Data protection for teachers

If social interaction is an integral part of completing and grading a course, such interaction can be realised also via a video link, when necessary. When organising teaching remotely via a video link, use the online conference services provided by the University.

As a rule, keeping their video feed on should be voluntary for students. However, if the nature of the teaching requires social interaction on lectures or in an examination regardless of their being organised remotely, students must be informed of such interaction and the utilisation of video in advance. Students should be reminded of how they can personally control their privacy (for example, by adjusting the camera angle or by using background images provided by the services used).

The same rules apply to recording remote teaching sessions as to recording lectures in general.

Students have the right to access data concerning them, the right to request the rectification of their personal data and, in certain cases, the right to request the erasure of their data (if the data are unnecessary or their storage is not required by the University’s archiving plan or by law).

Requests for information or other requests pertaining to personal data submitted by students must be answered within 30 days.

If the request for information pertains to data stored in the student records, students can contact the records directly at registrar@helsinki.fi.

If you receive a study-related data request from a student or other person and you are uncertain about handling the request as prescribed by law, please contact the legal counsel specialised in academic affairs at lakipalvelu-opintoasiat@helsinki.fi.

Sisu is the recommended tool for course registration.

If you print out registration lists from Sisu or record attendance on students, please retain such information appropriately and dispose of it in due course (confidential waste container) once it no longer needs to be retained.

If you maintain attendance lists on students, consider which details are necessary. To individualise students, it is sufficient to use their student numbers; personal identity codes are not necessary. Personal identity codes should not be unnecessarily included in documents as a rule.  

A new Moodle platform should be created for each new course rather than using an old platform and the information it contains.

Once a course has evaluated, you should delete from Moodle any data that are no longer needed if their storage is not essential. In general, deleting student-related entries regularly is recommended if their storage is not warranted for operational reasons.

When providing access rights for teachers to a Moodle course site, please note that all those who are granted such rights should have work-related reasons to access information on student attendance and assignments.

If you wish to print out lists of information on course completion or assessment from Moodle and save them on your computer and/or transmit them to the student records, please see the section on the periods and conditions for retaining study-related documents.

In accordance with the archiving plan, completed examinations and seminar work are stored six months, after which they must, as a rule, be destroyed. In general, personal data must not be stored for longer that is necessary for their purpose of use, unless their storage period has been defined in the University of Helsinki archiving plan or in legislation. 

The storage periods of documents related to teaching are specified in the University's archiving regulations. 

Other resources used in web-based teaching include wiki sites, educational videos, OneNote and other Office tools. Please use only University's systems in teaching. If social media is to be used in teaching (e.g. WhatsApp or Facebook groups), this should be voluntary to students and must be discussed and agreed with the students. 

Other supporting tools for teaching activities

If personal data concerning students is collected, they must be notified of the processing of their data. Most of the data collected is associated with normal teaching activities which is covered in the university data protection notice and requires no separate notification. If data concerning students significantly outside the scope of normal teaching activities is collected, they must be told, for example, why the data are being collected, what the data are used for, what the legal grounds are for their processing, to whom the data are disclosed and how long they are stored. In this, you can utilise the University’s template data protection statement (available on Flamma), which includes all the relevant information to be shared.

As a rule, student guidance and the provision of feedback to students via email are both permitted, as is the exchange of information between teachers in matters related to students. Particular care must be taken with sensitive or confidential information included in an email message, use encryption when needed.

Personal identity codes must always be encrypted if sent via email. Examination results and student numbers can be sent via normal email, whereas information on student health and personal issues must be encrypted. In addition, when sending examination questions and answers via email before an examination, the message must always be encrypted.

Which information can be sent by regular email, and when should encrypted mail be used? Detailed instructions for the secure use of email

Ensure information security and data protection when processing personal data. For example, access to course areas in Moodle can be restricted to students registered for the course only, using a course key that cannot easily be deduced. If the subject of teaching includes more sensitive data, students must be reminded of an obligation of confidentiality and instructed in the viewing and/or processing of confidential material. 

If the purpose of a course assignment is not for students to provide sensitive information about their life, you can mention this when giving the assignment. If you are concerned about data protection, you can contact the legal counsel specialised in academic affairs.

Social and healthcare services data in teaching

If you use customer data produced in the social services and healthcare sector as teaching material or for producing such material, please note that you need a data permit as stipulated in the Act on the Secondary Use of Health and Social Data. Data permits are requested from either the controller of the data file disclosing the data or, in the case of several controllers of data files, from the Health and Social Data Permit Authority Findata.

With a data permit, customer data can be processed to produce teaching material for students pursuing a profession in the social services and healthcare sector, if necessary for the purposes of teaching. As a rule, data should be used only in anonymised form. The use of identifiable data is permitted only if anonymous use is not possible due to the rarity of the case, the nature of the teaching or another similar factor.

Behind this link you will find the Patient in Education-guide (in Finnish).

Teachers can record their teaching (audio or video) by informing students of the recording and its purpose in advance, provided no interaction with students is required during the lecture. Students must be informed of the recording and its purpose in advance so that they can impact in whether their voice or image can be recorded. In the case of video recording, the camera angle must be adjusted so that students do not appear in the recording when not necessary.

If the teaching involves a great deal of discussion and requires participation from students, or if you otherwise wish to record video and audio where students appear, you must obtain consent from the students (see more in ‘Notification of data processing’). As a rule, consent must be entirely voluntary, and declining to consent must not have any negative consequences. In other words, the recording of video or audio should not be a prerequisite for completing a course, unless necessary due to the nature of the course or for assessing the completed course.

Examination results, seminar papers, assignments, essays, lecture journals and similar work must be disposed of after being retained for six months. Master's theses are stored permanently, bachelor's theses for five years. 

As a rule, study-related documents (excl. theses and dissertations) are confidential.

Study-related documents are recommended to be stored in Moodle rather than as files on the teacher’s computer. If you have collected and saved lists of student assessment on your computer (e.g., in table format), please regularly check that you do not preserve such information for more than six months.

Comprehensive information on the time periods for retaining study-related documents is available in the archiving plan. Please note that if information is stored in the student records or library collections, a degree programme administrator or an individual teacher need not retain such information.

Announcement of examination results

Examination results must be published, in accordance with the Regulations on Degrees and the Protection of Students’ Rights, on the University’s internal site and, if necessary, the noticeboard of the relevant unit.

When publishing examination results, it is enough to publish result distribution, students can see their individual grade from the study information system. If you need to publish individual grades to a wider group, results must be published alongside student numbers so that students are not directly identifiable on the results list 

Always consider how to individualise a student based on the principle of minimising personal data. In the case of, for example, registration for courses and completion of examinations, a student number is sufficient to individualise a student; a personal identity code is not needed. Personal identity codes should not be unnecessarily included in documents in the first place.

Student numbers are used for example, for publishing course and examination grades, and they serve as students' identifiers when their direct identification is not necessary. It should be take into account, whenever possible, that other students cannot link a student number to a particular student. For example, student numbers need not be included in seminar or peer reviewed assignments distributed to other students or in group work. 

NOTE! The use of a student number is not a completely reliable means of anonymization or pseudonymization, as the student number is not secret information. For example, you should not unnecessarily disclose information about students, even by student number, without their consent.

Anonymous student feedback can be collected (taking in to account research ethics). Surveys must be designed so that no unnecessary personal data are collected. 

If feedback allows the identification of either a teacher or a student, the feedback includes personal data. In such cases, the purpose of using the feedback need to be determined and informed in advance.

The feedback can be processed only by persons whose work involves the right and responsibility to process student feedback.

Student responses can be retained until this is no longer necessary for the purposes it was collected. The responses must then be securely disposed of. It must be taken into account that collected data may include confidential information. Use secure bins when needed

If feedback is published, it cannot include data that can be linked with individuals without permission from the relevant individual.

Applications for individual arrangements, together with information on student health, are confidential documents and include sensitive personal data.

Sensitive and confidential health information must be retained separately from other personal data. If the information is retained in paper form, it must be kept in a separate folder in a locked filing cabinet or facility. If the information is retained in electronic form, it must be reliably protected with a password or other means so that it can be accessed only by employees whose duties include the processing of sensitive information. Email messages including health information must be encrypted.

Sensitive information must be deleted once the legal grounds for their processing have ceased to exist. Unnecessary information must be securely erased so that it does not end up in the hands of third parties.

Members of University staff can only process personal data that they need in their work tasks.

More information about data protection of individual arrangements

Who is the controller and who is responsible for the processing of personal data

The controller is the one who is responsible for processing personal data. The controller defines the purposes and means of collecting and processing personal data. For theses, this is usually the student jointly with the university. When writing a thesis, personal data is processed for the purposes defined by the student and with the means decided by the student, but because theses are carried out due to university studies, and in some cases the thesis supervisor may influence in the decisions what personal data is collected and what methods are uses. Therefore, the student and the university are jointly responsible for personal data.

Although students are mainly responsible for the daily activities of processing personal data, supervisors' task is to support and guide students in the processing of personal data. The University has an important role in informing students about the responsible and legal processing of data. This means that supervisors should explain matters relating to the processing of personal data before students begin work on their thesis. 

As an exception to the joint controllership, the University of Helsinki serves as the controller of personal data if the thesis is completed under an employment contract with the University and/or as part of a research project at the University. The University may also be considered the controller of personal data on a case-by-case basis if the person conducting the research does so under the close supervision of, or in a close relationship with the University (the University has played a deciding role regarding the processing of personal data).

If completed thesis contains personal data, the University of Helsinki is the controller of personal data after the thesis has been submitted to the University for assessment and archiving. 

Main legislative points to consider 

Recognise roles: Who is the controller of the data file (usually the student jointly with the university), and who are the data subjects? 

Define the purpose of processing personal data as well as the personal data required:

• What is the topic of the thesis, and why are personal data collected?
• Which data need to be collected (minimise the amount of data collected)?
• Define the purposes of using data in advance: must personal data be included in the end result of research, i.e., the thesis?
• Is it possible that there will be interest in using the data later, for example, for other research purposes? 

Define the legal grounds for processing personal data:

• Master’s and equivalent theses: The processing of personal data is based on public interest (“scientific research carried out in the public interest”).
• Lower-level theses: The processing is based on consent (if data is collected directly from the research subject) or legitimate interest (if data is collected from other sources). If legal basis is legitimate interest, an interest balance test must be carried out and assessed what are the benefits of the research and what potential negative effects may occur to the research subject due to their participation to the research.

Consider how to minimise potential risks to data subjects through, for example: Pseudonymisation of data, minimisation of collected data, restriction of storage periods, use of secure services and systems. 

Inform data subjects: A link to the data protection statement template can be found in the data protection guidance for researchers (Flamma).

Useful links

• Data protection guide for researches (Flamma)
• Ethical review board in the humanities and social and behavioural sciences 

For further information on study-related data protection, please contact lakipalvelu-opintoasiat@helsinki.fi. 

For research related questions, University staff (teachers and supervisors) can contact the legal counsels for research (researchlawyers@helsinki.fi)