1. Background
Data protection has an important status at Oulu University of Applied Sciences. Data about students, staff and partners is processed with care while respecting the data privacy of every individual.
Digitalisation and data networks have changed society. The operating environment for educational institutions has also changed as different network services and applications are being used in teaching and other activities. This means that data protection is even more significant. Starting from 25 May 2018, the European Union General Data Protection Regulation (GDPR) applies to all organisations that process personal data within the European Economic Area, including Oulu University of Applied Sciences.
2. Data protection for students
At Oulu University of Applied Sciences (Oamk), the processing of personal data is based on the statutory task of Oamk and the legitimate interests of students to complete their studies and use study-related benefits and services. If data about students is to be used for purposes not based on laws or legitimate interests, students must be asked separately to give their consent to this processing.
2.1 Regular data sources
Oamk obtains personal data about students and their student IDs from the Studyinfo.fi student selection register maintained by the Finnish National Board of Education. After being selected, students can independently rectify and/or supplement their data in Oamk systems, such as Peppi and Moodle. Initially, personal data is always collected from the students. In certain situations, address and contact data can be verified from public sources, such as the Population Register, and telephone numbers can be verified from telephone directory services.
2.2 Data processing
Data is processed in relation to study rights and study performance so that study points can be registered for the correct students and so that students can use their completed studies, for example, in seeking jobs and in utilising official services and study-related Oamk services, such as library and IT services.
Initially, data is processed by Student Services in its tasks, teachers to register study points, tutors, heads of degree programmes and guidance counsellors to offer counselling and advice, and other members of staff in relation to their tasks, such as IT services when solving problems. Every data processor only processes data as required in their tasks and using their personal IDs.
Separate material that contains data about students, such as individual assignments and lists of names prepared by teachers for individual study periods, is destroyed after the statutory retention period.
2.3 Accessing data
Current and former students have the right to access any data saved about them.
Students have access to their study-related data in Oamk systems. If students want to access data that is not directly accessible in registers, they can present a request to access data. Former Oamk students can also present a request to access their data to the Oamk GDPR officer: tietosuoja@oamk.fi
Customers of the Oamk library can access their data in the library customer register, regardless of whether or not they are Oamk students.
2.4 Disclosure of data
Data about students can be disclosed to the Social Insurance Institution of Finland (Kela) or other payers of social study benefits. Data about students applying for a student exchange or other international programme can be disclosed to partner institutions. With regard to study periods carried out together with other educational institutions, data can be disclosed to these partners. Data is always disclosed with the principle that only relevant data is disclosed.
Personal data about students can be disclosed for research and marketing purposes if students have given their consent to this. Current and former students can withdraw their previously given consent to the disclosure of data in their Peppi account or, after their studies, by contacting the Oamk GDPR officer or the Student Affairs Office.
Data about current and graduated students can, for an application, be disclosed for research purposes, provided that the research permission has been approved properly. Personal data obtained for research purposes must be destroyed, archived or modified so that the data subject cannot be identified after the personal data is no longer needed for research purposes.
2.5 Automated decision-making and profiling
Oamk may use automated decision-making, for example, to select students and verify individual study points. However, no automated profiling related to personal data is currently carried out. Oamk will notify students if it uses automated decision-making.
2.6 Data protection descriptions of key systems that contain student data
Peppi student information system
https://www.oamk.fi/tietosuojainfo/?id=775bdec7aeb74b5eb418f5e5aefc949989de34e7
Moodle
https://www.oamk.fi/tietosuojainfo/?id=096d316bf61715f5a9b9b00ab0d277e4dd42250d
eExam electronic examination system
https://www.oamk.fi/tietosuojainfo/?id=e360856752f78ee550cd73fbe13d44d9ffbe3a7b
MoveOn international mobility system
https://www.oamk.fi/tietosuojainfo/?id=0ae23d395db882a3deb89de793c167d6d6a183e6
Oiva student intranet
https://www.oamk.fi/tietosuojainfo/?id=ecce25bb03de317d4f4178ef46de45c1d7953dca
Library system
https://www.oamk.fi/tietosuojainfo/?id=13065da555cd53bb3aa9583014cc4049017c8006
3. Data protection of members of staff and job applicants
At Oamk, the processing of personal data about members of staff and job applicants is based on the statutory task of Oamk as an employer and the legitimate interests of the data subjects in relation to employee benefits, occupational health and work-related travel. If personal data is to be used for other purposes, the data subjects must be asked to give their consent to this.
3.1 Regular data sources
Data is always collected from members of staff or job applicants. During employment relationships, members of staff can add their personal data as desired, for example, to their Heimo ID card or Moodle profile.
In certain situations, address and contact data can be verified from public sources, such as the Population Register, and personal telephone numbers can be verified from telephone directory services.
3.2 Data processing
Data is processed in relation to job-seeking or employment relationships. Data is processed by employees of HR Services, supervisors regarding their employees, and IT Services regarding the use of data systems. Data processors handle data using their personal IDs and only in relation to their tasks.
3.3 Accessing data
Members of staff can access their data in Oamk’s systems, such as Sympa and M2. If members of staff want to access data that is not directly accessible, they can present a request to access data to the Oamk GDPR officer: tietosuoja@oamk.fi. Job applicants can also present a request to access data saved about them to HR Services or the GDPR officer.
3.4 Disclosure of data
Data is disclosed to the Oamk subcontractor that carries out salary payment services. Data is also disclosed to occupational healthcare services and Oamk’s insurance company and travel agent. In addition, data can be disclosed upon separate request to the auditor and authorities.
3.5 Automated decision-making
Currently, Oamk does not apply any automated profiling to job applicants or members of staff. If automated profiling is used to support decision-making processes, Oamk will announce this separately.
3.6 Key databases
Heta basic staff data register
https://www.oamk.fi/tietosuojainfo/?id=9b998c4c0b05e9dca9b5e23e9937594a175015ca
SympaHR staff personal data register
https://www.oamk.fi/tietosuojainfo/?id=4d7a08984ba7bd36895b2470b359eda66cb3fc10
Peppi resourcing system
https://www.oamk.fi/tietosuojainfo/?id=9543a41047640956d0b7095c5cfeeb8a08eb8b53
Moodle
https://www.oamk.fi/tietosuojainfo/?id=096d316bf61715f5a9b9b00ab0d277e4dd42250d
MoveOn international mobility system
https://www.oamk.fi/tietosuojainfo/?id=0ae23d395db882a3deb89de793c167d6d6a183e6
Open OAMK registration system
https://www.oamk.fi/tietosuojainfo/?id=7ee3374b9137066f90f1afabfdb798e3bd19987f
4. Oamk’s partners and other parties (participants in events and competition)
Oamk collects data about its partners for communication, marketing and partnership management purposes.
4.1 Regular data sources
Oamk collects contact data about its partners. Data is obtained directly from the partners or, for example, from public websites of companies. Partnership data is collected from the CRM system.
4.2 Data processing
Data is used in stakeholder cooperation (invitations to events, bulletins, customer magazine distribution, newsletters and marketing letters, and other similar material). Register-based mailing may be outsourced, in which case contact data is disclosed to the mailing partner.
Personal data is kept confidential. Access rights to registers are limited to individuals who carry out communication tasks at Oamk.
With regard to events subject to a fee, data can be transferred to the Paytrail system.
4.3 Accessing data
Recipients of newsletters and marketing letters can request that their data be erased in conjunction with each letter.
Partners can present requests to access their data to the Oamk GDPR officer.
4.4 Disclosure of data
Data about partners can be disclosed to Oamk’s subcontractors in situations where communication tasks are outsourced.
4.5 Automated decision-making
Purchase, transaction and location data processed in registers can be used for profiling purposes and to target marketing and customer communication activities. The use of cookies on the website is described in a separate Cookie policy document.
Automated decision-making and partner profiling can be used to target newsletters and marketing letters.
5. Protecting personal data
Oamk uses proper technical, organisational and administrative safety measures to protect personal data in its possession.
6. Rights related to data protection
You have the right to access your personal data and view your personal data in our possession. Primarily, the data is directly accessible through user interfaces of systems. Possible exceptions include temporary lists, e.g. lists prepared to monitor course attendance, and registers related to CCTV systems.
You have the right to request that any incorrect and/or incomplete data be rectified. If you cannot directly rectify data in the specific service, you can request that it is rectified.
You have the right to request that your data be erased, provided that this is not in conflict with the statutory tasks of Oamk.
You have the right to request that the processing of your data be restricted, for example, in a situation where you want to restrict data processors from accessing your contact data.
You have the right to request that your data is transferred, for example, to another educational institution.
If you have any questions about this privacy notify, please contact the Oamk GDPR officer: tietosuoja@oamk.fi
Right of appeal
You can also file an appeal with the Data Protection Ombudsman if you think that Oamk is unable to protect your personal data or if you want to ensure that Oamk is operating in compliance with data protection regulations.
GDPR officer
Ulla Virranniemi, tel.: +358 503610769, email: tietosuoja@oamk.fi or firstname.lastname@oamk.fi