You may apply this guideline, together with the guideline Information Classification Based on Content and Considerations for the Processing of Personal Data, to services that are commonly and widely used at the University of Oulu and Oamk. You may process confidential information in services procured by the university, unless legislation, a contract, or the data owner imposes restrictions on the processing of the information. In addition, organisational units may create their own information‑handling instructions for services used within their unit.
It is important to note that the information classification does not determine whether information is public or confidential under the Act on the Openness of Government Activities. The classification is based on the potential harm that the disclosure of information of each class to unauthorised parties could cause to the university.
When personal data is involved, in addition to harm to the university, the risk to the individuals concerned is also assessed.
The Act on the Openness of Government Activities (Finlex, in Finnish) separately defines documents that must be kept confidential. Guidance on confidentiality under the Act is provided outside of this instruction (see Patio: Publicity of documents for more).
- Processing Information Assets in Contractual Services Managed by the University
- Processing Using Contractual AI Services
- Processing in Non‑Contractual Cloud Services
- Processing on University Workstations, Network Drives, USB Drives, or Other Devices
- Sending Information by Email and Other Methods
- Remote Access to Information Assets
Processing Information Assets in Contractual Services Managed by the University
| Environment | Open (5W) | Internal (4G) | Confidential (3Y) | Confidential restricted (2A) | Secret (1R) | Restrictions and notes |
|---|---|---|---|---|---|---|
| OneDrive for Business (More info: personal storage spaces) | Allowed | Allowed | Allowed | Allowed | Not allowed | Ensure access rights are limited only to those authorised to handle the data. |
| Google account for education - Google Drive (contractual Google Drive) | Allowed | Allowed | Allowed | Not allowed | Not allowed | Ensure access rights are limited only to those authorised to handle the data. |
| Other contractual external cloud service | Allowed | Allowed | Allowed | Not allowed | Not allowed | Ensure access rights are limited only to those authorised to handle the data. |
| Microsoft SharePoint, Teams, or other workspace restricted to an internal university group (More info: Shared storage) | Allowed | Allowed | Allowed | Allowed | Not allowed | Ensure access rights are limited only to those authorised to handle the data. |
| O365 MS Dynamics | Allowed | Allowed | Allowed | Not allowed | Not allowed | Ensure access rights are limited only to those authorised to handle the data. |
| Microsoft Viva Engage | Allowed | Allowed | Not allowed | Not allowed | Not allowed | |
| CSC IDA Service (More info in Patio: Research storage) | Allowed | Allowed | Allowed with restrictions | Allowed with restrictions | Not allowed | Intended for long‑term storage of completed research data and raw data. Store confidential data in pseudonymised form. |
| CSC Allas | Allowed | Allowed | Allowed with restrictions | Allowed with restrictions | Not allowed | Suitable for large data volumes. With restrictions: Store confidential data in pseudonymised form. |
| CSC SD services | Allowed | Allowed | Allowed | Allowed | Not allowed | Designed specifically for processing personal data and other sensitive information. |
| Eduuni workspaces (More info: Shared storage) | Allowed | Allowed | Allowed with restrictions | Allowed with restrictions | Allowed if encrypted | With restrictions: non‑university members may need non‑disclosure agreements. Encryption: protect data using encryption (see File encryption) or use the “Restricted access” subclass for Secret‑class data, which encrypts the file. |
| CSC ePouta service | Allowed | Allowed | Allowed | Allowed | Not allowed | ePouta is intended for processing sensitive research data. Not intended for long‑term storage; data is not backed up. |
Processing Using Contractual AI Services
| Environment | Open (5W) | Internal (4G) | Confidential (3Y) | Confidential restricted (2A) | Secret (1R) | Restrictions and notes |
|---|---|---|---|---|---|---|
| Microsoft Copilot | Allowed | Allowed | Allowed | Not allowed | Not allowed | In Copilot for M365, processing of 2A and 1R classes is technically blocked. |
| Other contractual AI tools | Allowed | Allowed | Allowed | Not allowed | Not allowed | Users must ensure they do not input data outside permitted classes into AI services. |
Processing in Non‑Contractual Cloud Services
| Environment | Open (5W) | Internal (4G) | Confidential (3Y) | Confidential restricted (2A) | Secret (1R) | Restrictions and notes |
|---|---|---|---|---|---|---|
| Storage in public consumer cloud services (e.g. Dropbox, Google Drive, iCloud, OneDrive) | Allowed | Not allowed | Not allowed | Not allowed | Not allowed | Not allowed: Process work‑related data using M365 cloud services. |
| Processing in public consumer AI services (e.g. ChatGPT) | Allowed | Not allowed | Not allowed | Not allowed | Not allowed | Use contractual AI tools for work‑related data. Note that consumer AI providers often use collected usage data to develop their models without restrictions. |
Processing on University Workstations, Network Drives, USB Drives, or Other Devices
| Environment | Open (5W) | Internal (4G) | Confidential (3Y) | Confidential restricted (2A) | Secret (1R) | Restrictions and notes |
|---|---|---|---|---|---|---|
| University‑managed staff workstation (More info: Personal storage) | Allowed | Allowed | Allowed | Allowed | Allowed encrypted with restrictions | Staff laptops are encrypted. Encryption: protect data using encryption or use the “Restricted access” subclass for 1R data, which encrypts the file automatically in M365. With restrictions: keep data on the workstation for as short a time as possible and transfer it to the intended service promptly. |
| University network drive – personal K drive (More info: Personal storage) | Allowed | Allowed | Allowed | Allowed | Allowed if encrypted | Encryption: protect data using encryption or use the “Restricted access” subclass for 1R data, which encrypts the file automatically in M365. |
| University network drive – shared S and Y drives (More info: Shared storage) | Allowed | Allowed | Allowed | Allowed | Allowed if encrypted | Ensure access rights are limited appropriately. Encryption: protect data using encryption or use the “Restricted access” subclass for 1R data, which encrypts the file automatically in M365. |
| USB flash drive or external USB disk (More info: Personal storage) | Allowed | Allowed if encrypted | Allowed if encrypted | Allowed if encrypted | Allowed if encrypted | Encryption: Use encrypted media and/or file encryption or use the “Restricted access” subclass for 1R data, which encrypts the file automatically in M365. |
| University mobile phone or mobile device | Allowed | Allowed | Allowed | Not allowed | Not allowed | Ensure access rights are limited appropriately. |
| Home computer or other device not managed by ICT | Allowed | Not allowed | Not allowed | Not allowed | Not allowed | Process work‑related data only on employer‑provided and managed devices. |
Sending Information by Email and Other Methods
| Environment | Open (5W) | Internal (4G) | Confidential (3Y) | Confidential restricted (2A) | Secret (1R) | Restrictions and notes |
|---|---|---|---|---|---|---|
| Remote access | Allowed | Allowed | Allowed with restrictions | Allowed with restrictions | Allowed with restrictions | With restrictions: Use secure printing (the default method when printing documents) or a personal printer. Note that a paper printout is also an information asset! |
Remote Access to Information Assets
| Environment | Open (5W) | Internal (4G) | Confidential (3Y) | Confidential restricted (2A) | Secret (1R) | Restrictions and notes |
|---|---|---|---|---|---|---|
| Remote access | Allowed | Allowed with restrictions | Allowed with restrictions | Allowed with restrictions | Allowed with restrictions | With restrictions: Use only a university computer and a university‑provided secure connection (see Secure connection). |