Skip to content

Rules of use (UO)

Keywords: , , , , , , , , , , , , ,

The contents of this instruction:

Rules of IT service use

In brief

  • These binding rules concern all users. Including you.
  • These rules apply to the use of all of the university’s IT services, hardware, software and networks.
  • The university authorises users to access its IT services by granting user IDs (user accounts) or making services available.
  • Every user is personally responsible for all use of the services with his/her user ID.
  • The provided IT services are intended for work- and study-related use.
  • They may also be used for personal purposes within reason and in keeping with laws and good practices.
  • Other users’ privacy and ownership of information must be respected at all times.
  • Use of the services for any commercial or propagandistic purposes is forbidden.
  • Unauthorised use is forbidden.
  • Use of services is monitored, and breach of these rules will be sanctioned.

Further specifications to these rules are provided below.

Rules of IT Service Use as a whole

The Rules of IT Service Use bind and obligate all members of the university community, users of IT
services and systems, and all units of the University.

These rules apply to all of the University’s IT services and hardware, and the use thereof, also
including services made available or authorised by the University. Examples of such services are
CSC’s services HAKA, Funet, etc. Some of the University’s services are cloud services and in addition to these rules and service provider’s own terms of use, Terms of cloud service (to read this, log in with your university account) apply to the use of them.

Usage authorisation

Usage authorisation is granted by issuing a user ID or making the service available

Authorised users are allowed to use the university’s IT services. Compliance with the Rules of IT
Service Use is a prerequisite for authorisation.

  • The scope of usage authorisation depends on the user’s status and tasks (roles) at the
  • one person may have several roles.
Usage authorisation is granted for a fixed term

The authorisation expires when

  • the person is no longer a member of the university community
  • the granted fixed term user ID expires
  • the person’s role changes, and the new role does not make him/her eligible to use the IT

Usage authorisation can be restricted if there is justified reason to suspect that information security
has been compromised or the services have been abused.

The user must remove all personal e-mails and files from the system before the expiry of his/her
usage authorisation. The user account is automatically turned off 14 days after expiry of the usage
authorisation and receiving email is blocked. The University will delete all files and mailbox contents
when 12 months have passed since the expiry of the user ID or usage authorisation. University staff
members, as well as students who have worked in research teams or participated in other such
activities, must transfer all work-related messages and files to the person specified with the

All users must uninstall any software based on employee or student licenses from their home
computers when their employment or study right ends.

User ID

  • Users are identified (authenticated) with the user ID (user account)
  • every user must have an individual ID for all IT services that require authentication.
Group IDs can be granted upon request for special purposes

The use of group IDs can compromise the confidentiality of information. For example, in the case of
using an administrator-level group ID in order to use special software in a computer lab.

  • The user who applies for a group ID is responsible for the distribution of the ID
  • group IDs may only be used for the purpose specified in the application and granted permit
  • every group ID user is responsible for his/her actions conducted using the ID.
Every user is personally responsible for his/her user IDs

User accounts must be protected using strong passwords and complying with other instructions. If
there is reason to believe that a password or other account details have been compromised, the
password must be changed or the use of the compromised element must be prevented immediately.

  • Never dispose or lend your username and password to other persons
  • each user is responsible for all actions conducted using his/her ID
  • users are financially and legally liable for any damage or loss caused using their ID
  • the use of another person’s ID is forbidden, even upon the user’s own request.

Users’ rights and responsibilities

The IT services are intended for work- and study-related use

The University’s IT services are intended to serve as tools in tasks related to studies, research,
teaching or administration.

Small-scale private use is allowed

Small-scale private use refers to such actions as private e-mail conversations and online service use.
However, private use must never

  • disturb other use of the system
  • breach the rules and instructions of IT service use.
Commercial or propagandistic use is not allowed

Special permission for these purposes can, however, be applied from IT Management.

  • Commercial use is only allowed in cases assigned by the University
  • use for pre-election campaigns or other political activities is only allowed in conjunction with
    the University’s elections and activities of the Student Union, student organisations or trade
  • all propagandistic use is forbidden
  • unnecessary consumption of resources is forbidden.
Laws must be observed
  •  Material that is illegal or against common manners must not be published or distributed.
Everyone is entitled to privacy

The right to privacy, however, does not cover all work-related material that is in an employee’s

  • All materials that are in students’ possession are deemed to be private.
  • Staff members must clearly separate their private materials from work-related ones e.g. create a directory entitled “Private”. This rule also applies to students working for the University.
Information security is everyone’s responsibility

Any detected or suspected breaches or vulnerabilities in information security must be immediately
reported to Campus ICT support service: ict (at)

  • Personal passwords must never be disclosed to anyone
  • everyone is obligated to maintain the secrecy of any confidential information that may come
    to one’s knowledge
  • abuse, copying and distributing other users’ private information is forbidden.

As a precaution, the University is entitled to restrict or revoke the right to use its IT services.

Setting up unauthorised services is forbidden

Only devices approved by the University may be connected to the IT network. Only services
authorised by the University may be produced using the university’s IT networks.

Bypassing information security mechanisms is forbidden

Usage rights must never be used for any illegal or forbidden activities, such as searching for
vulnerabilities in information security, unauthorised decryption of data, copying or modifying
network communications, or unauthorised access to IT systems.

Parts and features of IT systems that are not clearly made available for public use – such as system
administration tools or functions prevented in system settings – must not be used.

Phishing for information and deceiving users is forbidden

Cheating and unauthorised acquisition of information is forbidden.

Other clauses


These Rules of IT Service Use become effective 20.11.2013 and replace the earlier version of
corresponding rules. After the date specified above, all new IT services must be produced according
to these rules.

Change management

These rules will be reviewed when needed to ensure that they comply with all valid services and
laws. Any significant changes to these rules are addressed according to the co-operation procedure.

The information security officer makes decisions concerning change needs.

Information about changes is distributed using the regular communication channels, never

Exceptions from the Rules of Use

Permission for exceptions from the Rules of Use can be granted for compelling reasons upon a
written application. Exceptional permits are granted by the CIO. The permits may include additional
terms and conditions, restrictions and responsibilities.


Compliance with the Rules of Use is overseen by the IT department, owners of services and IT
services, as well as supervisors within their job descriptions. Breaches of the rules lead to sanctions
according to the Consenquences of IT Service Abuse.

E-mail rules

In brief

Every e-mail user has one or more roles

  • There are slightly different rules, for example, for staff members and students.

All rules must be obeyed

  • Use different passwords in the university services and in external services
  • apply thorough consideration before using the university e-mail address for private purposes
    (see Rules of IT Service Use)
  • if you mistakenly receive e-mail intended for someone else, forward the message to the correct
    recipient, and inform the sender of the mistake
  • remember that the privacy of correspondence also applies to e-mail
  • make sure you have enough free space in your mailbox
  • don’t distribute spam
  • don’t leave any private messages in the university mailbox when your user rights expire.

Staff members

  • Always use the university e-mail address for work-related correspondence
  • send confirmations to e-service messages without any delay
  • don’t transfer or automatically reroute workrelated e-mail to external e-mail accounts
  • keep your private and work-related messages separated, also the sent ones
  • make sure your e-mail is monitored during your absence
  • if you use an out-of-office message, instruct recipients to use the organisation address
  • only use e-mail encryption methods supported by the University
  • if you are about to leave the University’s employ, transfer all e-mail messages that are relevant for the organisation to the correct persons responsible users before your user rights expire.


  • Use primarily the university e-mail account for study-related purposes
  • for receiving university’s announcements to the correct email address always inform your address to
    the university’s services and information systems that you use
  • when you contact university through email, remember always to inform your name and contact information in a message
  • all messages sent and received in the role of a student are private
  • if you have an employment contract with the University, you are also bound by the staff members’ rules; moreover, you must keep your work- and studyrelated e-mail clearly separated.

Mailing list owner

  • Keep the list up to date (correct, valid addresses, brisk moderation)
  • request the deletion of your list when it is no longer in use.


  • Make sure that all relevant organisation addresses are available
  • make sure that the organisation addresses are used in your unit’s communications
  • appoint users responsible (with deputies) for monitoring the organisation addresses.

Organisation address owner

  • Establish procedures for message handling, back-up and informing other handlers
  • change the password of the organisation e-mail account regularly, and always after an e-mail
    handler (who knows the password) leaves the organisation.

Further specifications to these rules are provided below.

E-mail rules as a whole

These e-mail rules concern all users of the university’s e-mail systems. The parts aimed at university staff members concern all of the University’s units, their employees and other users in corresponding positions (such as scholarship-funded researchers and emeritus/emerita professors). The rules also concern all users responsible for e-mail systems.

The e-mail rules comply with the currently valid laws and regulations.

The sender is responsible for making sure that the message delivery has been successful. Particularly crucial messages should be sent well before the deadline, and the recipient should be asked to confirm receipt.

Privacy of correspondence also applies to e-mail

If a user receives an e-mail message intended for another person, the unintended recipient is obligated to maintain the secrecy of the message and refrain from utilising its contents or the knowledge of its existence.

  • According to the Administrative Procedure Act (434/2003), Section 21, a document delivered
    by mistake and dealing with administrative matters beyond the recipient’s competence shall
    be transferred to the authority deemed to be competent, and the sender of the document
    shall be informed about the transfer; if such a transfer is not possible, the message shall be
    returned to the sender and deleted from the university’s e-mail system
  • all other received messages intended for another user must be returned to the sender.

The forwarding and returning obligation does not concern messages containing malware or spam.

E-mail addresses

The organisation address is an official e-mail address

The organisation address is used for official matters and service provision.
The organisation address is formed according to a certain formula, for example:

  • university-level:
  • unit-level:
  • role-level:
The work e-mail is a personal e-mail account provided for work-related use
  • Example:
  • Work e-mail messages are related to both the work e-mail account and the user’s job.
  • As default, the University considers e-mail messages received to the work e-mail account to
    be private messages.
  • In outgoing e-mail messages, the organisation address or the work e-mail address formed from
    the user’s name must be given as the sender’s address.
The study e-mail is a personal e-mail account provided by the University for its students
  • Example:
  • The study e-mail account is primarily intended for study-related use.
  • The University considers students’ e-mail messages to be private messages.
  • The sender’s address in outgoing e-mail messages is the study e-mail address formed from the student’s name.
  • The student can forbid the publishing of his/her e-mail address outside the University.

Every e-mail service user is personally responsible for keeping his/her mailboxes clean and ensuring that the reserved space does not run out.

The University determines the e-mail addresses and their format

Various domain-based addresses related to certain roles are used at the University of Oulu, for

  • organisation addresses could be of the format
  • staff members’ addresses could be of the format
  • students’ addresses could be of the format
Staff and student e-mail addresses are formed from the user’s name

If another user with exactly the same name joins the University, the original user’s e-mail address
may be changed. A person who first receives an address of the format
forename.surname@(student.) can keep it, and for the namesakes an address is of the format
forename.middle name’s first letter.surname@(student.)

Use of e-mail and e-mail addresses

  • The name-based address must be used as the personal e-mail address
  • the organisation addresses are used in the university’s communications
  • the organisation address or work e-mail address must be used in work-related matters.

The handling and archiving of e-mail messages received to the organisation or work e-mail account
are governed by the Act on the Openness of Government Activities and the university’s archive
creation plan.

  • It is forbidden to transfer or automatically route e-mail messages from the organisation or
    work account outside the University; this is due to reasons related to information security,
    data protection and information management; in addition, it may constitute a breach of the
    Personal Data Act
  • if a received message contains a confirmation request or is part of an e-service (1), the
    message handler must send the confirmation immediately
  • only e-service systems are allowed to use automatic receipt confirmations.
Organisation addresses have owners

The owner must make sure that messages received in the organisation address are handled on a
regular basis and according to the archive creation plan, even when the owner is absent.

  • E-mail messages received in the organisation account belong to the employer
  • the address owner must respond to any received messages immediately
  • the response must indicate that it is a reply to a message sent to an organisation address
  • organisation addresses must not be used for personal communications.
Messages related to work e-mail accounts are treated as private messages
  • The University can retrieve and open an employee’s e-mail messages in certain cases and
    certain ways as defined in separate guidelines: Retrieving and opening an employee’s e-mail
  • work-related e-mail messages sent by employees must, when applicable, clearly indicate
    whether they are official statements related to work or the employee’s personal opinions
  • when responding to applications or other such matters related to public administration, the
    response message’s reply address must be an organisation address

    • instead of changing the reply address, the sender can be advised to use the
      organisation address in the future
    • the original message and the response are transferred to the organisation address
      for archiving
    • If you are not aware of the suitable organization address you can check it from
      Campus ICT ict(at)

The e-mail account provided by the University can be used for private purposes within the
limitations set forth in the university’s Rules of IT Service Use.

  • Employees must clearly separate their personal and work-related e-mail messages, both
    those received and sent
  • if a user is both a student and a staff member, the e-mail messages related to each role must
    be clearly separated from each other.
External e-mail service must not be used for university-related tasks

Access to external e-mail services from the university network can be technically restricted, if such
services are deemed to form a major data security risk.

Use personal auto replies with caution

Auto replies entail a risk of spam flow, but if one is nevertheless deemed necessary, it should advise
the recipient to contact the relevant organisation address.

E-mail must be monitored even during absence

One option is to close the mailbox (for example, during long leaves of absence). The recommended
practice is to instruct clients to use the respective organisation address for all contacts.

The e-mail account is fixed-term

Personal messages should not be left in the university mailbox when the usage right expires.

Employees must agree with their supervisor on the transfer of work-related messages to another
user within the university organisation. If an employee resigns from his/her duties before the expiry
of the employment contract, the employee, or his/her supervisor, can request the discontinuation of
incoming e-mail immediately.

E-mail messages can be encrypted

All applications used for encrypting organisation- and work-related e-mail messages must be
supported and implemented by the University.

  • If a received organisation- or work-related e-mail message is encrypted so that only the
    recipient can decrypt it, the message must be decrypted immediately after receipt; this rule
    does not apply to messages containing malware or spam
  • after decrypting, the message can be encrypted again so that all handlers can open it.

In terms of information security, non-encrypted e-mail can be compared to a postcard.

Mailing lists have owners

The owner must keep the list moderated, regularly check that it is up-to-date and remove any
redundant addresses from the list.

  • The list owner is responsible for maintaining and removing joint mailing lists.
  • Personal mailing lists are each user’s own responsibility.

A mailing list forms a person register and, hence, it may be subject to confidentiality obligations and
separate limitations of disclosure. If such rules apply, use the blind carbon copy (bcc) function in
order to keep the list’s addresses hidden from recipients.

Mass mailing and sending/forwarding chain letters is forbidden

Exceptions to this rule can be made upon separate decisions.

Service provision and administration

System administration can intervene in e-mail traffic

in order to secure the service level or safety of the e-mail system. Such interventions, as well as email usage monitoring and log-keeping, are governed by separate instructions.

E-mail is checked and filtered

All e-mail traffic goes through an automatic content analysis, based on which

  • messages and attachments containing malware are automatically deleted
  • the delivery of harmful, oversized or numerous attachments can be restricted.

In addition, filtering and deletion without notification can be applied to messages

  • sent from known spam servers
  • classified as spam based on the automatic content analysis.
The e-mail address no longer works

The e-mail address no longer works when the usage authorisation has expired. Messages sent to a user whose e-mail account is no
longer valid will not be delivered; longer valid will not be delivered; instead, an automatic message is sent to inform the sender about
the expiry of the address. When an e-mail account expires, all its re-routing arrangements also
become invalid.

Other clauses


These e-mail rules become effective 20.11.2013 and replace the earlier version of corresponding

Change management

These rules will be reviewed when needed to ensure that they comply with all valid services and
laws. Any significant personnel-related changes are addressed according to the co-operation
procedure. The IT Director makes decisions concerning change needs.

Information about changes is distributed using the regular communication channels, never

Deviations from the e-mail rules

Permission for exceptions from the e-mail rules can be granted for compelling reasons upon a
written application. Exceptional permits are granted by [the IT Director]. The permits may include
additional terms and conditions, restrictions and responsibilities.


Compliance with the e-mail rules is overseen by the IT services. Breaches of the rules lead to
sanctions according to the Consequences of IT service Abuse.

Rules of wlan use in brief

The wlan connections that have been built in the connection of the network of the university have been meant for the on the university working or studying persons’ use. The use rule of the wireless local area networks of the University of Oulu applies to the use wlan with the cordless data terminal equipment (for example a smart phone, tablet, laptop).



« Back

This article was published in categories English version available, All instructions, for the University of Oulu staff, for the University of Oulu students, accessible content, UniOulu and tags , , , , , , , , , , , , , . Add the permalink to your favourites.