Log management systems' privacy statement

Articles 13 and 14 of the EU General Data Protection Regulation

Data Protection Act (1050/2018)

Combined Data Subject Information Document (EU Data Protection Regulation 2016/679, Articles 13 and 14)

1. Controller

Seinäjoki University of Applied Sciences, SeAMK Library
Kampusranta 11, Frami F
FI-60320 Seinäjoki, Finland
+358 20 124 3000
seamk(at)seamk.fi

2. Controller’s representative

Asmo Myllyaho, Head of Property and Information Management, Seinäjoki University of Applied Sciences,
tel. +358 40 830 4262
asmo.myllyaho(at)seamk.fi

2a. Official responsible for the personal data file

Jarkko Välimäki, Planning Officer, Seinäjoki University of Applied Sciences
jarkko.valimaki(at)seamk.fi

Veli-Matti Mäkelä, Planning Official, Information Management, Seinäjoki University of Applied Sciences
tel. +358 40 830 3990
veli-matti.makela(at)seamk.fi

2b. Contact persons in matters relating to the data file

Jarkko Välimäki, Planning Officer, Seinäjoki University of Applied Sciences
jarkko.valimaki(at)seamk.fi

2c. Contact details of the Data Protection Officer

Jarmo Jaskari, Data Protection Officer, Seinäjoki University of Applied Sciences
tel. +358 40 868 0680
Tietosuojavastaava(at)seamk.fi

3. Name of the data file

Log management systems’ privacy statement

4. Purpose of processing personal data/data file use

A log is a record of the occurrence of an event at a particular moment in time. A log exists for a predefined purpose and for a predefined period of time. Logs and their processing are needed in both exceptional and normal situations. In normal situations, logs are needed to monitor the continuity of operations and for practical statistics. In abnormal situations, logs are needed to normalise the situation and to identify the parties involved, the extent of the impact and the causes of the events.

The information provided by the logs helps to ensure the legal security of system administrators and users, to optimise system and network operation and to identify security and other anomalies.
The content of the logs is defined in the system-specific log card and may contain personal data, such as a person’s name or login ID.

5. Purpose of maintaining the data file

The processing of personal data is based on the public interest and the exercise of public authority and is a statutory task of public administrations.

According to Section 17 of the Data Management Act, a public authority must ensure that the necessary log data are collected on the use of its information systems and the disclosure of data from them, if the use of the information system requires identification or other log-in. The purpose of log data is to monitor the use and disclosure of data contained in information systems and to detect technical errors in information systems. Log data may be used for incident and security breach investigations.

5a. Data content of the file

The categories of personal data processed are staff, students and other stakeholders using Seinäjoki University of Applied Sciences IT services.

Log data processed.
The log data produced are system-specific. Log data can be divided into the following categories:

  • error and warning logs
  • communication log
  • security log
  • system log
  • access control log
  • access and change log
  • transaction log
  • maintenance log

The log files store some identifying information (e.g. username, email address, IP address, MAC address) and personal data in connection with the use of the following services:

  • communication services
  • access control to applications and online services
  • network access control and connections
  • operating system and application logs

The retention periods for log data are as follows:

  • The retention period for logs of systems and services containing personal and financial data is 60 months (5 years) – this also applies to logs of logins and access to these systems.
  • The retention period for logs of other systems and services is 24 months (2 years).
  • However, the retention period for error and warning logs is 6 months.

Legislation, the information contained in the systems, customer and government requirements, and any contracts may affect the retention periods of log data.

5b. Information systems using the data file

  • SIEM system
  • Financial management system
  • Human resources management system
  • Student management system

6. Regular sources of data

The sources of log data are various IT systems: communication devices, servers, workstations, information systems, databases, applications. These systems generate log data when they are used. The data is collected automatically and there is no obligation for the data subject to provide personal data.

7. Regular disclosure of data

As a rule, personal data is not disclosed to third parties. However, in the event of a security breach or in the context of a criminal investigation, there may be a right to disclose data to the police or other authorities.

8. Transfer of data outside the EU or the EEA

No data stored in the file is transferred outside the EU or the EEA.

9. Principles of data file protection

A.      Manual material

No manual material is kept in this data file.

B.      Computer-processed data

Data maintenance is protected by means of an AD user ID and password. The data entered in the system is accessible only to a specific group of users who have been granted access rights. The database is protected by means of server user IDs and passwords.