User management system's privacy statement

Articles 13 and 14 of the EU General Data Protection Regulation

Data Protection Act (1050/2018)

Articles 13 and 14 of the Combined Data Subject Information Document (EU Data Protection Regulation 2016/679)

1. Controller

Seinäjoki University of Applied Sciences, SeAMK Library
Kampusranta 11, Frami F
FI-60320 Seinäjoki, Finland
+358 20 124 3000
seamk(at)seamk.fi

2. Controller’s representative

Asmo Myllyaho, Head of Property and Information Management, Seinäjoki University of Applied Sciences,
tel. +358 40 830 4262
asmo.myllyaho@seamk.fi

2a. Official responsible for the personal data file

Veli-Matti Mäkelä, Planning Official, Information Management, Seinäjoki University of Applied Sciences
tel. +358 40 830 3990
veli-matti.makela(at)seamk.fi

2b. Contact persons in matters relating to the data file

Veli-Matti Mäkelä, Planning Official, Information Management, Seinäjoki University of Applied Sciences
tel. +358 40 830 3990
veli-matti.makela(at)seamk.fi

2c. Contact details of the Data Protection Officer

Jarmo Jaskari, Data Protection Officer, Seinäjoki University of Applied Sciences
tel. +358 40 868 0680
jarmo.jaskari(at)seamk.fi

3. Name of the data file

Centralised user management system of the Seinäjoki University of Applied Sciences.

4. Purpose of processing personal data/data file use

The centralised user management system of the Seinäjoki University of Applied Sciences automatically creates the user IDs and manages them throughout their lifecycles (including changes and closures). The automation is based on the personal data obtained from primary systems.

5. Purpose of maintaining the data file

The controller’s right to keep a register of users is based on:

• The relevant connection between the controller and the data subject arising from a service relationship or a similar relationship (section 8(1)(5) of the Personal Data Act (523/1999)).
• The information stored in the data file must be protected as laid down in section 32 of the Personal Data Act.
• The controller must ensure the protection and integrity of the information systems concerning the user authorisation register and take into account other factors impacting the quality of data in accordance with good information management practices, as laid down in the Act on the Openness of Government Activities.

5a. Data content of the file

The data subjects are staff members and students of the Seinäjoki University of Applied Sciences.

The data file contains following data transferred from the primary systems of personnel administration and student administration:

Personnel

• Personnel number
• Last name
• First names
• Search name
• Type
• Work unit code
• Work unit name
• Title
• Employment end date
• Status
• Basic employment relationship
• Type of employment relationship
• Task group
• Email address
• Personal identity code
• Account
• Weekly working hours
• Degree
• Gender
• Employment start date
• Full-time/part-time
• Financial unit
• Payment number
• Employment relationship
• Employment relationship number

Students

• Student role code
• Alternative student number
• Participation in studies
• Arrival group
• Administrative group
• Attendance
• Degree programme code
• Specialisation option
• Internet disclosure permit
• Intranet disclosure permit
• Education information permit
• Location
• Marketing disclosure permit
• Last name
• First names
• Phone number
• Street address
• Post office
• Postal code
• Preferred language
• Email address
• Mobile phone
• Preferred first name
• Education
• Personal identity code
• Gender
• Study right end date
• Study completion date
• Degree programme name
• Number of attendance periods used
• Number of non-attendance periods used
• Basic education
• Crypto ID
• Student number

Log data

• The log data is based on error messages and generated users and it comprises the location of the time stamp, user ID and user object in the active directory and the first password.

5b. Information systems using the data file

• IDM user management system: centralised creation and management of user IDs.
• AD directory: management of user IDs, access rights and organisational details.
• ADAM directory: management of user data for HAKA services.
• Exchange 2010: email and calendar system.
• Microsoft Office 365: management of user IDs and access rights.
• Reportronic: relaying of staff data.
• Phone book: relaying of staff data.
• Luovari: relaying of student and staff data for providing user IDs.

6. Regular sources of data

The data is collected as transfer files from the Pegasos personnel administration system and Winha student administration system. Phone numbers are taken from the MECM system.

7. Regular disclosure of data

Data contained in the AD and ADAM directories is disclosed for internal SeAMK services and for the services of the HAKA trust network.

No log data is disclosed to third parties. However, education institutions may have the right to disclose data to the police or other authorities for criminal investigations or for investigations of information security incidents.

8. Transfer of data outside the EU or the EEA

No personal data within the meaning of the Personal Data Act is relayed or stored outside the EU or the EEA without the user’s consent. A malfunction and the resulting need for temporary data storage in accordance with the practices of the service provider may be an exception to this rule.

9. Principles of data file protection

A.      Manual material

No data contained in the system is stored or retained as paper printouts.

B.      Computer-processed data

The data stored in the file is not public. The persons processing the data are bound by a confidentiality obligation.

The servers are located in a locked and supervised data centre used by the Seinäjoki University of Applied Sciences.

The Office 365 service is located in the service provider’s data centres in the EU area, except for the Yammer service.