These instructions intended for teaching staff describe the most common situations where the teacher is responsible for protecting the personal data of students when organising a course.
The processing of student personal data in teaching must comply with the relevant legislation and university policies. The General Data Protection Regulation of the EU sets the minimum requirements for processing personal data in the EU countries. Other key statutes are the Universities Act (558/2009) andthe Act on the Openness of Government Activities (621/1999).
For additional information on the General Data Protection Regulation, see: https://inside.aalto.fi/display/ITServices/Data+Protection (requires sign-up with Aalto user identification) and information for students, see: https://into.aalto.fi/display/contact/Privacy+notice
2 Definitions related to data protection in teaching and processing study-related data of students
The controller of the personal data processed for teaching purposes is Aalto University. The university as an organisation is responsible for defining the purposes and means of processing personal data and ensuring data protection in the systems and processes used. Everyone who processes personal data as part of their work, such as a teacher, has a responsibility to protect the data and must comply with the related university guidelines. By protecting the personal data of students we wish to protect their privacy.
Personal data means any information relating to an identified or identifiable natural person. Student personal data include the student’s name, address, ID, e-mail address, other online identifier, photograph, course registration details, information on completed courses or any other information which on its own or when combined with another piece of information tells something about the student.
Sensitive data are data such as student health data and any details of personal study arrangements such as a recommendation on extending exam time. Teachers usually do not process sensitive student data in their work. Processing sensitive data is allowed only under very specific circumstances.
Processing personal data means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, combination, disclosure or destruction. For instance, creating a list of the students registered for a course and communicating the list to the other teachers of the course as well as storing an electronic or paper copy of it are all means of processing personal data.
In addition to the definitions set forth in the General Data Protection Regulations, the definitions in the following documents are relevant for student personal data.
The Universities Act (558/2009) uses the term study attainment.
Study attainment means, in these instructions, an exam response, assignment, essay, lecture diary or other assessed item produced by the student. Study attainments and their grades (study attainment entries) are marked in the Aalto student register (student information system). Courses may consist of several components, in which case the study attainment is entered into the student register only when all the course components have been completed in the requisite manner.
The Act on the Openness of Government Activities (621/1999) uses the term test results of students and candidates.
Pursuant to the act, test results are secret documents. Usually also study attainments such as exam responses constitute test results that are to be kept secret.
3 Publicity and storage period of study-related data
The provisions on the publicity and secrecy of study-related data are set forth in the Act on the Openness of Government Activities.
The special categories of data or sensitive data such as the students’ data concerning health referred to in the EU General Data Protection Regulation are secret data also pursuant to the Act on the Openness of Government Activities (621/1999). Course study attainments such as examination responses, assignments, essays and lecture diaries are usually secret documents. Not all personal data are secret under the Act on the Openness of Government Activities. For instance, results of the evaluation of study attainments, such as the total score in exams or the final course grade, are public information under the act. As results are also personal data, however, they cannot be freely published online or disclosed to any other members of the Aalto community than those who need it for their work duties. All personal data related to the student is to be processed confidentially and with care. See Student information requests by other parties.
Some of the periods for which study-related data is to be stored by the university are defined in legislation. A comprehensive description of the storage periods is provided in the Aalto University data management plan.
Study attainments completed during a course such as examination responses, assignments, essays and lecture diaries must be stored for a minimum of 6 months after their grading is complete. As a rule, study attainments must be destroyed no later than 1 year after the year the course has ended, unless a longer storage period has been approved by Aalto University or is necessary for a legitimate reason.
The final results of course grading or study attainment entries are stored in the student register (currently Oodi) permanently.
The evaluation results of course components must be stored for as long as they may be used towards the course in question pursuant to the degree regulations or curriculum. A longer storage period may be set for the evaluation results of course components by local agreement.
4 Processing study-related data in digital learning environments and by digital tools
Aalto University uses a variety of digital learning environments and teaching tools, many of which involve processing student personal data.
WebOodi is the principal course registration tool. From WebOodi, the teacher receives a list of the students registered for his or her course and as necessary, any background information necessary for organising the course, such as information that the student has completed the course prerequisites.
The course evaluation results may also be transmitted to the student register via WebOodi.
MyCourses is a learning environment used by the teachers and students of a given course. Each new course has to be created a new workspace on Mycourses, and any existing workspaces originally set up for a discontinued course are not to be re-used.
The data of students registered for a course are automatically transmitted from Oodi to MyCourses.
Persons who have been assigned user rights as a course teacher or assistant have access to the student data in the workspace. When assigning teacher-level user rights to a workspace, make sure that all those with teacher-level rights have a work-related reason for having access to student attendance details and activities in the workspace, as well as to study attainments with grading details. As a rule, there is no justifiable reason for students in a given course to have access to the study attainment details of others attending that course, and the students’ rights to access any other types of personal data of their fellow students should be kept to a minimum. For group work and peer assessed assignments, students should be given access only to such personal data of other students as is necessary for the assignments, see under Sharing a student’s personal data with other students in the course.
Notifying students of the results of exams and other study attainments should be done in accordance with the MyCourses instructions titled ‘Publishing grades’. See also Notification of examination grades and evaluation results on other study attainments for related instructions.
If you print lists of study attainments or their grades from a workspace, or save them on your computer and/or forward them to the student register, see instructions under Careful processing of study-related data during and after the course.
4.3 Other electronic teaching tools
Other tools used in online teaching include Panopto, wiki, Turnitin, blogs.aalto.fi, OpenLearning, Presemo, Microsoft Office tools, course feedback system, Exam. Before using any teaching tool, you should familiarise yourself with its data protection instructions. If you would like to process personal data using other services than those recommended by Aalto IT, you must first consult firstname.lastname@example.org .
5 Careful processing of study-related data during and after the course
Always process personal data carefully. Whenever possible, process personal data in the information system to which it was originally entered. Do not transfer personal data outside the original system, such as to Excel sheets, if not necessary. Store personal data securely. Destroy any unnecessary and outdated personal data. Do not store personal data just in case.
The course teacher-in-charge is responsible for making sure that study attainments and the results of their evaluation, if not submitted to MyCourses or to the student register (currently Oodi) during the course, are stored safe from third-party access in accordance with the instructions given by the unit organising the teaching. If you are unsure about the guidelines of your unit, contact the manager of academic affairs of your school.
Data related to course registration and to activities during the course that are saved in MyCourses are stored in the information systems for the retention period specified in the Aalto University records management plan. Consider the situations in which you would need to retain a separate list of students’ personal data after the end of a course, if all of the necessary information is already saved on MyCourses.
Keep documents containing students’ personal data in places with an adequate degree of information security (e.g. in an Aalto secure network folder). See that the data is destroyed once its storage is no longer necessary. Paper documents containing students’ personal data must be disposed of in a confidential waste bin.
Report any accidents or suspicious activity relating to personal data – Act swiftly. The best way to correct a mistake or counteract a threat is to tell about it immediately. Time is critical for minimising the damage.
If you notice any gaps in the data security of WebOodi, MyCourses or other information systems, or notice that personal data has been accidently made available to a third party through the actions of yourself or another person, or otherwise leaked, report it at once to Aalto University data security at: email@example.com .
6 Notification of examination grades and of evaluation results on other study attainments
Examination grades and the results of assessing other study attainments are reported in a secure network provided by Aalto University for this purpose, such as in a MyCourses space. Student examination results may only be reported in way that includes the student number without the student’s name or other personal data, or else in some other way where no student is directly identifiable from the list of the examination results. The recommended method is to communicate each student’s grades to the student directly, and to communicate to the whole class only a summary of the number of passes and failures according to grade.
Report student-specific grades only to the student alone whenever possible. If you notify all of the students of their results using the whole list of grades, do so by student number alone. If you publish the list on MyCourses, make sure the page is accessible only to the students of the course.
7 Sharing a student’s personal data with other students in the course
Minimise the personal data
Consider always what means would be sufficient to identify the student and be also in accordance with the principle of minimising the processing of personal data. Take care to ensure that other students will not be able to connect student names with student numbers on the basis of the material you distribute. It is not necessary to indicate a student number in seminar work, peer-assessed assignments or group work that is distributed to students.
If students in a course need information on other participants in the course or in a group, give them the student names, but never the student numbers.
8 Using email as a means of communication in teaching
Transfer personal data securely – Be sure of the recipient. If you send sensitive or otherwise secret personal data by email, remember to send messages as an encrypted email or material as an encrypted attachment.
Advising and giving feedback to students by means of your aalto.fi address to theirs is permitted by default, as is the sharing of information between Aalto teachers on matters concerning students. If the information in the email is sensitive (concerns a student’s health status, for example) or otherwise secret (e.g. contains a student’s responses to an examination), then one must be particularly careful with the data.
9 Requests for data or documents relating to teaching or study attainments
9.1 Students requesting their own information
In general, a student has the right to obtain all of his or her personal data that was collected and processed by a teacher for a course. Students have the right to obtain information about their own graded study attainments that have been recorded in writing or otherwise, as well as about the application of the evaluation criteria to their study attainments. The teacher in charge of the course is responsible for ensuring that students are reserved an opportunity to acquaint themselves with their own study attainments course and the application of the evaluation criteria to those attainments.
9.2 Student information requests by other parties
Do not release personal data to just anyone. Personal data may only be processed by persons whose job descriptions include such duties.
As a rule, study attainments are documents that must be kept secret and information on them may be released to no one except those who need it for their work duties, such as the teachers of a course. Some of the personal data of students, such as student names, information on course registration, and course grades, is not information that needs to be kept secret; however, the Act on the Openness of Government Activities (621/1999) and other data-security legislation do regulate the processing of such data. Therefore, the personal data on students in a course may not be published freely online or released to any enquirer.
If you receive a request for information concerning a student’s personal data from another student or from some other party and you are uncertain about how to process the request, contact the legal counsel, Learning Services.
10 The processing of data related to personal study arrangements
Students may apply for a recommendation from their school for personal study arrangements if necessary, for example, for diagnosed dyslexia. Applications for a recommendation as well as any attachments containing previously given recommendations or information on the student’s health status are confidential and contain sensitive personal data. Students who wish to have personal arrangements present the relevant recommendation to the course teacher themselves.
Information about recommendations may be given only to employees who need the information for their work duties, in order to organise examinations, for example. Secrecy obligations also apply to cases where one has received, either orally or in writing, information relating to personal study arrangements or to a student’s health status or functional ability. Recommendations and other sensitive information may not be sent by ordinary email. If the emailing of such information is necessary, it must be sent in encrypted form.
11 Student feedback and its processing
Aalto University has a centralised course feedback system. Coursefeedback.aalto.fi
Teachers may also collect other feedback on their courses from students. When collecting student feedback, the following data-protection matters must be observed.
The feedback constitutes personal data if either the teacher or the student can be identified on its basis. In such cases, the intended use of the data material should be defined in advance. Feedback questionnaires must also be designed in a way that prevents the unnecessary collection of personal data. The data may be processed only by an individual whose work duties include the processing of the data. The responses may be stored no longer than is necessary for the activity, and no more than five years in any case, after which the responses must be destroyed in a data-secure manner.
If the collected feedback is to be published, no personal data may be contained in the published information without the consent of the person(s) concerned.
For questions concerning data security and education, teachers may contact: Anna Johansson, Legal Counsel, Learning Services, firstname.lastname@example.org.