The purpose of this personal data policy is to define the main principles, responsibilities and procedures that will be followed when personal data is processed at the university.
General instructions for secure processing of personal data
A quick guide to the data protection and data security of personal data processing activities:
- Check whether your work involves the processing of personal data and follow the instructions provided in this guide on the processing of personal data. Personal data is a wide-ranging concept. Any data that can be connected to a person or that can be used to identify a person either directly or indirectly is considered personal data (e.g. name, personal identification number, phone number, credit card number, photo, etc.).
- Remember that privacy protection is a fundamental right. Remember to always be careful when processing personal data regardless of whether the data is in digital, oral or printed form, and remember to ensure that the data does not fall into the hands of any third parties. The university’s activities involve the processing of data that falls under different levels of data security. Be especially careful when processing secret personal data (e.g. sensitive data such as health data). The quick data classification guide (see the appendix below) will help you assess the level of data security that the data that you are processing requires and which IT services are required to achieve the necessary level of data security. For more detailed instructions on data classification, see the page Data protection practices in Aalto.
- Whenever possible, process the data in its original data processing system – Avoid transferring the personal data outside the original system, for example to an Excel spreadsheet, for no particular reason. Personal data should always be processed in its original data processing system because the system can also save a log of the processing that was done to the personal data. If it is necessary for you to process the personal data outside its original system, see special instruction 1 below.
- When you are about to initiate a project that involves the processing of personal data (e.g. a new service), plan the entire lifecycle of how the personal data will be processed (collection, utilisation, modifications, destruction) before you begin collecting any personal data, and remember to document the results of the planning process.
- Minimise personal data - Think very hard about what personal data you will need to collect and store (e.g. avoid the unnecessary processing of personal identification numbers).
- When you are about to start a new project (e.g. a research project) remember to inform the persons whose data will be collected before you begin collecting any personal data. The information that needs to be given to potential data subjects is described in detail in the relevant legislation. This is why we recommend using the right templates when informing data subjects in research projects and other activities.
- Process the personal data only in connection with its intended purpose - The processing of personal data must always be done for a predefined justification and purpose, and you can check the justifications that are in accordance with the EU General Data Protection Regulation.
- Destroy any unnecessary and expired personal data – Do not store personal data “just in case”. Remember to take into account the storage periods specified in the Information Management Plan for personal data as well.
- Store all personal data in a secure manner - Not on your desk but in a locked cabinet, on Aalto’s network drives with limited access, or in encrypted form on a laptop or external memory drive such as a memory stick. See our Top 10 data security tips for encryption.
- Do not give the personal data to just anyone - Personal data may be processed only by those whose work tasks involve the processing of personal data.
- Keep the personal data up-to-date - Only correct data can be considered useful data.
- Be careful when transferring personal data – Always check that the recipient is who they say they are. If you intend to send any confidential or secret personal data by email, remember to send the message as an encrypted email message or include the data as an encrypted attachment (do not send any passwords by email). If you plan to send any personal data outside Aalto University, remember that the transfer of personal data outside the EEA region includes special conditions, see special instruction 3. Remember to also ensure that you have the right to transfer the personal data (information on the transfer of personal data is included in the data protection notice or otherwise) and that you have agreed on the terms of how the personal data is to be processed with the recipient, see special instruction 4.
- If any damage or suspicious activity has occurred in connection to any personal data, notify [email protected] – Act quickly. The best way to fix an error or prevent a threat is to tell about it immediately. Time is of the essence when preventing any further damage.
Special instructions on the processing of personal data
Take note of these special instructions when processing personal data in the following situations:
1. If you are required to process confidential or secret personal data in an Excel spreadsheet, Word document or other form of document outside the original data processing system:
- Always process the personal data on Aalto University workstations or using services where Aalto University and the service provider have signed the appropriate valid agreements (see the quick guide to classification).
- Never transfer any personal data or registers containing personal data to any personal devices or cloud services.
- If you intend to send confidential or secret personal data by email, encrypt the personal data by using for example the Encrypt button found in the Aalto University Outlook.
- Always use Aalto University’s VPN connection when connecting to any Aalto University services from an external network.
2. All laptops that are used in Aalto University must have encrypted hard drives. The laptops may contain confidential and secret data from the university’s network drives and user activities, and the laptops must feature an adequate level of protection. The laptops that are managed by IT Services have encrypted hard drives. If you wish to check whether the hard drive of your laptop has been encrypted, contact the IT service desk, servicedesk.aalto.fi.
3. Personal data may be transferred outside the EEA region if the EU Commission has decided that the third country in question can ensure an adequate level of data protection (transfer on the basis of a decision on the adequacy of data protection), by signing an agreement with the recipient using the templates provided by the EU Commission, or to the United States under the so-called Privacy Shield agreement. Further information: The transfer of personal data outside the EEA region.
4. If any personal data is transferred to an external service provider for processing (e.g. outsourcing or SaaS), a written data processing agreement must be made on the processing of the personal data (see the data processing agreement template).
Read more detailed instructions on how personal data is to be processed in the different functions of the university, how data is classified, how long data may be retained, and data security practices related to daily work. And remember: if you don’t know something, just ask! ([email protected]; [email protected]; legal and ITS services).