
Introducing a New AI Service at the University of Oulu



This page describes how a new AI service will be assessed before it can be introduced at the University of Oulu. The guidance applies when considering the use of an AI service other than one already provided or approved by the university in teaching, research, or work. The aim of the assessment is to ensure that data protection, information security, contracts, governance, technical implementation, and possible risks are considered before adoption. The processing of personal data at the University of Oulu is guided by the university’s data privacy pages, and ICT Services support the technical assessment of the implementation.

This guidance is intended especially for units proposing a service, ICT Services, experts preparing the implementation, and those responsible for research environments.

Key instructions in brief

  1. Check whether the service has already been assessed
  2. Describe the purpose of use, the users, and the data to be processed
  3. Carry out a preliminary data protection assessment if needed
  4. Contact ICT Services before introducing a new service
  5. Do not start using the service before the assessment is completed and the service is approved

When is an assessment of a new AI service needed?

This guidance applies when a new AI service is being considered within the organization and the service has not yet been approved for university use. You can check the list of AI tools assessed by ICT Services to see which services have already been assessed and under what conditions they may be used.

This guidance applies when:

  • the service processes university data
  • the service processes personal data, research data, or other confidential material
  • the service includes agent features or automated functions
  • the service is cloud-based or runs locally on an endpoint device
  • the service is planned for a trial, pilot, or broader deployment

Step 1: Tool overview and intended use

The assessment begins by describing the basic information about the service and its intended use. This stage defines what the tool is, what it is intended to be used for, who would use it, what benefits are expected, and whether it is a pilot, a limited trial, or a broader deployment.

  • What problem does the tool solve?
  • Does the university already have a similar approved service?
  • Is the use continuous or temporary?

Step 2: Tool classification

Next, the tool is classified based on its purpose of use, operating environment, and the risk level of the data. The classification determines how extensive the assessment and approval process must be before adoption.

| Perspective | Examples |
|---|---|
| Purpose of use | Content-generation tool, agent-based tool, analysis or assistance tool |
| Operating environment | SaaS service, on-prem service, service running on an endpoint device |
| Data risk level | Public or low-risk data, internal work data, personal data, research data, confidential or otherwise highly protected data |

Step 3: What must be clarified before deployment

After classification, the essential requirements and preconditions for deployment are clarified:

  • Data protection: Are personal data processed, what categories of personal data are involved, what is the purpose of processing, and is a preliminary data protection assessment or DPIA needed? The principles for processing personal data and the rights of data subjects at the University of Oulu are described on the university’s data privacy pages.
  • Information security: Where is the data located, is data transferred outside the EU/EEA, how is access management implemented, what integrations does the service use, and can it read files, emails, or other systems?
  • Contracts and data governance: Is the submitted data used to train the model, what terms of use apply to the service, is there an existing contract for the service, and who is responsible for the service and its governance?
  • Technical implementation: In what environment does the service run, who manages the environment, does deployment require integrations or additional permissions, and can the solution be isolated or restricted?
  • Licensing and procurement: Is the service paid, does procurement fall under the university’s process, and who can make the purchase? When acquiring licenses, the university’s procurement and approval processes must be followed; more detailed instructions can be found at https://oulu.ims.fi/. Units may not independently purchase service licenses without prior assessment by ICT Services.

Step 4: What risks are assessed during deployment

The risk assessment examines the key risks related to deployment and the need for risk management. The more independently the tool operates, the more confidential data it processes, or the more it uses external services, the more advance assessments and control measures are required before deployment.

  • Data protection risks: personal data or sensitive information ending up in the wrong service
  • Information security risks: overly broad access rights, weak access management, integration risks
  • Contract and governance risks: unclear terms of use, use of data for model training, missing contract
  • Operational risks: incorrect content, hallucinations, inappropriate use in decision support
  • Specific risks of agent tools: automated actions, file reading, API calls, expanding permissions
  • Environment risks: differences between a SaaS service, an on-prem solution, and an endpoint or research device

Step 5: Decision on the deployment path

Based on the assessment, the deployment path is chosen: light, standard, or extensive. The path determines how broad the assessment, approval, and follow-up need to be.

Light assessment

Suitable for limited use in a controlled environment when no personal data is processed and there are no agent features.

  • one dataset or one use case
  • no personal data
  • no agent features
  • limited use and low risks

The outcome may be a light assessment, a limited pilot, and monitoring. The assessment can later be expanded if needed.

Basic assessment

Suitable for situations where there are more users, internal work data are involved, and the service operates in a SaaS environment.

  • broader user group
  • internal work data
  • basic data protection and information security assessments are needed

The outcome may be a standard assessment, assessment by ICT Services, and contract and licensing clarifications. If needed, a DPIA can also be carried out, and the intended use can be restricted.

Extensive assessment

This is required when the service processes personal data or other protected data, operates in an agent-based manner, includes integrations, or is intended for broad and permanent use.

  • personal data or other protected data
  • agent-based operation
  • integrations with other systems
  • broad or permanent use

The outcome may be a broader data protection and information security assessment, a DPIA if needed, and more detailed approvals, restrictions, and monitoring.

Examples of tool assessments

Example 1: Agent-based SaaS tool

A service that operates in an external cloud service in an agent-based manner and can read files or call interfaces usually requires an extensive assessment.

Example 2: On-prem service in a controlled environment

A service that runs in a controlled on-prem environment and whose use is limited may require a light or standard assessment depending on the use case.

Example 3: Local tool running on a research device

A service used locally on a research device without personal data or agent features may require a light assessment.

Example 4: AI solution processing personal data

A service that processes personal data or supports decision-making generally requires an extensive assessment and may also require a DPIA.


Roles and responsibilities

  • The unit proposing the service describes the intended use, the need, and the planned way of using the service.
  • ICT Services assess technical suitability, governance, and the feasibility of implementation.
  • The Data Protection Officer assesses needs related to the processing of personal data. The University of Oulu’s Data Protection Officer can be reached at dpo@oulu.fi.
  • Procurement and administration participate in licensing and contract matters as needed.

What information is needed for the assessment

  1. tool name
  2. supplier
  3. purpose of use
  4. user group
  5. operating environment
  6. type of data to be processed
  7. information about agent features
  8. possible integrations
  9. information on whether this is a pilot or production use

How to move the matter forward

  • When you are considering introducing a new AI service, first complete the preliminary data protection assessment form together with your unit’s data protection support contact (Data Protection Stewards (Patio)).
  • If needed, the Data Protection Officer can be reached at dpo@oulu.fi.
  • After the preliminary assessment, contact ICT Services at ict@oulu.fi. Include the information required for the assessment.
  • A new or unapproved solution must not be introduced before the required assessment has been completed.
  • If deployment requires a license, this must be clarified as part of the assessment, and the service must not be purchased directly by the unit as its own solution without prior assessment by ICT Services.
