The purpose and scope of the regulations

Diaconia University of Applied Sciences (hereafter Diak) aims to provide good, safe opportunities for information system and data network use, appropriate for a higher education institution.

Diak’s external image and its status in the data network community are linked to its own actions as a user of data communications. To ensure good and safe working conditions, all users and administrators must know their rights and obligations when using information systems and data networks.

In a network environment, abuses that focus on and take advantage of information technology are a major security risk, and every user’s careful and responsible action is an essential part of the defence against them. The purpose of these regulations is to define the rights and obligations of system users and administrators and to instruct users on safe practices.

These regulations apply to the use of all information systems and data networks controlled by Diak and connected to the Diak communications network including services made available by or authorised by Diak. The computer systems referred to here include the Diak communications network, Diak server systems and clients, personal and public computers in Diak premises, peripheral equipment, and, where applicable, phones and other mobile devices used as part of an information system or data network.

Information management services are responsible for the maintenance of Diak’s shared information systems and data networks. In information services, personnel with main user authority are called administrators.

The expert in charge of Diak information management, with jurisdiction over information management, is appointed by the rector’s current delegation decision.

Information management services can provide guidelines on the use of peripheral equipment, software, networks, and email, which supplement these regulations.

Current versions of regulations and guidelines are published in Diak´s staff intranet and in Learning Platforms / student intranet, under information management services.

1. Diak staff, and Diak degree and exchange students who have registered as either present or absent, have the right to use Diak information systems in their Diak-related work or studies. Continuing education and Open Studies students, and students of other universities studying at Diak, may be granted access rights if the prescribed course of study requires it.
2. The above-mentioned use of information systems requires a license, which is granted for a specified period by information management services. The license applies to general access rights. It covers the right to log on to the Diak data network and to public servers and services available on or via the network, as well as an email address and associated storage space.
3. The general license permits the use of available information systems for personal data processing and transmission, in moderation and in compliance with these regulations, if it does not interfere with professional duties or Diak functions. The person in charge of information management services will decide on other use or restrictions.
4. In special circumstances, information management services may grant greater rights than the general license for specifically identified information systems.
5. To access in Diak network the user must be identified reliably to ensure appropriate usage authorisation. For this reason, Diak applies authentication based on username and a password. Upon receipt of a license, the user engages to comply with current Diak regulations and with guidelines provided by information management services on the use of information systems. The user name and password are personal and may not be given to others under any circumstances. In addition, the user has no right to pass on to others any access rights to software and data that may be attached to these identifiers. Each user is responsible for all use occurring under his or her personal identifier. The use of other person´s user ID is prohibited, also upon the user´s own request.
6. Permission is required from information management services before attaching devices to Diak information systems or the Diak data network unless other provisions have been made for specific networks or systems. The provided guidelines must be followed when attaching devices.
7. Access rights for students on degree courses end upon graduation, when their right to study expires. The access rights of continuing education and Open Studies students end when the relevant course ends. The access rights of Diak staff end on termination of service.
8. When access rights have ended, unnecessary user-related information will be removed from the information system. Student records are archived in electronic format permanently for statistical purposes.
9. According to EU GDPR setting the user has a right at any time to request all information about itself that is saved in Diak’s information systems. Diak must fulfil this request without undue delay and the latest within 30 days and securely provide the information to the user.
10. If there is incorrect information about the user saved in Diak’s information systems the user has a right to request this information to be corrected.
11. User has the right to lodge a complaint to a supervisory authority in case they feel the controller has violated their rights detailed in this document.

Rights and obligations for authorized use

11. The license provides the right to use information systems, subject to rules and regulations. The use of software installed on systems and clearly intended for general use is also permitted. Everyone should always use only his or her own personal user name.
12. While using information systems, the user must comply with laws, regulations, and provided guidelines, as well as good manners. The user should be aware that provisions on the use of information technology exist, for instance, in the Telecommunications Act, Personal Data File Act, Copyright Act, and Act on the Protection of Privacy in Working Life, as well as in the Criminal Code. Systems must be used carefully, sensibly, and with respect for privacy. Users should consider data security issues in their own activities. Users are solely responsible for the content, legality, and appropriateness of their email messages and other documents.
13. Users of information systems must consider other system users. Both Diak information systems and external data communications should be used with moderation. No harm or hindrance may be caused to other users, organizations, or information systems.

Prohibited use

14. The unauthorized, wrongful use of information systems is prohibited.
15. It is forbidden to use Diak information systems for purposes other than those permitted above. It is specifically forbidden to:

• use Diak’s own data network or other data networks accessible through Diak without a license
• attempt to enter the system with a user name that does not belong to the user, or to exceed the powers or evade the restrictions on use attached to the user’s own user name
• allow an unauthorized person to see or use data, access to which is based on a specific license, apart from the normal disclosure of information for authorized purposes
• search for or use known or new security vulnerabilities in information systems, or use these to demonstrate or test their existence
• use system components or features that are clearly not intended for general use
• install for general use programs that appear to be part of the system’s normal operation.
• monitor or analyse network traffic
• prevent or falsify the normal creation of log data or other evidence of use
• prevent the operation of systems and programs that protect information systems, such as a firewall or virus protection, or circumvent them
• use Diak’s information systems to obtain, store, or distribute illegal materials, or for any other illegal activity
• search for, read, use, store, or distribute data belonging to another user without their permission
• send email messages as undirected mass postings, or contrary to the express prohibition of the recipient, or transmit or relay ads, malware, or chain letters liable to hinder data communications
• interfere directly or indirectly with computers, data communications, or other users’ activity, for instance by wasting or overloading the capacity of machines or the network
• use offensive language or send, distribute, present, or store written, visual, or other offensive material for general use.
• to create personal accounts to online services using Diak’s e-mail or username.

16. It is also forbidden, without separate permission from information management services to

• to install privately acquired or licensed programs on Diak computers
• distribute the resources of your own or a shared workstation on the net, or launch other net services on a workstation
• install on the system your own continuously or independently running service processes
• copy programs on the system for your own use, with the exception of public domain programs.

The user’s responsibility

17. Diak is responsible for technical security of its information systems and data network. It is user’s responsibility to use information systems and network securely and behave according to good manners. Diak will not be liable for damage or loss to the user or any third party resulting from the misuse of Diak information systems.
18. Diak is not responsible for the legality of material made publicly available by users except on websites related to Diak tasks. Users must themselves ensure, for example, that material does not infringe copyrights. Information management services can supply separate guidelines on how material protected by copyright may be published on websites related to Diak tasks.
19. Every user is jointly responsible for the security of information systems. Users are required to report evidence of information system security breaches and safety violations, including attempted violations, to Diak information management services. Reports should be made without attracting attention.

Administrator rights

20. Diak has legal authority to collect and process log data, identification data, and location data related to the use of information systems. Diak takes care of the security and confidentiality of this data. (Information Society Code 917/2014). http://www.finlex.fi/en/laki/kaannokset/2014/en20140917.pdf Original in Finnish:  http://www.finlex.fi/fi/laki/alkup/2014/20140917 and  Act on the Protection of Privacy in Working Life http://www.finlex.fi/fi/laki/kaannokset/2004/en20040759;  original in Finnish: http://www.finlex.fi/fi/laki/ajantasa/2004/20040759
21. To combat data security breaches and eliminate any disruption of data security, the administrators have the right to take necessary measures to ensure data security. This may be done, for instance, by blocking the transmission or reception of email messages, by removing malware that threatens data security from messages, and by undertaking other comparable technical measures.
22. Administrators have the right to control, restrict, and regulate the use of information systems connected to the Diak data network whenever this is necessary due to load monitoring, software or system upgrades, fault resolution, protection of systems, or other maintenance tasks.
23. Administrators have the right to access or otherwise intervene in a user’s files and network traffic, without the permission of the user, if clarification of a system disturbance requires it, or if there is reason to suspect criminal activity or other system abuse. Intervention in email content is allowed only by technical means in order to verify and remove a message, if there are reasonable grounds to suspect that the message contains a criminal computer program or that the message may be used for criminal disruption of data communications. Such measures will be terminated as soon as they no longer meet the conditions mentioned above. Access to other user files and network traffic requires the user’s permission.
24. When performing the above actions and other tasks, administrators will respect individual privacy and the confidentiality of messages, and avoid restricting those more than is necessary for the security of the network or communications service.
25. To ensure security and the trouble-free operation of data processing, Diak has the right to filter or restrict traffic and messages on the Diak communications network. This kind of filtering can be based, for example, on programmatic analysis of message content, and it may prevent material from reaching its recipient. Traffic may also be restricted based on a computer’s address.
26. Administrators are subject to an obligation of confidentiality.
27. Diak has the right and obligation to take measures to prevent illegal activities.

Processing rules for user-owned data

28. When an employee is absent from work and no other employee is handling a matter at the same time, Diak has the right to access messages in staff email folders that pertain to Diak, relate to Diak tasks, and are essential to Diak’s operations, as well as other comparable data related to Diak tasks on home directories or other Diak data storage media. In order to handle this task, Diak has the right, using the header, sender, or recipient data from the employee’s emails or other data, to clarify whether these are electronic material intended for the employer, within the meaning of relevant law. (Information Society Code 917/2014.)
29. To discover and open the material referred to above, the permission of the employee concerned should normally be sought. Material may also be used without permission if it is important and indispensable for Diak’s operations, delay must be avoided, and permission cannot be obtained in a reasonable time owing to the employee’s business travel or illness, or because the employee is unable to handle work tasks for some other unexpected reason, nor can the sender of the message be contacted in order to clarify the content of the message or have it resent to an address chosen by Diak. In such cases, the director of the competence area, or the Rector/Executive Director, can order the administrator to find and open the material.
30. Opening of the above-mentioned email messages or other material will be performed by the employee’s superior as representative of the employer, with the help of the system’s administrator and in the presence of another person. The participants will prepare and sign a record of the procedure, which will specify the material opened, why it has been opened, the opening date, the persons opening the material, and who has been given data from the opened material. The record will be provided to the employee. The content of opened material must be kept confidential from third parties.
31. The employee must ensure that confidential personal messages are clearly distinguishable from messages belonging to the employer, by saving them to a different folder.
32. The opening or reading of confidential personal messages or documents is prohibited. Email intended for another person should be forwarded to the correct recipient whenever possible. An obligation of secrecy applies to messages intended for others and obtained in this fashion.
33. The user’s email folders, other documents, and home directory will be deleted when the user’s computer access rights expire. Diak will not accept, forward, or store email arriving for the user’s email address, or any other documents, after termination of the user’s access rights.
34. Before termination of service, an employee should delete personal data from Diak information systems, and leave email messages and other documentation belonging to Diak for Diak’s use.
35. The user must open encrypted emails related to Diak duties as they arrive.

Other regulations

36. Email may be used with the administrator’s permission for mass mailing related to Diak’s own communication needs. Email lists maintained by Diak may be used only by Diak employees in the performance of their duties, unless other instructions have been given for the use of the list.
37. The space available for the user’s email messages and home directory, and the size of incoming messages, may be limited. If the user does not comply with restrictions on storage space, the administrator is entitled to delete the user’s documents, in which case the user will be notified without delay. Documents might have to be temporarily moved to another location without separate notice.
38. Users must log out of a session when leaving the immediate vicinity of a device. Even on devices in locked areas, users must not remain logged in, for example, overnight. Any user discovering an open session that has been either forgotten or left open due to a fault, must close the session immediately, or ask the administrators to close it.

Misuse and its consequences

39. Misuse of information systems means any activity that is not consistent with these regulations or which violates laws, such as the Personal Data Files Act, the Act on the Protection of Privacy in Electronic Communications, the Act on the Protection of Privacy in Working Life, the Telecommunications Act, the Copyright Act, or the Criminal Code or Decrees, or Diak regulations and guidelines.
40. Diak enforces the observation of these regulations. Cases of misuse will be handled in the first instance by Diak’s own clarification and control measures. When misuse is suspected, administrators have the right to prohibit or restrict the use of systems during analysis and investigation. Additionally, the following measures may be taken in cases of misuse:

• The user may be contacted for clarification when misuse is suspected;
• The Rector/Executive Director, director of the competence area, or personnel manager will give the person responsible for misuse a written or oral notice; and will apply usage restrictions or prohibitions for a fixed period or until further notice;
• Misuse by persons not in the service of Diak, such as students, will be handled according to the Act on Universities of Applied Sciences and The Government Decree on Universities of Applied Sciences (1129/2014) and Diak degree regulations;
• Costs related to clarification of cases of misuse will be charged to the person responsible for the misuse;
• The matter will be referred to the authorities, possibly for police investigation.

Validity of regulations

41. Diak can change the regulations without personal notice to users. Changes to the regulations can enter into force immediately. The person responsible for information management services will monitor the need to update the regulations.
42. These regulations will come into effect immediately and repeal the rules and regulations given before.