Information security practices

Contents

  • Data Protection Officer
  • List of Personal Data Registers
  • Personal Data Practices in the Student Union of Häme UAS
  • Member Register's Privacy Statement

Data Protection Officer

Student Union's Data Protection Officer is Deputy Executive Director Riku Kemppinen
tietosuojavastaava(a)hamko.fi, +358 44 722 1000

List of Personal Data Registers

  • JäsRek - Member Register provided by Hakosalo Software Oy.
  • Webropol - For event enrolment.
  • Email lists - In the Office 365 service.
  • Netvisor - Based on the Bookkeeping Act. A system which holds information about everyone who has been paid fees or salaries.
  • Paytrail - Payment information about membership fees paid in Paytrail.
  • Intranet (OneDrive, SharePoint, Teams) - Files made by accounts of the Student Union, which include information about projects done in the past year, meeting memos and travel expense bills. The Student Union manages its own files and moves the necessary information to the archives in the internal U: Drive.
  • Internal U: Drive - The Student Union's archive, which holds documentation from past years, including files such as meeting memos, reports about events, bills and other administrative files. The Student Union manages the archive, and files which contain personal data are made anonymous.
  • Register of the Partners in Cooperation - A register which holds the contact information of our partners in cooperation. The register is held in the Student Union's internal U: Drive.

Personal Data Practices in the Student Union of Häme UAS

In General:

Computers and systems are used with a personal user ID when personal data is processed. The computers' virus protection is also kept up to date.

 

Only designated Student Union staff and persons elected to a position of trust, as well as associations' staff and persons elected to a position of trust commissioned by the Student Union, have the right to access the member register. They have been introduced to the changes the GDPR brings and have signed an agreement about the personal data practices.

 

Member Register:

The member register is a service provided by an external company whose servers are in Finland. The member register has integrations to HAMK's data system. Members provide their information themselves, and it is then checked and updated from HAMK's data system. User IDs are given only to those persons who need personal data in their work. We have updated the data protection appendix of the agreement fulfilling GDPR standards with the company providing the service. Resigned members are deleted from the member register immediately after the resignation. Former members who do not pay their membership fee are deleted from the register after they have graduated from HAMK or are no longer students at HAMK.
 

Information is not handed over from the member register to outside of the EU and EEA region. Information can be handed over for marketing purposes inside the EU and EEA region for those members who have allowed their information to be handed over. If the member leaves that field unmarked in the membership form, we interpret it as permission not having been given.

 

Event Enrolments and Club Registers:

- Registers of clubs under the Student Union (member registers and event enrolments) are held in the Student Union's internal cloud service, the usage rights of which are held by the Student Union.

- The Student Union's own event enrolments are collected through the Webropol service. User IDs for Webropol are given to the persons who need the information to organize events. User IDs for Webropol are given to the Student Union by HAMK. HAMK has updated the data protection appendix of the agreement fulfilling GDPR standards with the company providing the service.

 

Student Union’s Monthly Letter delivered via Email:

The monthly letter is delivered to every student at HAMK. It is delivered through a mailing list which is managed by HAMK. The letter's use is based on taking care of membership relations in accordance with the Associations Act and on the mission of preparing students for active, aware and critical citizenship in accordance with the Act of Universities of Applied Sciences.

 

E-mail lists:

The Student Union has a few mailing lists. Email addresses are deleted from them automatically if the person behind the address is not reached within a couple of tries (the address is not valid or the mailbox is full). Email addresses are deleted from the mailing lists if the person in question asks for it. However, if the mailing list is based on membership in the Council of Representatives or on some other reason why the Student Union needs to reach the person, the address won't be deleted.

 

Survival Kit loans:

Digital forms of the Survival Kit orders are kept in the Student Union's internal cloud service until the Kit service is paid. After this, the form data is made anonymous for archiving and the invoice/payment is kept as an accounting receipt. Keeping the data is based on the Accountancy Act.

 

Student Cards and Student Card ordering:

- Plastic chipped student cards are ordered from a Finnish card manufacturer. The order is made through the member register. The data transfer is based on the student wanting to order a student card for themselves and giving permission to transfer their data to the card manufacturer.

 

Personal Data Practices regarding the Election of the Council of Representatives:

Members running in the elections of the Council of Representatives give the Student Union the right to publish candidate lists, candidate pictures, other relevant election information and election results in public. All information to be published, with the exception of the results, is provided by the candidates themselves.

 

Data practices about the data of the Partners in Cooperation:

The Student Union has a partner register in the internal cloud service. The information stored there is kept for the whole duration of the cooperation. Student Union persons who need the information to handle partnerships have access to the register. The purpose of the data is to maintain cooperation.

 

Other Personal Data Practices:

- The Student Union uses Netvisor as a system for financial and payroll administration. Personal data processing is based on the Accountancy Act. The system uses strong identification, and IDs are only given to those persons who need the information for their work. We have updated the data protection appendix of the agreement fulfilling GDPR standards with the company providing the service.

- Payroll and accounting are managed by an external company. We have updated the data protection appendix of the agreement fulfilling GDPR standards with the company providing the service.

 

Information Security Control and Arrangements Involved with it:

We follow the PDCA model (Plan-Do-Check-Act). In all activities, we plan a safe, secure model for information security, with the agreements in order. When the systems are running, we watch and follow up on all exceptions in data protection. A record is kept of all exceptions, and we inform everyone who is concerned about the exception if necessary. If the exception is such that it must also be reported to the authority, the report shall be made as soon as possible. We also try to fix the problems as quickly as possible so that potential new problems will be avoided.

 

Practices of this Document:

This document is published on the hamko.fi site after the 22nd of May 2018, once it is accepted in the board meeting. Changes to the document can be made without the board's decisions. When the document is updated, we insert a log file at the end of this document, which informs about the last three updates, the date of each update and the reason for the update.

 

Data Protection Officer:
Student Union's Data Protection Officer is Deputy Executive Director Riku Kemppinen
tietosuojavastaava(a)hamko.fi, +358 44 722 1000

 

Updating the Practices / Log File: