IT Services

Acceptable Use Policy for University of Helsinki Information Systems

1. Purpose of this Policy

The University of Helsinki is a scientific and research community, as well as an institute of education. Although the University ceased to be a government accounting office as of 31 December 2009, it operates in accordance with the Universities Act (558/2009), Section 30 of which provides that "the confidentiality of the activities of the university shall be governed by the provisions concerning the confidentiality of the activities of authorities". 

Accordingly, the University must ensure the confidentiality, integrity and usability of the data of all of its user groups, and provide a reliable and secure environment for data processing. This and other policies have been devised to help different user groups acknowledge the rights, responsibilities and obligations that are associated with their user accounts. Even unintentional negligence of responsibilities associated with the user accounts may compromise the integrity, confidentiality and availability of data belonging to the users.

This Policy shall be applied to all of the information systems owned by the University or otherwise under the responsibility of the University, and to their use, and for users, to other services for which access or user accounts have been obtained through the University. This Policy shall also apply to public workstations at the University, and to all equipment which is connected to the University network.

All IT users within the University shall comply, in addition to this Policy, with other applicable rules and guidelines issued by the University, as well as good administration practices provided for in the Finnish Administrative Procedure Act (434/2003).
 Any breach of this Policy or other rules concerning the use of the information systems shall be dealt with in accordance with the Information Security Policy of the University.
The valid version of the Acceptable Use Policy and the Information Security Policy shall be made available on the website of the IT Services.

2. Principles of use

The Acceptable Use Policy of the University shall be revised annually to reflect any changes made to the services or applicable legislation. The IT Management department is responsible for the monitoring and updating of the Policy.

General principles

Any breach of this Policy or other policies and guidelines concerning the use of information systems may cause the denial of access. The general principles applicable to the use of the information systems and the interpretation of the Acceptable Use Policy are as follows:

• All users who are entitled to access must have the possibility for reasonable and appropriate use.
• Other organisations, information systems or users within the network must not be disturbed or damaged.
• The right to privacy must be respected.
• Use must comply with current policies and rules and be ethically acceptable.
• The publishing, transmitting or distributing of illegal material or material that is contrary to good practice, and unnecessary occupation of system resources, are strictly prohibited.

Restrictions for use

The information systems of the University are provided as tools for studying, teaching, conducting research and performing administrative tasks at the University of Helsinki. Any other use requires a separate agreement.

University information systems and the related user IDs may not be used for political activities, with the exception of university elections and the activities of political student organisations and sub-organisations, and staff unions. Commercial use, for purposes other than those related to the University, is permitted only by express authorization.

Private use

Private use is permitted to a limited extent, as long as it does not

• interfere with other use of the system,
• imply technical changes to the information systems of the University, and
• conflict with the policies and guidelines applicable to a specific system or with the generally applicable policies and guidelines for use.

Private files shall be kept clearly separate from material related to the basic activities of the University. Material stored in the home directory of a student shall always be considered to be private. Members of staff shall keep their private material separate from work-related material, to ensure the protection of their privacy. Private material shall be saved to separate folders labelled so that their private nature is evident (e.g. personal or private).

The responsibilities of users

All users of the information systems shall share the responsibility for the general information security of the University's systems and the data contained therein.

• Unauthorized acquisition or attempts to acquire data contained in the information systems is prohibited. For instance, searching for and accessing data and files belonging to another user is permitted only in so far as the other user has intentionally made them public to others.
• A user who accidentally gains access to data addressed or belonging to other users shall not make use of, store or distribute such data. All such events shall be reported to the system administrator and/or the user concerned (Act on the Protection of Privacy in Electronic Communications, Chapter 2, Section 5).
• User accounts shall not be used for the identification of security vulnerabilities, for unauthorized decryption or communications interception or distortion, or for invading any other systems, directories or services.

All users shall contribute to the general information security of the information systems. Even if an individual has no need for special protection, other users may have. Any observed or suspected information security weaknesses or breaches shall be immediately reported to the administrator or owner of the relevant information system or to the head of the relevant unit. Information security incidents shall be handled in accordance with the Information Security Policy of the University and the guidelines on handling security incidents.

The University strives to protect all users from malware, spam and attempted attacks on systems and individual workstations. All users shall contribute to these efforts by observing the relevant guidelines.

Each user shall be responsible for providing the University with their up-to-date contact information, in the event that the University needs to contact them.

The IT Department is responsible for backing up the common information systems of the University and provides users with the possibility to back up their data in any interfaced systems. The IT Services department, however, assumes no liability for damages caused by the possible destruction of files. Users are responsible for the classification of their data and for ultimately creating relevant backup copies.

Users are bound by the obligation of secrecy regarding the information content, methods of use, level of security and properties of the systems where the intended use of the systems, the policies for use, or applicable regulations so require.

Connecting to the network of the University

Only equipment that is owned by the University and that has been approved and registered by the network administrator may be connected to the network of the University. The equipment must require user authentication through, for instance, a user ID and a password, or to enable user identification by other means in exceptional situations. The equipment must maintain a usage log. Equipment shall be connected to the network in accordance with instructions issued by the IT Management department. Network elements reserved for visitors and the personal equipment of University students and staff have been marked and separated.

3. User accounts and user IDs

Users will be granted accounts on the common information systems of the University. The accounts are based on the position of each user within the University. If necessary, they may be granted to a person who is not affiliated with the University. User accounts on systems with limited access are granted separately to each user. The granting of accounts is the responsibility of the IT contact personnel.

• The prerequisite for obtaining a user account is that the user agrees to comply with this Policy, as well as additional instructions and regulations governing the use of the systems. Users must become acquainted beforehand with the instructions for use of the system and the policies governing its use.
• Each user shall be liable for any harm and damage resulting from the use of their account.
• The use of forged identities or the user ID of another individual is prohibited.
• User accounts are individual and may not be transferred to others.
• If there is reason to suspect that a password or another identifier has come into the possession of a third party, the password must be changed or the use of the identifier must be prevented immediately. Passwords shall be changed at regular intervals and must be difficult to break.

4. Validity of user accounts

A user account shall expire after

• the user is no longer employed by or a student of the University,
• the fixed term for which the account was granted expires, or
• the position of the user changes in such a way that the grounds for having a user account cease to exist.

A user ID shall be terminated when

• the user account for which it has been assigned expires,
• it is no longer required, or
• there is justified reason to suspect that it has been misused or that the information security has been compromised.

The processing of data prior to the expiration of user accounts:

• Members of staff shall, to the extent required to continue the performance of duties, transfer all work-related messages and files to the individual agreed on with the relevant supervisor. The same shall also apply, as applicable, to students who have been involved e.g. in research teams.
• Prior to the expiration of their user account, each user shall personally take care of the proper transfer or removal of data under their user IDs.

Data stored in the information systems under user IDs will be deleted 12 months after the expiration of the respective user account.

5. Maintenance of information systems

Each of the information systems of the University has a designated administrator (owner) who is responsible for the intended use, operation, contents and use of the system. The owner of the information system compiles instructions for its use and ensures that the services and use of the information systems comply with this Policy. The IT Department is responsible for the maintenance of the common information systems of the University. Information systems owned and managed by University units are the responsibility of the head of the respective unit or the individual designated by the head. Each unit shall maintain a separate list of persons in charge of the systems and their maintenance. The list shall be kept up-to-date and available to be presented to the IT Management upon request.

Administrators may supplement this Policy by issuing instructions on the use of specific devices, software and networks. Additionally, the IT industry may issue guidelines applicable to the entire University by first submitting them to the IT Management for approval.

Principal legislation governing the use of information systems (in finnish)

• Archives Act (831/1994)
• Personal Data Act (523/1999)
• Act on the Openness of Government Activities (621/1999)
• Act on the Protection of Privacy in Working Life (759/2004)
• Criminal Code (39/1889, Chapter 35, Sections 1–2; Chapter 38, Section 2; Chapter 38, Sections 3−4; Chapter 38, Section)
• The Constitution of Finland (731/1999, Sections 10–12)
• Act on the Protection of Privacy in Electronic Communications (516/2004)
• Copyright Act (404/1961)
• Universities Act (558/2009)

Attachments

• Acceptable Use Policy for Information Systems (PDF)

29.02.2012