Data protection has an important status at Oulu University of Applied Sciences. Data about students, staff and partners is processed with care while respecting the data privacy of every individual.
Digitalisation and data networks have changed society. The operating environment for educational institutions has also changed as different network services and applications are being used in teaching and other activities. This means that data protection is even more significant. Starting from 25 May 2018, the European Union General Data Protection Regulation (GDPR) applies to all organisations that process personal data within the European Economic Area, including Oulu University of Applied Sciences.
2. Data protection for students
At Oulu University of Applied Sciences (Oamk), the processing of personal data is based on the statutory task of Oamk and the legitimate interests of students to complete their studies and use study-related benefits and services. If data about students is to be used for purposes not based on laws or legitimate interests, students must be asked separately to give their consent to this processing.
2.1 Regular data sources
Oamk obtains personal data about students and their student IDs from the Studyinfo.fi student selection register maintained by the Finnish National Board of Education. After being selected, students can independently rectify and/or supplement their data in Oamk systems, such as Peppi and Moodle. Initially, personal data is always collected from the students. In certain situations, address and contact data can be verified from public sources, such as the Population Register, and telephone numbers can be verified from telephone directory services.
2.2 Data processing
Data is processed in relation to study rights and study performance so that study points can be registered for the correct students and so that students can use their completed studies, for example, in seeking jobs and in utilising official services and study-related Oamk services, such as library and IT services.
Initially, data is processed by Student Services in its tasks, by teachers to register study points, by tutors, heads of degree programmes and guidance counsellors to offer counselling and advice, and by other members of staff in relation to their tasks, such as IT services when solving problems. Every data processor only processes data as required in their tasks and using their personal IDs.
Separate material that contains data about students, such as individual assignments and lists of names prepared by teachers for individual study periods, is destroyed after the statutory retention period.
2.3 Accessing data
Current and former students have the right to access any data saved about them.
Customers of the Oamk library can access their data in the library customer register, regardless of whether or not they are Oamk students.
2.4 Disclosure of data
Data about students can be disclosed to the Social Insurance Institution of Finland (Kela) or other payers of social study benefits. Data about students applying for a student exchange or other international programme can be disclosed to partner institutions. With regard to study periods carried out together with other educational institutions, data can be disclosed to these partners. Data is always disclosed on the principle that only relevant data is disclosed.
Personal data about students can be disclosed for research and marketing purposes if students have given their consent to this. Current and former students can withdraw their previously given consent to the disclosure of data in their Peppi account or, after their studies, by contacting the Oamk GDPR officer or the Student Affairs Office.
Data about current and graduated students can, upon application, be disclosed for research purposes, provided that the research permission has been approved properly. Personal data obtained for research purposes must be destroyed, archived or modified so that the data subject cannot be identified after the personal data is no longer needed for research purposes.
2.5 Automated decision-making and profiling
Oamk may use automated decision-making, for example, to select students and verify individual study points. However, no automated profiling related to personal data is currently carried out. Oamk will notify students if it uses automated decision-making.
2.6 Data protection descriptions of key systems that contain student data
Peppi student information system
eExam electronic examination system
MoveOn international mobility system
Oiva student intranet
3. Data protection of members of staff and job applicants
At Oamk, the processing of personal data about members of staff and job applicants is based on the statutory task of Oamk as an employer and the legitimate interests of the data subjects in relation to employee benefits, occupational health and work-related travel. If personal data is to be used for other purposes, the data subjects must be asked to give their consent to this.
3.1 Regular data sources
Data is always collected from members of staff or job applicants. During employment relationships, members of staff can add their personal data as desired, for example, to their Heimo ID card or Moodle profile.
In certain situations, address and contact data can be verified from public sources, such as the Population Register, and personal telephone numbers can be verified from telephone directory services.
3.2 Data processing
Data is processed in relation to job-seeking or employment relationships. Data is processed by employees of HR Services, supervisors regarding their employees, and IT Services regarding the use of data systems. Data processors handle data using their personal IDs and only in relation to their tasks.
3.3 Accessing data
3.4 Disclosure of data
Data is disclosed to the Oamk subcontractor that carries out salary payment services. Data is also disclosed to occupational healthcare services and Oamk’s insurance company and travel agent. In addition, data can be disclosed upon separate request to the auditor and authorities.
3.5 Automated decision-making
Currently, Oamk does not apply any automated profiling to job applicants or members of staff. If automated profiling is used to support decision-making processes, Oamk will announce this separately.
3.6 Key databases
Heta basic staff data register
SympaHR staff personal data register
Peppi resourcing system
MoveOn international mobility system
Open OAMK registration system
4. Oamk’s partners and other parties (participants in events and competition)
Oamk collects data about its partners for communication, marketing and partnership management purposes.
4.1 Regular data sources
Oamk collects contact data about its partners. Data is obtained directly from the partners or, for example, from public websites of companies. Partnership data is collected from the CRM system.
4.2 Data processing
Data is used in stakeholder cooperation (invitations to events, bulletins, customer magazine distribution, newsletters and marketing letters, and other similar material). Register-based mailing may be outsourced, in which case contact data is disclosed to the mailing partner.
Personal data is kept confidential. Access rights to registers are limited to individuals who carry out communication tasks at Oamk.
With regard to events subject to a fee, data can be transferred to the Paytrail system.
4.3 Accessing data
Recipients of newsletters and marketing letters can request that their data be erased in conjunction with each letter.
Partners can present requests to access their data to the Oamk GDPR officer.
4.4 Disclosure of data
Data about partners can be disclosed to Oamk’s subcontractors in situations where communication tasks are outsourced.
4.5 Automated decision-making
Automated decision-making and partner profiling can be used to target newsletters and marketing letters.
5. Protecting personal data
Oamk uses proper technical, organisational and administrative safety measures to protect personal data in its possession.
6. Rights related to data protection
You have the right to access your personal data and view your personal data in our possession. Primarily, the data is directly accessible through user interfaces of systems. Possible exceptions include temporary lists, e.g. lists prepared to monitor course attendance, and registers related to CCTV systems.
You have the right to request that any incorrect and/or incomplete data be rectified. If you cannot directly rectify data in the specific service, you can request that it be rectified.
You have the right to request that your data be erased, provided that this is not in conflict with the statutory tasks of Oamk.
You have the right to request that the processing of your data be restricted, for example, in a situation where you want to restrict data processors from accessing your contact data.
You have the right to request that your data be transferred, for example, to another educational institution.
Right of appeal
You can also file an appeal with the Data Protection Ombudsman if you think that Oamk is unable to protect your personal data or if you want to ensure that Oamk is operating in compliance with data protection regulations.