Acceptable Use Policy for University of Helsinki Information Systems
1. Purpose of this Policy
The University of Helsinki is a scientific and research community, as well as an institute of education. Although the University ceased to be a government accounting office as of 31 December 2009, it operates in accordance with the Universities Act (558/2009), Section 30 of which provides that "the confidentiality of the activities of the university shall be governed by the provisions concerning the confidentiality of the activities of authorities".
Accordingly, the University must ensure the confidentiality, integrity and usability of the data of all of its user groups, and provide a reliable and secure environment for data processing. This and other policies have been devised to help different user groups acknowledge the rights, responsibilities and obligations that are associated with their user accounts. Even unintentional negligence of responsibilities associated with the user accounts may compromise the integrity, confidentiality and availability of data belonging to the users.
This Policy shall be applied to all of the information systems owned by the University or otherwise under the responsibility of the University and to their use, as well as to other services for which users have obtained access or user accounts through the University. This Policy shall also apply to public workstations at the University, and to all equipment which is connected to the University network.
All IT users within the University shall comply, in addition to this Policy, with other applicable rules and guidelines issued by the University, as well as good administration practices provided for in the Finnish Administrative Procedure Act (434/2003).
2. Principles of use
The Acceptable Use Policy of the University shall be revised annually to reflect any changes made to the services or applicable legislation. The IT Management department is responsible for the monitoring and updating of the Policy.
Any breach of this Policy or other policies and guidelines concerning the use of information systems may result in the denial of access. The general principles applicable to the use of the information systems and the interpretation of the Acceptable Use Policy are as follows:
Restrictions for use
The information systems of the University are provided as tools for studying, teaching, conducting research and performing administrative tasks at the University of Helsinki. Any other use requires a separate agreement.
University information systems and the related user IDs may not be used for political activities, with the exception of university elections and the activities of political student organisations and sub-organisations, and staff unions. Commercial use, for purposes other than those related to the University, is permitted only by express authorization.
Private use is permitted to a limited extent, as long as it does not
Private files shall be kept clearly separate from material related to the basic activities of the University. Material stored in the home directory of a student shall always be considered to be private. Members of staff shall keep their private material separate from work-related material, to ensure the protection of their privacy. Private material shall be saved to separate folders labelled so that their private nature is evident (e.g. personal or private).
The responsibilities of users
All users of the information systems shall share the responsibility for the general information security of the University's systems and the data contained therein.
All users shall contribute to the general information security of the information systems. Even if an individual has no need for special protection, other users may have. Any observed or suspected information security weaknesses or breaches shall be immediately reported to the administrator or owner of the relevant information system or to the head of the relevant unit. Information security incidents shall be handled in accordance with the Information Security Policy of the University and the guidelines on handling security incidents.
The University strives to protect all users from malware, spam and attempted attacks on systems and individual workstations. All users shall contribute to these efforts by observing the relevant guidelines.
Each user shall be responsible for providing the University with their up-to-date contact information, in the event that the University needs to contact them.
The IT Department is responsible for backing up the common information systems of the University and provides users with the possibility to back up their data in any interfaced systems. The IT Services department, however, assumes no liability for damages caused by the possible destruction of files. Users are responsible for the classification of their data and for ultimately creating relevant backup copies.
Users are bound by the obligation of secrecy regarding the information content, methods of use, level of security and properties of the systems where the intended use of the systems, the policies for use, or applicable regulations so require.
Connecting to the network of the University
Only equipment that is owned by the University and that has been approved and registered by the network administrator may be connected to the network of the University. The equipment must require user authentication through, for instance, a user ID and a password, or enable user identification by other means in exceptional situations. The equipment must maintain a usage log. Equipment shall be connected to the network in accordance with instructions issued by the IT Management department. Network elements reserved for visitors and the personal equipment of University students and staff have been marked and separated.
3. User accounts and user IDs
Users will be granted accounts on the common information systems of the University. The accounts are based on the position of each user within the University. If necessary, they may be granted to a person who is not affiliated with the University. User accounts on systems with limited access are granted separately to each user. The granting of accounts is the responsibility of the IT contact personnel.
4. Validity of user accounts
A user account shall expire after
A user ID shall be terminated when
The processing of data prior to the expiration of user accounts:
Data stored in the information systems under user IDs will be deleted 12 months after the expiration of the respective user account.
5. Maintenance of information systems
Each of the information systems of the University has a designated administrator (owner) who is responsible for the intended use, operation, contents and use of the system. The owner of the information system compiles instructions for its use and ensures that the services and use of the information systems comply with this Policy. The IT Department is responsible for the maintenance of the common information systems of the University. Information systems owned and managed by University units are the responsibility of the head of the respective unit or the individual designated by the head. Each unit shall maintain a separate list of persons in charge of the systems and their maintenance. The list shall be kept up-to-date and available to be presented to the IT Management upon request.
Administrators may supplement this Policy by issuing instructions on the use of specific devices, software and networks. Additionally, the IT industry may issue guidelines applicable to the entire University by first submitting them to the IT Management for approval.
Principal legislation governing the use of information systems (in Finnish)