Categorizing confidential documents and information on the basis of confidentiality is an important part of the information life cycle. Once the information has been classified, it can be stored and/or published in a suitable place, such as a network disk, a local disk of a computer, external memory devices, an information system or a cloud service. The owner and/or processor of the data is responsible for classifying the data.
Section 24 of the Act on the Openness of Government Activities states which information and/or documents are classified. See the data classification and secure storage instructions for more information on what confidential information is.
The purpose of the data classification and storage model is to clarify where data can be published and stored. The classification template allows you to identify which category your data belongs to. For example, in a research project that does not deal with classified information or sensitive personal data, the information is confidential. Once the data category has been identified, you can check the material storage table for the locations where this data can be securely stored or published.
Public information
Internal or limited use information
Confidential information
Classified or secret information
Note! Copyright must be taken into account in all publications. Copyright means the author's initial exclusive right to decide on the use of his work. This means that others do not have the right to use the work without the author's permission.
Action | Public information | Internal or limited use information | Confidential information | Classified/Secret Information | Note |
---|---|---|---|---|---|
P: | Allowed | Allowed | Allowed with limitations | Not Allowed | The project manager can ask the helpdesk to create a folder that is accessible only to the specified users. |
S: | Allowed | Allowed | Not Allowed | Not Allowed | Open to anyone; anyone can create files for temporary storage. |
T: | Allowed | Allowed | Not Allowed | Not Allowed | Used for sharing larger files that can’t be shared through OMA. These include large video files, tutorial files, etc. Students have read-only access and staff have full access. |
U: | Allowed | Allowed | Allowed with limitations | Allowed with limitations | The PUB folder on this drive is open to all members of staff. The PRIV folder is only accessible to certain named persons. A new PRIV folder can be requested via the helpdesk. |
W: | Allowed | Allowed | Not Allowed | Not Allowed | Used for applications that can’t be run directly from network drives. Users have read-only rights. |
Z: | Allowed | Allowed | Allowed | Allowed | The Z network drive is a secure storage location for staff. This drive is regularly backed up. |
\\share-courses | Allowed | Allowed | Not Allowed | Not Allowed | |
\\share-archive | Allowed | Allowed | Not Allowed | Not Allowed | |
Work computer’s local hard disk or memory | Allowed | Allowed | Allowed | Allowed with limitations | Data stored on the computer's hard disk or memory will not be backed up by IT Services. Instead, the responsibility for backups lies solely with the owner of the computer, unlike with network disks. For this reason, data should not be stored or kept solely in the local memory of the computer. If data is lost from the device, it cannot be recovered without a backup. The hard disk is suitable for temporarily storing sensitive information, such as recording an interview on Zoom. After temporary storage, it's recommended to move the data to your personal home drive or another platform that allows for secure storage of sensitive data. |
Save to phone or tablet (security code must be enabled on the device) | Allowed | Allowed | Allowed with limitations | Not Allowed | |
External memory devices (memory sticks, hard disks, CDs) | Allowed | Allowed | Allowed with limitations | Allowed with limitations | Confidential and classified information must be password-protected on external memory devices. |
Public computer or home computer | Allowed | Not Allowed | Not Allowed | Not Allowed | Public computers and devices shared by a family are not secure enough to process sensitive information. A common username on a home computer does not prevent other family members from accessing data stored on the computer; family members should have separate usernames to use the computer. If the computer has separate user IDs, the storage practices for the hard disk of a student's personal computer apply to it. |
The hard drive/storage space of the student's personal computer, which is not shared | Allowed | Allowed | Allowed | Allowed with limitations | Data stored on the computer's hard disk or memory will not be backed up by IT Services. Instead, the responsibility for backups lies solely with the owner of the computer, unlike with network disks. For this reason, data should not be stored or kept solely in the local memory of the computer. If data is lost from the device, it cannot be recovered without a backup. The hard disk is suitable for temporarily storing sensitive information, such as recording an interview on Zoom. After temporary storage, it's recommended to move the data to your personal home drive or another platform that allows for secure storage of sensitive data. After transferring the data, promptly delete the temporary information from your device. |
Action | Public information | Internal or limited use information | Confidential information | Classified information | Note |
---|---|---|---|---|---|
Public www-websites | Allowed | Not Allowed | Not Allowed | Not Allowed | |
Oma.Metropolia website (intranet) | Allowed | Allowed | Not Allowed | Not Allowed | In addition to staff, students also read the intranet. |
Peppi | Allowed | Allowed | Allowed | Allowed | |
Amme | Allowed | Allowed | Allowed | Allowed | |
Moodle | Allowed | Allowed | Allowed | Allowed with limitations | The information can only be viewed and processed by specifically authorized persons. |
HR-system | Allowed | Allowed | Allowed | Allowed with limitations | The information can only be viewed and processed by specifically authorized persons. |
Metroarch | Allowed | Allowed with limitations | Allowed with limitations | Allowed with limitations | Metropolia has its own server, Metroarch, which is intended especially for storing and processing sensitive data from RDI projects. Access rights to the material on the server can be granted to project employees both inside and outside Metropolia. |
Google products: Drive, Classroom, Blogger, Docs, Meet, Sites, Photos, Slides, Forms | Allowed | Allowed | Allowed | Not Allowed | Note! The Google product family includes several applications that are subject to the same data storage and processing guidelines as the listed services. |
Microsoft 365 products: OneDrive, OneNote, Sites, Stream, Teams, Planner, Whiteboard, SharePoint, Yammer | Allowed | Allowed | Allowed | Not Allowed | Note! The Microsoft product family includes several applications that are subject to the same data storage and processing guidelines as the listed services. |
Promid | Allowed | Allowed | Allowed | Not Allowed | |
Zoom | Allowed | Allowed | Allowed | Allowed with limitations | All personal interviews that are to be recorded should be conducted using the Zoom program only. |
Information and case management software | Allowed | Allowed | Allowed | Allowed | |
Wihi | Allowed | Allowed | Allowed | Allowed | Wihi is a system for managing and communicating the thesis process. |
E-form | Allowed | Allowed | Allowed | Allowed | |
HelpDesk | Allowed | Allowed | Allowed | Not Allowed | |
ARC-system | Allowed | Allowed | Allowed | Not Allowed | |
YouTube | Allowed | Allowed with limitations | Not Allowed | Not Allowed | |
Social media channels: Facebook, Instagram, TikTok | Allowed | Not Allowed | Not Allowed | Not Allowed | Note! The same data storage and processing guidelines apply to all social media channels. |
Action | Public information | Internal or limited use information | Confidential information | Classified information | Note |
---|---|---|---|---|---|
Metropolia e-mail internal communication | Allowed | Allowed | Allowed | Allowed | |
Metropolia e-mail external communication | Allowed | Allowed with limitations | Allowed with limitations | Allowed with limitations | Use the secure mail solution whenever you send emails that contain personal data, sensitive data or otherwise confidential data to a recipient whose email address is outside Metropolia. |
Letter | Allowed with limitations | Allowed with limitations | Allowed with limitations | Allowed with limitations | The contents of letter mail must not be visible from the outside of the letter. |
Action | Public information | Internal or limited use information | Confidential information | Classified information | Note |
---|---|---|---|---|---|
Printing of materials | Allowed | Allowed | Allowed | Allowed | |
Paper material disposal, normal trash bin | Allowed | Not Allowed | Not Allowed | Not Allowed | |
Paper material disposal, secure trash bin | Allowed | Allowed | Allowed | Allowed | All confidential and classified paper documents should be disposed of in secure trash bins. |