
Student administration and teaching
The university is the data controller in the case of students’ personal data processed for teaching purposes. The university determines the purposes and means of processing personal data and is responsible for data protection pertaining to the systems and processes used. Each university employee who processes personal data during their work duties is also personally responsible for data protection. Employees must follow the instructions given by the university and process personal data diligently. The protection of students’ personal data aims to secure the students’ privacy.
A data privacy notice for the data subjects is available for all of the permanent processing actions for which the university is responsible at
Personal data refers to all data relating to an identified or identifiable natural person. The personal data of a student includes the student’s name, address, social security code, email, other online credentials, photograph, information on enrolment to courses, information on completed courses, exam/entrance exam replies and any other data that, alone or when combined with other data, tells something about the student. Videos, photographs and voice recordings are also considered personal data if the person can be directly identified from them.
Sensitive information includes information on the student’s health or recommendations on special arrangements (such as longer exam time), for example. Teachers must take special care when processing such recommendations on special arrangements.
Processing of personal data refers to any actions involving personal data, such as the collection, saving, rearrangement, retention, editing, modification, searching, merging, disclosure and deletion of data. For example, creating a list of students who have enrolled on a course and communicating information about the list to other teachers of the course in electronic format or by using hard copy printouts is considered the processing of personal data.
In addition to the definitions in the General Data Protection Regulation, the definitions on documents containing students’ personal data listed below are important.
The term “study attainment” (opintosuoritus) is used in the Universities Act: here, the term refers to a student’s answer in an exam, an exercise, an essay, lecture notes or any other performance that is to be evaluated. Study attainments and the grades given for them (study attainment entries) must be made in Sisu.
The Act on the Openness of Government Activities includes the term “test results of students and candidates” (oppilaan ja kokelaan koesuoritukset): pursuant to the Act on the Openness of Government Activities, a test result is a confidential document. A student’s study attainments, such as exam replies, are also usually confidential test results. In addition to traditional classroom exams, the concept of test result as laid down in the Act on the Openness of Government Activities covers exercises and homework, for example. However, the nature of a study attainment may make it partially or wholly public (a study attainment may be an art project for an exhibition, for example).
Examples of public information:
- Which students study in which line
- Transcripts of study records and the information therein (completed courses, grades, crediting, enrolment as present/absent student)
- Approved theses
- Diplomas
Examples of confidential information:
- Exam information (exam replies and similar, including exercises and skills tests, as well as related grading entries; grades and scores are public information, however)
- Any documents containing information on a verbal assessment of a student’s personal characteristics (such as assessments of the student’s behaviour, character traits or singing voice)
- Any documents containing information on a student’s health, disability, health care or social welfare customer relationship, or rehabilitation (such as applications and decisions on special study arrangements)
- Any documents on a plan on/basic data for a thesis or an academic research project or any technical development work or other development efforts or an assessment thereof, unless it is apparent that disclosing the information will not cause any disadvantages (e.g. the plan for a thesis before the thesis is complete)
- Any documents containing information on a person’s participation in an association or on their leisure activities, family life, etc.
- Any ex-directory numbers, contact details subject to an order of non-disclosure for personal safety reasons and any other contact details which the person has requested to be kept confidential for a justified reason
Source: Korkeakoulujen opintotietojen tietosuojan käytännesäännöt 2017,
Please note that personal data may not be freely published online, disclosed to anybody who requests it or stored in a location from which anybody could retrieve it, even if the personal data is public. One cannot publish the study attainments of a public figure on social media, for example. All personal data of students must be diligently processed in confidence. For example, course grades and the names of students must not be published in a manner that would make them available to third parties (such as other students attending the course). The average grade of a course or a summary of the number of approved and rejected students may be published.
The retention periods of the study data of the university’s students are partially prescribed by law, but there are even more comprehensive regulations in the university’s information control plan. See:
Study attainments obtained during a course, such as exam replies, exercises, essays and lecture notes, must be retained for six months after grading. The study attainments must be destroyed in a secure manner after this period has expired, unless a longer retention period has been confirmed. Requests for study attainments may be made if a student wishes to review all of their data, which is why it is of utmost importance not to retain the data for an overly long period of time. Suspected cheating or an appeal may prolong the retention period.
Study attainments are permanently saved in Sisu and a nationwide data warehouse. Teachers do not usually need to retain any lists containing students’ personal data after the course has ended and the grades have been saved. Furthermore, as a general rule, student data may not be used for any other purposes than the realisation of the course in question. If enrolment lists or lists including grades for study attainments are printed out or if lists of students in attendance are made in the classroom, the lists must be properly stored and destroyed once retaining the data is no longer necessary.
The results of partial study attainments completed during a course must be retained for as long as they are required to complete the course.
The processing of personal data usually has a beginning and an end. Take this into account in your actions. Try to create an operational culture where the retention periods laid down in the information control plan (TOS) are followed. Don’t forget to regularly declutter your network drives and other personal data retention locations.
Avoid creating separate Excel spreadsheets containing personal data. If creating such files is absolutely necessary to complete a work duty, make sure that the data will be deleted.
If data is collected using survey software, such as Webropol or Plone, make sure that the data will be deleted.
Avoid unnecessary printing and processing of personal data as hard copies.
The owners of information systems maintained at the university level are obligated to ensure that data retention periods are followed and archiving and deletion are appropriately arranged or provide separate instructions if a teacher needs to take any special action to ensure that these actions are appropriately arranged. If you independently process student data (by email or on a network drive), you must follow the retention periods laid down in the information control plan.
There are many definitions of learning analytics. Usually, learning analytics refers to the measuring, collection, analysis and reporting of data on learners and learning events in order to understand and optimise learning environments. A description of purpose, a risk assessment and checking that learners have been informed are always mandatory when learning analytics are used. There are separate instructions on these.
Always process personal data with care.
Whenever possible, process personal data in the system from which they originated. Do not unnecessarily transfer any personal data from the original system to Excel spreadsheets, for instance, or print any personal data on paper without a justified reason.
Always use personal data only for the purpose for which it is intended. There must be a predetermined legal basis and intended use for the personal data (which are indicated in the data protection notice). Student data is primarily processed to arrange teaching and guidance.
Always store personal data in a safe manner. Destroy any unnecessary and outdated personal data. Never retain personal data “just in case”.
Exam replies on paper must be stored in an area covered by an access control system or inside a locked cabinet in a locked room. If they are stored in an open area, they must be placed in a safe. For more information on which data may be stored and where, please see part II of the instructions on the classification and processing of confidential information,
If you notice any damage done to personal data or any suspicious activities involving personal data, such as phishing, immediately report the incident. Also report any lost or stolen computers/phones. You can report incidents
Always consider on a case-by-case basis what is a sufficient means of identifying students from the perspective of minimising the utilisation of personal data. For example, make sure that other students will not be able to connect student names with student numbers on the basis of any of the materials you distribute. Including student numbers in term papers, exercises to be subjected to a peer review or group work assignments is not necessary.
If the students need to know who else is in the course or group, reveal their names but not their student numbers.
Student requesting their own information pertaining to teaching
Usually, a student has the right to obtain information about the personal data the teacher collects and processes during a course. Students have the right to receive information about their graded written study attainments or study attainments saved in another format, as well as on which assessment criteria were applied to their study attainments. The responsible teacher of a course is obligated to ensure that students are given an opportunity to view their study attainments and the assessment criteria that were applied to those study attainments. Usually, such requests are fulfilled as part of the teaching or student guidance.
Student wishing to exercise their right to review, correct or delete their personal data or any of the other rights pursuant to the GDPR
Such requests must be submitted to the registry office where they will be included in statistics and forwarded for processing. The registry office’s website includes a form for this purpose: /fi/yliopistopalvelut/kirjaamo.
A request can also be submitted in free form. Such free-form requests must be submitted to the registry office for information. Exercising the right to review usually requires verifying the person’s identity. If a student announces a change of address, processing it as a correction is usually not necessary, in which case the request need not be submitted to the registry office.
Someone else requests a student’s data
Do not disclose personal data to just anybody. Personal data may only be processed by people whose work duties require the processing of personal data.
The study attainments of a student are usually confidential documents, which means that information about them may only be disclosed to persons who need the information in the course of their work duties, such as other teachers of a course. Some personal data of students, such as names, the courses on which the students have enrolled or grades, are not confidential information, but the Act on the Openness of Government Activities and data protection legislation regulate the processing of such data. Hence, the personal data of the students in a course cannot be freely published online or disclosed to anybody from the personal data register. Legislation restricts when it is a question of disclosure and when it is a question of another form of surrender of information. For example, a student’s transcript of study records can be viewed by anybody, because it is a public document, but handing over a hard copy or an electronic copy to anybody is not possible.
If you receive a request for study information from a student or another party and you are unsure of how to process the request or you feel that you are not the right person to process the request, please contact the university’s data protection officer (tietosuoja(at)jyu.fi) or the university’s lawyers (legal(at)jyu.fi).
There is a form for disclosure requests on the website of the registry office. Student data may be disclosed on the basis of a research permit for academic research purposes, for example.
A student may apply for a recommendation due to diagnosed dyslexia, for example. Applications on recommendations, related health data and issued recommendations are confidential documents that include sensitive information. A student will present the recommendation to the teacher themselves if they want to use any of the personal arrangements during a course, or the matter will be processed based on a written authorisation from the student.
Information on recommendations may only be disclosed to people who need the information during their work duties, such as when arranging an exam. For example, a recommendation on an extended exam time must not be marked in a manner that would be visible to all the students in the course. Please note that you have a confidentiality obligation regarding any information you obtain in writing or orally on personal study arrangements or the health or functional capacity of a student. Recommendations or any other sensitive information must not be sent via regular email. If sending the information by email is absolutely necessary, secure email must be used.
The university collects course feedback with Webropol.
Teachers also have the right to collect additional student feedback on their courses. When collecting student feedback, however, data protection must always be considered, i.e. the students must be informed of the fact that their personal data will be processed (with a separate data protection notice, if necessary).
If the students or the teacher can be identified based on the feedback, it is a question of the processing of personal data. In such a case, it must be determined in advance which datasets containing personal data will be used. Furthermore, the survey must be designed in a manner which does not require the collection of any unnecessary personal data. The data may only be processed by persons whose work duties involve the processing of such feedback.
If the feedback will be published, the published information may not include anybody’s personal data without their specific consent.
If the personal data of children, such as names, photographs or video recordings, is to be processed during a course, the teachers of the course are usually not in direct contact with the day-care center or school. For example, it may be a case of wishing to photograph children who are working on a specific theme to include the photos in written coursework or analyse them with the group. In such a case, the students must be provided with detailed instructions, especially if the university requires taking photographs of the children in order to complete the course. The student must contact the day-care center/school to find out what has been agreed with the parents on photographing the children. Some schools have made agreements on photography and video recording with parents (through Wilma). If such agreements do not cover photography by a student, the student must obtain consent. The processing of personal data requires a clearly specified purpose.
In a case where the photographs will be used for purposes other than publication as part of coursework or a peer review, even if this will not take place in an open data network, a permit is required (such as a permit in Moodle for the other attendees of the course). You should also note that due to copyright, a presentation or drawing made by a child cannot be published without their guardian’s consent. The consent for photography and publication from the guardian should be obtained in writing. The child must also be willing to have their photo taken. Other issues to be taken into account include the fact that photos may only be taken in public premises, such as a yard area, but not in a dressing room, for example, and if a specific child is being covered instead of the operation of the day-care center as a whole, more specific consent from the guardian is required for the photography and publication of the photo. In such a case, the situation (the nature of the coursework) and the time when the photographs will be taken should be explained to the parent in more detail.
The child also has the right to be informed of the processing of their personal data in a manner that suits their development stage (a data protection notice in plain language).
. This includes open learning materials and open learning and teaching practices. They may also raise data protection issues.
For example, in the privacy notice for events, if the registration is done in Kongressi or Webropol and there is an appropriate link to the notice, the participant is informed about the use of photography and videoing. The necessary information can also be provided orally in a fully open event.