Acceptable Use Policy

You can view the Acceptable Use Policy for the University of Helsinki on this page. The valid version of the Acceptable Use Policy and the Information Security Policy shall be made available on the website of the IT Services.
Principles of use

The Acceptable Use Policy of the University shall be revised annually to reflect any changes made to the services or applicable legislation. The IT Management unit is responsible for the monitoring and updating of the Policy.
Purpose of this Policy

The University must strive ensure the confidentiality, integrity and usability of the data of all of its user groups, and provide a reliable and secure environment for data processing. This and other policies have been devised to help different user groups acknowledge the rights, responsibilities and obligations that are associated with their user accounts. Even unintentional negligence of responsibilities associated with the user accounts may compromise the integrity, confidentiality and availability of data belonging to the users.

This Policy shall be applied to all of the information systems owned by the University or otherwise under the responsibility of the University, and to their use, and for users, to other services for which access or user accounts have been obtained through the University. This Policy shall also apply to public workstations at the University, and to all equipment which is connected to the University network.

All IT users within the University shall comply, in addition to this Policy, with other applicable rules and guidelines issued by the University, as well as take into account that Finnish Administrative Procedure Act (434/2003) and Act on the Openness of Government Activities (621/1999) are applied as decreed in Universities Act (558/2009) 30§. Any breach of this Policy or other rules concerning the use of the information systems shall be dealt with in accordance with the Information Security Policy of the University.

The valid version of the Acceptable Use Policy and the Information Security Policy shall be made available on the website of the IT Services.

Any breach or failure to observe the conditions of this Policy or other policies and guidelines concerning the use of information systems may cause the denial of access. The general principles applicable to the use of the information systems and the interpretation of the Acceptable Use Policy are as follows.

  • All users who are entitled to access must have the possibility for reasonable and appropriate use.
  • Other organisations, information systems or users within the network must not be disturbed or damaged.
  • The right to privacy must be respected.
  • Use must comply with current policies and rules and be ethically acceptable.

The publishing, transmitting or distributing of illegal material or material that is contrary to good practice, and unnecessary occupation of system resources, are strictly prohibited.

The information systems of the University are provided as tools for studying, teaching, conducting research and performing administrative tasks at the University of Helsinki. Any other use requires a separate agreement.

University information systems and the related user IDs may not be used for political activities, with the exception of university elections and the activities of political student organisations and sub-organisations, and staff unions. Commercial use, for purposes other than those related to the University, is permitted only by express authorization.

Private use is permitted to a limited extent, as long as it does not

  • interfere with other use of the system,
  • imply technical changes to the information systems of the University, and
  • conflict with the policies and guidelines applicable to a specific system or with the generally applicable policies and guidelines for use.

Private files shall be kept clearly separate from material related to the basic activities of the University. Material stored in the home directory of a student shall always be considered to be private. Members of staff shall keep their private material separate from work-related material, to ensure the protection of their privacy. Private material shall be saved to separate folders labelled so that their private nature is evident (for example: personal or private).

All users of the information systems shall share the responsibility for the general information security of the University´s systems and the data contained therein.

  • Unauthorized acquisition or attempts to acquire data contained in the information systems is prohibited. For instance, searching for and accessing data and files belonging to another user is permitted only in so far as the other user has intentionally made them public to others.
  • A user who accidentally gains access to data addressed or belonging to other users shall not make use of, store or distribute such data. All such events shall be reported to the system administrator and the user concerned.
  • User accounts shall not be used for the identification of security vulnerabilities, for unauthorized decryption or communications interception or distortion, or for invading any other systems, directories or services.

All users shall contribute to the general information security of the information systems. Even if an individual has no need for special protection, other users may have. Any observed or suspected information security weaknesses or breaches shall be immediately reported to the administrator or owner of the relevant information system or to the head of the relevant unit. Information security incidents shall be handled in accordance with the Information Security Policy of the University and the guidelines on handling security incidents.

University staff and students must pass University of Helsinki IT Security Test annually. All staff and students are resposible for taking the test on time. In case the IT Security Test is not taken nor passed before it’s deadline, the corresponding user account will be disabled and it’s use prohibited until the IT Security Test is passed with acceptable grade. There is no upper limit on how many times a user can take the IT Security Test.

The University strives to protect all users from malware, spam and attempted attacks on systems and individual workstations. All users shall contribute to these efforts by observing the relevant guidelines.

Each user shall be responsible for providing the University with their up-to-date contact information, in the event that the University needs to contact them.

The IT Center is responsible for providing the common backup system of the University and provides users with the possibility to back up their data in systems within it’s scope. The IT Center, however, assumes no liability for damages caused by the possible destruction of files. Users are responsible for the classification of their data and for ultimately creating relevant backup copies.

Users are bound by the obligation of secrecy regarding the information content, methods of use, level of security and properties of the systems where the intended use of the systems, the policies for use, or applicable regulations so require.

Only equipment that is owned by the University and that has been approved and registered by the IT Center may be connected to the network of the University. The equipment must require user authentication through, for instance, a user ID and a password, or to enable user identification by other means in exceptional situations. The equipment must maintain a usage log. Equipment shall be connected to the network in accordance with instructions issued by the IT Management department. Network elements reserved for visitors and the personal equipment of University students and staff have been marked and separated.
User accounts and user IDs

Users will be granted accounts on the common information systems of the University. The accounts are based on the position of each user within the University. If necessary, they may be granted to a person who is not affiliated with the University. User accounts on systems with limited access are granted separately to each user. The granting of accounts is the responsibility of the IT contact personnel.

  • The prerequisite for obtaining a user account is that the user agrees to comply with this Policy, as well as additional instructions and regulations governing the use of the systems. Users must become acquainted beforehand with the instructions for use of the system and the policies governing its use.
  • Each user shall be liable for any harm and damage resulting from the use of their account.
  • The use of forged identities or the user ID of another individual is prohibited.
  • User accounts are individual and may not be transferred to others.

If there is reason to suspect that a password or another identifier has come into the possession of a third party, the password must be changed or the use of the identifier must be prevented immediately. Passwords shall be changed at regular intervals and must be difficult to break.
Validity of user accounts

A user account shall expire after:

  • the user is no longer employed by or a student of the University,
  • the fixed term for which the account was granted expires, or
  • the position of the user changes in such a way that the grounds for having a user account cease to exist.

A user ID shall be terminated when

  • the user account for which it has been assigned expires
  • it is no longer required, or
  • there is justified reason to suspect that it has been misused or that the information security has been compromised.

The processing of data prior to the expiration of user accounts:

  • Members of staff shall, to the extent required to continue the performance of duties, transfer all work-related messages and files to the individual agreed on with the relevant supervisor. The same shall also apply, as applicable, to students who have been involved e.g. in research teams.
  • Prior to the expiration of their user account, each user shall personally take care of the proper transfer or removal of data under their user IDs.

Data stored in the information systems under user IDs will be deleted 12 months after the expiration of the respective user account.
Maintenance of information systems

Each of the information systems of the University has a designated administrator (owner) who is responsible for the intended use, operation, contents and use of the system. The owner of the information system compiles instructions for its use and ensures that the services and use of the information systems comply with this Policy. The IT Department is responsible for the maintenance of the common information systems of the University. Information systems owned and managed by University units are the responsibility of the head of the respective unit or the individual designated by the head. Each unit shall maintain a separate list of persons in charge of the systems and their maintenance. The list shall be kept up-to-date and available to be presented to the IT Management upon request.

Administrators may supplement this Policy by issuing instructions on the use of specific devices, software and networks. Additionally, the IT industry may issue guidelines applicable to the entire University by first submitting them to the IT Management for approval.