is public unless otherwise decreed. The publicity of personal data is thus determined by this legislation. The legislation also applies to the divulgence of personal data from the university’s personal data registers. In accordance with the Act on the Openness of Government Activities, the university may be required to divulge information that includes personal data to third parties.
5. Roles and Responsibilities in the Execution of Data Protection
The university management carries the university-wide responsibility for data protection. The management is responsible for the university's personal data protection policy, adopting of university-level guidelines and the organization and resourcing of data protection development. The university’s Data protection officer and Chief information security officer are responsible for planning and offering university-wide training and instruction on data protection and information security. To do this, they will receive assistance from the members of the university’s data protection team, who will, each in accordance with their personal areas of expertise and responsibility, participate in the planning and execution of training and instruction.
The head of department and head of service unit are responsible for ensuring that their department or service unit complies with personal data legislation and this personal data policy. The heads of department or service unit may delegate personal data protection management to the data protection contact for a service unit, department or project, but legal responsibility will still remain with the delegating manager.
All the departments and service units of the university must specify the responsibilities and roles of their employees in different roles (register responsible/register contact person/administrator/user) of data processing for each personal data register, and ensure that all employees of the department or service unit that process personal data have been properly trained in the university’s data policy and processing protocol. A department or service unit head must ensure that all information systems used in the area of the university under their management comply with Aalto University’s privacy, information security and system architecture principles. Superiors must enforce the university’s data protection and information security policies and protocols.
The person responsible for the associated function related to a specific register should usually be named as person responsible for said personal data register. Such person must ensure that all processing of personal data under their supervision is done in accordance with the personal data principles and all required technical and organisational protocols are followed.
The person or persons responsible for the practical management of a personal data register shall be named as contact person for said personal data register. This can be, for example, the administrator of the register. This contact person is responsible for keeping the personal data register and its data protection documentation up to date and for using the register for conducting university tasks.
The principal investigator is in charge of ensuring that this personal data policy and all relevant data protection legislation is observed in all research conducted under their supervision. In addition, she/he is responsible for ensuring that all researchers processing personal data have participated in training in the proper protocols for doing so before engaging in processing activities. The principle investigator of a research project must specify the roles and responsibilities of their employees in different roles (register responsible/register contact person/user) where they relate to personal data processing as is appropriate for the research project and the research data register in question.
The university’s data protection officer is responsible for providing information and guidance on matters related to personal data, supervising the observation of this data policy and data protection legislation in the university and reporting any deviations thereof to the university leadership. The data protection officer functions as the contact person for the university in matters relating to the relevant supervisory authority, the Data Protection Ombudsman.
The university’s chief information security officer is responsible for the security of the university’s data systems and giving information and guidance in matters related to information security. In addition, they are responsible for managing reported security deviations.
Every employee and student at the university and every user of the university’s services is obligated to participate in the realization, upkeep and surveillance of data protection, for example by following given guidance and by notifying to the information security team on every detected endangerment of information security or data protection.
6. Personal data processing at the university
Personal data related to people working in cooperation with the university, such as previous and current students, previous and current employees, research participants, applicants, alumni and partners, is processed at the university. This personal data must be processed in accordance with this personal data policy and according to accepted protocol, in which the processing purposes and bases by which the university processes and stores said data are defined.
The university may be required to process sensitive personal data, such as information relating to an employee’s illness in conjunction with sick leave or information relating to disability in conjunction with auditorium reservations. The processing of sensitive personal data in research requires a statement from the university’s Research ethics board.
7. The Realization of Data Protection at the University
7.1 Planning of Personal Data Processing and the Basic Principles of Data Protection
The entire cycle of data processing must be planned before data is gathered or before any meaningful changes are made to information systems.
All processing of personal data must be done in accordance with the following basic principles:
- there must be a lawful basis for processing;
- the persons whose data is being processed must be given sufficient information on the processing of their data;
- the processing purpose must be defined and processing restricted to the processing purpose;
- information security rules are observed when processing personal data;
- employees and students who process personal data have completed data protection training;
- the person whose data is being processed must be given effective means of exercising their rights, and their requests are reacted to without delay;
- the risks related to the processing of personal data are surveyed from the point of view of the person whose data is being processed, and the risks are minimized - for example through the use of pseudonymization - and a data processing impact assessment is done if risks are high;
- personal data is processed only when necessary;
- the correctness of data is ensured;
- the principle of privacy by design is followed;
- processing activities are documented;
- personal data is stored only as long as required for the processing purpose;
- processing protocol is assessed at regular intervals.
In practice realization of privacy by design means amongst the other things the following:
University personnel in charge of defining or planning new or substantially changed information systems that process personal data will take into account the protection of personal data and conduct any necessary risk and impact assessments. Similarly, risk assessments must be conducted in research, study and other projects and appropriate organizational and technical solutions must be chosen to ensure the realization of personal data protection within the project. A research, study or other project may also require a personal data impact assessment. The impact assessment of personal data gathered for research purposes is part of the research ethics evaluation process.
Information regarding employees and students, applicants, alumni, sponsors, service users, individuals accessing the university’s website, or other data subjects must be processed only by those whose work description includes the processing of said data. Accessibility and viewing rights to information systems will be defined and given only to the individuals who need the information contained within the system to perform the tasks given to them.
Processing of the personal data of students and applicants by employees must be done in accordance with the code of conduct on data protection in field of learning and teaching, to which the university is committed. Similarly, in research, the personnel handling the personal data should comply with the codes of conduct on data protection in research, to which the university is committed.
7.2 Information of Processing
The person responsible of a personal data register must ensure that the information required by the GDPR regarding data processing activities will be published on the university’s website or otherwise given to the data subjects in the form of a privacy notice. Each register responsible is also responsible for ensuring that there is an internal records of processing activities for each personal data register.
7.3 Ensuring Accuracy of Personal Data
Personal data registers must be accurate and kept up to date. To ensure the accuracy of information related to the employees of the university, each employee is responsible for keeping all personal information given to the university for the purposes of payroll and any other information up-to-date and accurate. During their term of employment, the employee must inform the university of their information as directed by human resources (for example: changes in bank account number and address should be made through the Personec ESS system). To ensure that personal data registers related to students remain up-to-date and accurate, students must update their information at least once every academic year. The updating of other data registers should be agreed upon with the data subjects or kept up to date utilizing public registers (such as the Population Information System).
7.4 Personal Data Retention
The personal data is retained as stated in the Aalto University data control plan. The data control plan includes a list of different kinds of processes and the documents and information created throughout them, and their:
- retention period or the criteria used to determine that period,
- statutory publicity information or confidentiality information, specific legal provision that confidentiality is based on and the confidentiality period,
- personal data status,
- information system where the data is stored at,
- specifying information on the publicity status, retention or archiving of the document group.
When the retention period specified in the data control plan has ended, the documents must be destroyed safely and in accordance with the protocol given for destroying of data.
The retention period for research data is defined in the research plan and the data management plan. The retention period is stated in the privacy notice of the research project.
7.5 Outsourcing Personal Data Processing
As controller, the university can outsource certain parts of its data processing activity to a third party. To be chosen to process personal data controlled by Aalto, a third party must comply with the demands set by GDPR and follow good data processing protocol. A written agreement will be drafted between the university and the third party processor. This agreement (data processing agreement (DPA)) will define the subject and purpose of the processing as well as other information required by GDPR legislation.
7.6 Automated Decision-Making
Automated decision-making is data processing, which is based solely on automated processing that has legal effects concerning a person. Decisions related to a person or evaluation of a person’s work will not be conducted automatically. Instead, a member of the university’s staff will, for example, supervise an automated evaluation process or exam results will be decided upon by an exam board.
8. Data Protection in Research and Studies
8.1 Processing of Personal Data in Research
For data processing related to scientific research, the academic aims of the research will be taken into account whilst observing the principles set out in this personal data policy. Data protection and information security requirements shall be taken into account in a research plan and a data management plan. The data subjects are informed of the most central aspects of processing in a clear and understandable manner and personal data processing information required by legislation is given to the data subjects. Researchers are responsible for informing data subjects.
People who process personal data in a research project must follow the code of conduct on the protection of personal data in research, to which the university is committed. All researchers within the university must process personal data according to the best practices of the field in accordance to the European Code of Conduct for Research Integrity. Required ethical pre-evaluation must be done before data gathering is commenced, following instructions given by TENK (The Finnish National Board on Research Integrity) and the university.
The processing of personal data in research must also be limited to the minimal amount required to achieve the academic goals of the project. In addition, data must be pseudonymized or anonymized whenever possible.
8.2 Processing of Personal Data as Part of Studies
Personal data processing in conjunction with studies shall be done in accordance to the basic principles set forth in this personal data policy. The student must agree upon processing personal data in their research project with their thesis supervisor or the professor in charge of their course before the collection or other processing of personal data can begin. The student must, as part of their studies, be introduced to the data processing protocol in place at the university, and it is recommended that they participate in the university’s data protection training before processing personal data. The student must provide participants of the study with a privacy notice, respect the principle of data minimization and otherwise ensure the realization of the basic principles for good processing practice in their research project.
9. Information Security
Every employee and student within the university who processes personal data must ensure that, where any data processed by them is concerned, the personal data is stored securely and not given to third parties by accident or on purpose in an unlawful manner. Integrity, confidentiality and usability will be strived towards with both technological and procedural means. Everyone within the university that processes personal data is responsible for ensuring the realization of this integrity, confidentiality and usability.
The foundation for data protection (integrity and confidentiality) will be set by the university data management code. The procedures that must be followed to prevent data from falling into the hands of a third party are described in this code. Among other things, this code includes instructions for encrypting data in different situations. The code applies to data in all its forms, including but not limited to information systems, documents, printed text, backup files, etc. Storing classified information in an information system requires that the information system fulfill the criteria for the confidentiality level of the information.
10. Data Breaches and Data Protection Violations
A data breach is an event that endangers the integrity, confidentiality or usability of services or information of the university. Everyone within the university is obligated to report a data breach. Data breaches include but are not limited to a misplaced or lost memory or other device, or a significant malicious software occurrence. A suspected or confirmed data breach must be immediately reported by contacting the university’s information security team, for instance by using the email address security(at)aalto.fi, or in another manner in keeping with instructions given by the information security team. The team handles all data breach or privacy breach notifications related to the university and assists in solving them, for instance by blocking possible data breaches.
According to the GDPR, if a breach occurs and if the breach is likely to result in a risk to the rights and freedoms of data subjects, the university’s data protection officer must notify the Data Protection Ombudsman of the breach without undue delay and not later than 72 hours after being made aware of it. If a data breach that is likely to result in a high risk to the rights and freedoms of data subjects occurs, the data protection officer will notify the affected persons without undue delay.
11. Processing Personal Data Outside the EU and the European Economic Area
The university transmits data outside of the EU and the EEA to countries that do not offer data protection that complies with the GDPR only when this can be done in compliance with the GDPR. All persons processing personal data on behalf of the university must ensure that the level of security provided by, for instance, any cloud storage services they use is in accordance with the level required by the GDPR.
12. Access and Other Requests by Data Subjects
The GDPR provides rights to data subjects. These rights include right of access, and, with certain restrictions, concerning for example research data, the right to rectification, right to erasure and right to restrict processing. The university has an electronic protocol in place for handling requests for access, review, rectification and erasure of personal data. This protocol is administrated by the data protection officer.
13. Training and Guidance
The university strives to ensure that its staff is aware of the responsibilities placed upon them by data protection legislation and for providing training and guidance. Every member of the university staff must familiarize themselves with data protection guidelines. A web course or other training shall be completed before processing personal data on behalf of Aalto University can be required when necessary for work duties.
Training material, codes of conduct, guidelines, privacy notices, and other personal data protection material will be made public on university website.
14. Breaches of Personal Data Policy
The use of information systems that contain personal data is supervised with technical measures such as the gathering of log data and user management solutions. If data privacy is suspected or confirmed to be compromised due to a breach of data policy, the situation will be investigated without delay and measures will be taken against the person responsible in accordance with the nature of the breach.
Any person who finds that this personal data policy has not been followed in the processing of personal data shall contact the university’s data protection officer by email dpo(at)aalto.fi. Data subject also has the right to take the matter of the university’s processing activities’ legality to the attention of the Data Protection Ombudsman.
15. Approval and Review of Personal Data Policy
The university’s president has approved this policy regarding data protection to be binding for the staff, students and other members of the university community from 25.5.2018 onwards. The university’s data protection officer is in charge of ensuring that the policy stays up to date and it is reviewed to assess possible amendment requirements.