...
Act on the Openness of Government Activities 24 § states what information and/or documents are classified information. See the Classification and Storage Guide for data classification and secure storing instruction for more information on what confidential information is.
...
- The data can be viewed and processed by each member of the relevant group (including the student, e.g. in research projects)
- For example, unfinished credit or projects
Classified or secret information
- The information can only be viewed and processed by specifically authorized persons
- Exam answers and other tests, including various assignments and examinations, as well as grading marks. Note. however, grades and scores are public
- Sensitive personal information, which includes;
- Information on the verbal assessment of a student's personal characteristics
- Information on the person's state of health, disability, health care or social care clientele or rehabilitation (e.g. applications and decisions on special arrangements for studies)
- Information concerning the person's annual income or total assets, or the income and assets on which the aid or benefit is based, or otherwise describe his financial situation
Three different categories are used in the data storage and publication table. Allowed, allowed with limitations and not allowed.
- Allowed means that data in that category may be stored and / or published in the action location of that column item.
- Allowed with limitations means that certain restrictions, such as restrictions on access rights, must be taken into account when storing and / or publishing information. For example, if test runs exam results are stored in Moodle, the permissions must be restricted so that the data cannot be seen by anyone other than the data handler (teacher).
- Not allowed means that the data may not be stored or published at all in the location of that column.
Note! Copyright must be taken into account in all publications. Copyright means the author's initial exclusive right to decide on the use of his work. Meaning others do not have the right to use the work without the author's permission.
Data storage and processing on network disks and the computer's local hard disk, as well as external recorders
Action | Public information | Internal or limited use information | Confidential information | Classified/Secret Information | Note |
|---|---|---|---|---|---|
P: | Allowed | Allowed | Allowed with limitations | Not Allowed | Project manager can make request to helpdesk to create folder that is only accessible for the given users. |
S: | Allowed | Allowed | Not Allowed | Not Allowed | Open to anyone, anyone can create files for temporary storage. |
T: | Allowed | Allowed | Not Allowed | Not Allowed | Used for sharing larger files that can’t be shared through OMA. These include large video files, tutorial files etc. Students have read only access and the staff have full access. |
U: | Allowed | Allowed | Allowed with limitations | Allowed with limitations | The PUB folder on this drive is open to all members of staff. The PRIV folder is only accessible to certain named persons. New PRIV folder can be request via helpdesk. |
W: | Allowed | Allowed | Not Allowed | Not Allowed | Used for applications that can’t be run directly from network drives. Users have read only rights. |
Z: | Allowed | Allowed | Allowed | Allowed | The Z network drive is a secure storage location for staff. This drive is regularly backed up. |
\\share-courses | Allowed | Allowed | Not Allowed | Not Allowed | |
\\share-archive | Allowed | Allowed | Not Allowed | Not Allowed | |
Work computer’s local hard disk or memory | Allowed | Allowed | Allowed | Allowed with limitations | Data stored on the computer's hard disk or memory will not be backed up by IT Services. Instead, the responsibility for backups lies solely with the owner of the computer, unlike with network disks. For this reason, data should not be stored or kept solely in the local memory of the computer. If data is lost from the device, it cannot be recovered without a backup. The hard disk is suitable for temporarily storing sensitive information, such as recording an interview on Zoom. After temporary storage, it's recommended to move the data to your personal home drive or another platform that allows for secure storage of sensitive data. |
Save to phone or tablet (security code must be enabled on the device) | Allowed | Allowed | Allowed with limitations | Not Allowed | |
External memory devices (memory sticks, hard disks, CDs) | Allowed | Allowed | Allowed with limitations | Allowed with limitations | Confidential & Classified information must be password protected in external recorders. |
Public computer or home computer | Allowed | Not Allowed | Not Allowed | Not Allowed | Public computers or a device shared by the family is not secure enough to process sensitive information. A common username on a home computer does not prevent other family members from accessing data stored on the computer, but family members should have separate usernames to use the computer. If the computer has separate user IDs, then the storage practices of the student's personal computer's hard disk apply to the use of the computer. |
The hard drive/storage space of the student's personal computer, which is not shared | Allowed | Allowed | Allowed | Allowed with limitations | Data stored on the computer's hard disk or memory will not be backed up by IT Services. Instead, the responsibility for backups lies solely with the owner of the computer, unlike with network disks. For this reason, data should not be stored or kept solely in the local memory of the computer. If data is lost from the device, it cannot be recovered without a backup. The hard disk is suitable for temporarily storing sensitive information, such as recording an interview on Zoom. After temporary storage, it's recommended to move the data to your personal home drive or another platform that allows for secure storage of sensitive data. After transferring the data, promptly delete the temporary information from your device. |
Data storage and processing in information systems and cloud services
Action | Public information | Internal or limited use information | Confidential information | Classified information | Note |
|---|---|---|---|---|---|
Public www-websites | Allowed | Not Allowed | Not Allowed | Not Allowed | |
Oma.Metropoliawebsite (intranet) | Allowed | Allowed | Not Allowed | Not Allowed | In addition to the staff, students also read Intranet. |
Peppi | Allowed | Allowed | Allowed | Allowed | |
Amme | Allowed | Allowed | Allowed | Allowed | |
Moodle | Allowed | Allowed | Allowed | Allowed with limitations | The information can only be viewed and processed by specifically authorized persons. |
HR-system | Allowed | Allowed | Allowed | Allowed with limitations | The information can only be viewed and processed by specifically authorized persons. |
Metroarch | Allowed | Allowed with limitations | Allowed with limitations | Allowed with limitations | Metropolia has its own server Metroarch, which is intended especially for storing and processing sensitive data from RDI-projects. Access rights can be granted to the material on the server for project employees both inside and outside of Metropolia. |
Google products: Drive, Classroom, Blogger, Docs, Meet, Sites, Photos, Slides, Form | Allowed | Allowed | Allowed | Not Allowed | Note! Google product family includes several applications that are subject to the same data storage and processing guidelines as the listed services. |
Microsoft 365 products: OneDrive, Onenote, Sites, Stream, Teams, Planner, Stream, Whiteboard, Sharepoint, Yammer | Allowed | Allowed | Allowed | Not Allowed | Note! Microsoft product family includes several applications that are subject to the same data storage and processing guidelines as the listed services. |
Promid | Allowed | Allowed | Allowed | Not Allowed | |
Zoom | Allowed | Allowed | Allowed | Allowed with limitations | All personal interviews that are going to be recorded should be done by using ZOOM program only. |
Information and case management software | Allowed | Allowed | Allowed | Allowed | |
| Wihi | Allowed | Allowed | Allowed | Allowed | Wihi is a system for managing and communicating the thesis process. |
E-form | Allowed | Allowed | Allowed | Allowed | |
HelpDesk | Allowed | Allowed | Allowed | Not Allowed | |
ARC-system | Allowed | Allowed | Allowed | Not Allowed | |
Youtube | Allowed | Allowed with limitations | Not Allowed | Not Allowed | |
Social media channels: Facebook, Instagram, TikTok | Allowed | Not Allowed | Not Allowed | Not Allowed | Note! The same data storage and processing guidelines apply to all social media channels. |
Sending of material
Action | Public information | Internal or limited use information | Confidential information | Classified information | Note |
|---|---|---|---|---|---|
Metropolia e-mail internal communication | Allowed | Allowed | Allowed | Allowed | |
Metropolia e-mail external communication | Allowed | Allowed with limitations | Allowed with limitations | Allowed with limitations | You should use the secure mail solution whenever you send emails that contain personal data, sensitive data or otherwise confidential data if the recipient email address is outside Metropolia. |
...
Letter | Allowed with limitations | Allowed with limitations | Allowed with limitations | Allowed with limitations | The contents of the letter post must not appear outside the letter |
Printing of material and disposal of papers and other material
Action | Public information | Internal or limited use information | Confidential information | Classified information | Note |
|---|---|---|---|---|---|
Printing of materials | Allowed | Allowed | Allowed | Allowed | |
Paper material disposal, normal trash bin | Allowed | Not Allowed | Not Allowed | Not Allowed | |
Paper material disposal secure trash bin | Allowed | Allowed | Allowed | Allowed | All confidential and classified paper documents should be disposed in security trash bins. |
...