Processing of personal data in the context of the University's case management
This privacy notice describes the personal data processed in the following systems:
- case management system (Asta)
- University of Turku e-services
- electronic archive (Asta archive)
- electronic meeting environment (UTUmeeting)
- information management system
The case register of the University of Turku is maintained in the case management system Asta, and the register stores the official case management data, documents, and related metadata. An official document is defined in Section 5, Paragraph 2 of the Act on the Openness of Government Activities.
The maintenance of the case register is mandatory for the University under Section 25 of the Act on Information Management in Public Administration (906/2019) and the Act on the Openness of Government Activities (621/1999).
From the case management system, documents are transferred for signing to an electronic signature service and the processing of personal data in this system is described in its own privacy notice.
1. Purpose of processing data and the University's logical case register
The case management system Asta is intended for monitoring case management and therefore metadata describing the process and the identification of the documents is stored in the system. Documents received and drafted in the course of case management, such as decisions, contracts and instructions, may contain personal data. Personal data is collected only to the extent necessary to verify the authenticity of the process or document. The purpose of registering the case management is not only to ensure the verifiability, efficiency and due process of the University's official case management, but also to ensure transparency and access to information for citizens.
The case management system has an integrated e-service, where a person can initiate a case and follow the progress of their case. The service requires strong authentication. The form used in the e-service is transferred from the service to the case management system Asta when the user submits it for processing. You can log in to the e-service using the University of Turku username or Suomi.fi login.
An electronic archive is also integrated into the case management system. If a document is retained for more than 10 years, it is transferred from the case management system to the electronic archive for storage. In addition, data from other University systems that are to be stored and archived for a longer period are transferred to the electronic archive.
UTUmeeting is an electronic meeting environment connected to the Asta meeting management system and acts as a tool for the meeting participants. In an electronic meeting environment, meeting participants can view, for example, meeting agendas, attendance records, annexes and other supporting materials. The above-mentioned materials and the necessary information about the meeting participants (e.g. email address and University username) will be transferred from Asta to UTUmeeting for meeting management. The UTUmeeting data will be deleted at the latest five years after the end of the meeting.
The University's personnel process the data in the various systems within the limits of their job description and access rights. The correct processing of personal data is supported by an information management plan, which describes the retention periods for University documents. The University's logical case register is formed by several information systems and registers. Cases and documents are registered and stored in the case management system (Asta) or in another information system, such as the study record system (Peppi). The information management plan also details which documents should be registered and in which information systems the different documents are managed. For more information on information management plans, please see the following section 1.1 Guideline on information management at the University – information management plan.
1.1 Guideline on information management at the University – information management plan
The University's information management plan (available in Finnish) describes the information generated by the University's case management, regardless of the information system used to process the matter and documents.
The information management plan is an up-to-date description of the University's case management tasks and the related documents. The description includes the different steps of case management, the owners of the task processes, the documents related to the case management, the information systems involved in the case management, and the basic metadata of the documents.
Basic metadata includes, for example: retention period of documents, whether personal data is included, and initial document publicity or secrecy.
The information management plan is maintained in the University's information management system. The system provides process control and default metadata to the case management system and the electronic archive. In addition, the registrar adds document-specific metadata as the case progresses.
2. Personal data processed in the context of case management and the retention periods
Case management does not systematically collect confidential personal data, but such data may be included in the documents if it is necessary for the processing of the case.
The processing and registration process generates personal data, which may include the following information:
- the author of the document (the coordinator responsible for the document)
- the initiator of the case and, where applicable, the parties involved (name of the organisation or the person's first and last name)
- the sender of the document or representative (name, email address, address if any, and organisational details)
- information on the coordinator of the document/case
- actor (registrar, decision-maker, technical compiler of meeting documents)
- user group, user, role (name, username, email address, supervisor)
- the person signing the document (name, job title, email address, telephone number)
- recipient of the document, distribution of the document (name, email address, possible address)
In the administration of the user IDs of different systems, the following information about users is processed:
- First name and last name
- Email address
- AD identification
- Organisational unit
- Supervisor
- Membership of the organ and role in the organ (e.g. chairperson)
- Social security number
In addition to the personal data contained in the user management and metadata, the documents processed in case management, e-services, electronic archive, and UTUmeeting contain personal data required by the context of the matter. However, personal data is only ever collected and stored to the extent necessary to verify the authenticity of the process or document and to ensure the verifiability, efficiency and due process of the University's official case management as well as transparency and access to information for citizens.
The retention periods for personal data are indicated for each document in the University's information management plan (see section 1.1 Guideline on information management at the University – information management plan), which can be obtained upon request from the University's Registry (see section 4 Contact information). Documents and the personal data they contain are stored, archived or destroyed in accordance with the information management plan. The archiving of personal data is possible for archiving purposes in the public interest, for scientific and historical research, or for statistical purposes. Documents and data stored for more than ten years will be transferred to the electronic archive.
3. Basis for processing data
The registration of cases and related documents is based on the Act on Information Management in Public Administration 906/2019.
The University's right to process personal data as controller is based primarily on the performance of a task carried out in the public interest, the execution of public authority, or compliance with the controller's legal obligations. In certain cases, the right may also be based on a contract, the protection of vital interests of the data subject or another natural person, or the legitimate interests of the controller or a third party. The registration of case management is a prerequisite for the processing, retrieval, organisation and archiving of electronically generated data in accordance with access rights.
Laws and regulations governing the processing of personal data:
- Universities Act
- Act on Information Management in Public Administration
- EU General Data Protection Regulation, Finnish Data Protection Act
- EU Regulation on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS Regulation)
- Act on the Provision of Digital Services
- Act on Strong Electronic Identification and Electronic Trust Services
- Act on Electronic Services and Communication in the Public Sector
- Administrative Procedure Act
- Act on the Openness of Government Activities
- Archives Act
The basis for the collection of personal data is indicated in the University's information management plan (see section 1.1 Guideline on information management at the University – information management plan), which can be obtained upon request from the University's Registry (see section 4 Contact information).
4. Contact information
UNIVERSITY OF TURKU
Records Services
Yliopistonmäki
FI-20014 Turun yliopisto, Finland
kirjaamo@utu.fi
tel. +358 29 450 5126
5. Source of data
The personal data processed in the case management register is obtained from the involved parties or from the coordinator preparing the matter as part of their duties at the University. When the concerned party identifies themselves in the Suomi.fi service, their name and social security number are transferred from the population information system or the University's access rights management. The transfer of information is based on the performance of a task carried out in the public interest.
6. Disclosure of data
Data is not regularly disclosed outside the University. Upon request, individual documents can be disclosed in accordance with the law (see section 8).
For example, public meeting documents and decisions may be published on the University's website, where personal data is limited to the necessary personal data (e.g. person's name and job title).
The documents that are signed electronically are transferred from the case management system to the UTUsign service, where the information required for the signature request is transferred as well as the document to be signed. Once signed, the document is returned to the case management system. Signature requests and their documents are deleted from the UTUsign system when the signature request is completed. For more information about UTUsign, please see its privacy notice.
7. When applicable, information about transfer of data to a third country or an international organisation
The e-service uses Microsoft Azure, whose services are mainly provided within the EU. Limited access to the data is available from outside the EEA. The legality of such transfers of personal data is based on the European Commission's decision on the adequacy of data protection in the United States when data is transferred to a certified company in the United States, such as Microsoft. Microsoft is committed to complying with the transfer mechanisms and safeguards set out in the GDPR for any transfers of data to third countries.
For case management, electronic archives, the information management plan, and UTUmeeting, personal data is processed on the University's own servers.
8. Publicity, confidentiality and information requests
University documents are public in accordance with the Act on the Openness of Government Activities, unless they are expressly declared confidential by law. Public documents may contain personal data and may be disclosed or made available for inspection in accordance with the provisions of Section 13 of the Act on the Openness of Government Activities and Section 16 of the Data Protection Act (1050/2018).
Confidential information and personal data can only be disclosed if the recipient of the disclosure has a right to access the information based on the Act on the Openness of Government Activities or other legislation. The conditions of confidentiality applicable to University documents are Article 21 of the Patent Cooperation Treaty (PCT) and Section 24, Paragraphs 1–32 of the Act on the Openness of Government Activities. The Data Protection Regulation, the Data Protection Act and the Act on the Openness of Government Activities apply to the processing of personal data.
For more information, see the University's description of document publicity.
9. Rights of the data subject
You can make requests concerning the rights of the data subject to kirjaamo@utu.fi.
9.1 Access to your own data
- You have the right to know what personal data is being processed about you and what data has been stored about you.
You may submit an information request to the University. In such cases, the following procedure will take place:
The University will submit the requested information as soon as possible without undue delay. The requester must provide a separate proof of their identity if they are asked to do so. The deadline for disclosing the information or additional information related to the request is one month from receiving the request. If the information request is complex and wide-ranging, the deadline may be extended by two months.
The information is generally provided free of charge. If you request several copies, a fee based on administrative costs will be collected. If the information request is clearly without basis or unreasonable or you submit information requests repeatedly, the University may collect the administrative costs caused by the delivery of the information or entirely refuse to deliver the information. In such cases, the University must justify the decision it has made.
If the University does not deliver the information, a written statement on the matter will be provided to you. In connection with this, you will be informed of your right to legal remedies, for example, of your right to submit a complaint to the supervisory authority.
9.2 Right to rectification
- You have the right to demand that any erroneous, inaccurate or deficient personal data that applies to you is corrected or supplemented without undue delay. In addition, you have the right to demand the removal of any unnecessary personal data that applies to you.
If the University does not approve the correction request, a written statement is provided on the matter specifying the reasons due to which the demand was not approved. In connection with this, you will be informed of your right to legal remedies, for example, of your right to submit a complaint to the supervisory authority.
9.3 Right to erasure
Based on the legal basis for the processing of the data, you may have the right to demand the erasure of your personal data from the register. This right does not apply to such cases where the processing of personal data is necessary due to a legal obligation or the exercise of the official authority vested in the University of Turku. The storage and erasure of data is conducted in accordance with the University’s information management plan (TOS) and statutory data storage periods.
9.4 Right to object to processing
- Based on a personal and special situation, you have the right to object to the processing of your personal data at any time when the legal basis for the processing is the completion of a task concerning the public interest, the execution of public authority or the University’s legitimate interest. In such cases, the data may only be processed further if a special and justified reason can be presented for the processing of the data.
You have the right to object to the processing of your personal data for direct marketing purposes for no special reason and at any time.
9.5 Right to lodge a complaint with the supervisory authority
- You may submit a complaint to the supervisory authority if you feel that the processing of your personal data violates the EU’s General Data Protection Regulation (EU) 2016/679. In addition, you also have the right to exercise other administrative appeal methods and legal remedies. For more information, see www.tietosuoja.fi.
- Contact information of the Data Protection Officer at the University of Turku: dpo@utu.fi.
You also have the right to bring an action against the controller or organisation processing the personal data if you feel that your rights have been violated due to the fact that the processing of the personal data has not been done in accordance with the General Data Protection Regulation.
9.6 Further information
- The use of the service creates log entries which are used for ensuring the information security of the service, developing the technology of the service, and for detecting, preventing or investigating technical faults or errors (917/2014, Sections 138, 141, 144, and 272). The logs are retained for these purposes for the required time period and they will not be used for any other purposes.
The principles of personal data security are described on a separate page: https://www.utu.fi/en/privacy/data-security-description