Data protection refers to the processing of personal data in a careful manner. Data protection concerns guidelines on best practices for the processing of personal data, and not data security per se. If personal data are collected, they must be held and processed with due care.
Diak will implement the EU’s General Data Protection Regulation (GDPR) as of 25 May 2018. The regulation applies to data that directly or indirectly identifies a person. Special attention must be paid to the storage and confidentiality of sensitive data. Sensitive data include, for example, health-related information and information about religious or political views and sexual orientation.
Data protection officer
According to the GDPR, the higher education institution must have a named data protection officer. The data protection officer is responsible for monitoring the legality of the processing of personal data and assists the higher education institution in its tasks relating to data protection.
The data protection officer serves as a contact with the oversight authority and supports staff and data subjects in questions relating to the processing of personal data.
Contact information
tietosuojavastaava@diak.fi
Diak’s data protection policy binds staff and students.
Data protection policy
The Executive Group of Diaconia University of Applied Sciences (hereafter Diak) has approved this data protection policy on 27 February 2018 as a binding set of guidelines which applies to the staff and students of Diak.
General
Data protection refers to the protection of personal data and other confidential or sensitive data concerning a person.
The Data Protection Policy of Diaconia University of Applied Sciences defines what is meant by data protection and how it is implemented.
Diaconia University of Applied Sciences complies with the EU’s General Data Protection Regulation (2016/679) and the provisions of other related laws and standards.
This policy applies to all personal data held by Diak and their processing, regardless of where data are processed and by what means and arrangements.
Diak ensures compliance with this data protection policy and legislation and will monitor the currency of the policy and revise it as and when necessary.
Statements
Diak will maintain a privacy policy statement concerning its data processing practices as required by law.
The implementation of the principles is described in the privacy policy statements of Diak’s individual operational areas.
Principles and implementation of the processing of personal data
The following principles must be adhered to in the processing of personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
Steps to implement the principles include the following:
- the processing of personal data has a lawful basis
- data subjects are provided with sufficient information about the processing of personal data
- students and employees who process personal data have completed data protection training
- data subjects are provided with effective means to exercise their rights, and their requests are responded to without delay
- risks relating to the processing of personal data are assessed from the point of view of the data subject; risks are minimised, for example, by means of pseudonymisation; and, if risks are deemed high, a data protection impact assessment is carried out
- only strictly necessary personal data are processed
- the accuracy of data is ensured
- data processing activities are documented
- data processing practices are reviewed regularly
- the principle of integrated data protection is adhered to
Diak must be able to demonstrate that the above principles concerning the processing of personal data are adhered to. Adherence to the principles is described in an annual data statement.
As an employer, Diak must ensure that all its employees understand and adhere to the principles and implement detailed processing rules and protection of special-category data (sensitive data).
Access to personal data is restricted to employees who have a legitimate need to view the data and only within the scope of the duties in question. Personal data cannot be disclosed without the individual’s consent, unless required by law.
Integrated data protection
Employees of Diak who are responsible for the specification and design of new or significantly modified systems that process personal data must give due attention to data protection and carry out necessary impact assessments.
Research, study and other projects may also require a data protection impact assessment, if the processing of personal data causes a risk to data subjects.
In research, data protection impact assessments are an essential part of the research ethics assessment process.
Responsibilities
Diak monitors compliance with data protection legislation by internal monitoring, audits, guidance and instruction. Diak produces guidelines for the necessary technical and organisational measures to be implemented by the institution’s functions.
Rights of data subjects
Diak will safeguard the rights of data subjects in accordance with the law. A data subject can request access from the controller to personal data concerning him or her, request rectification or erasure of his or her data, and restrict or block the processing of his or her data. The right to erasure does not apply to personal data which the institution processes on the basis of its statutory task, public interest or another legal obligation.
Data subjects have a right to file a complaint with the oversight authority.
Data subjects may have a right to have their personal data transferred to another system in the case of certain types of personal data.
Measures
Diak will train all its employees in the basic concepts and measures of data protection and offer more in-depth training where required.
Diak has a named data protection officer.
The data protection officer responds to questions relating to the data protection policy, compliance with the GDPR and other data protection legislation at Diak, and the processing of personal data at Diak.
In addition, the data protection officer is responsible for:
a) monitoring compliance with this data protection policy;
b) liaising with the oversight authority; and
c) upon request, providing advice about data protection impact assessments and monitoring and developing data protection practices.
Database-specific queries are dealt with by the contact desks specified in the privacy notifications and statements.
Communications to staff, data subjects and stakeholders
Information about this data protection policy and possible changes to it is published in Diak’s internal communication channels.
The Data Protection Policy of Diaconia University of Applied Sciences is effective until further notice. It is a public document and available on Diak’s external and internal websites.
Your right of access
Do you want to access your personal data held by Diak or have your data rectified or erased? You can do so by submitting your request on an electronic form. We will reply to your request within 30 days of receipt of the form.
If your request concerns the databases of Diak Library, please see the website of the Library and Information Services for further instructions.
Privacy Statements
In the privacy statements, we describe our data protection practices in the processing of personal data in more detail; the statements also contain information about the profiling of personal data carried out by Diak. If you would like more information about profiling or wish to prohibit profiling based on your data, please contact the Data Protection Officer directly (contact details at the bottom of the page). Please contact us from your Diak email address, if you have one.
