Processing of personal data, Pupil register for Finnish-language basic education

Date of publication: 25th of April 2023

1. Data controller

City of Espoo

2. Person responsible for the register

Director of Basic Education  

3. Contact person of the register

Principals/school directors are responsible for tasks related to the register as regards the schools that they manage. The data subject can contact a principal/school director to receive more detailed information about the register or their own rights.

4. Data Protection Officer

tietosuoja@espoo.fi

5. For what purpose will personal data be processed?

• Organisation of teaching and taking care of tasks that arise from the education provider’s relationship with the pupil. 

• The register is used for compiling statistics for the City of Espoo. When statistics are compiled, the data are processed anonymously. 

• Disclosure of statutory pupil numbers of schools for Government data collection purposes. 

The Finnish Education Unit uses the following city-level systems and electronic environments in which pupils’ and potentially guardians’ personal data are processed:  

• school administration system Primus and Kurre (includes Wilma, which is the browser-based user interface of Primus and Kurre)  
• work environment Google Workspace for Education  
• work environment Microsoft O365 (includes OneDrive, Teams, amongst others) 
• school library system Axiell Aurora
• digital learning materials Edustore 
• digital assessment tool Lukuseula
• mobile device management Apple School Manager/Lightspeed. 

The purposes for which personal data related to the organisation of teaching is processed in the aforementioned systems and environments are specified in greater detail below. 

Personal data may also be processed in school-specific applications used in teaching. The data subject can contact a principal/school director to receive more detailed information about the register or their own rights.  

For the purpose of organising basic education, personal data may also need to be processed outside of the aforementioned systems/environments, e.g. to support assessments conducted by teachers, prepare school transportation decisions, organise school lunch (special diets), manage swimming lessons at swimming pools (name lists), organise school trips or camps, produce surveys, and to perform duties laid down in the Act on Compulsory Education.

Personal data stored in the register may also be processed when it is necessary for the purposes of testing the information systems, for example when the education provider introduces a new information system.

The data contained in the basic education pupil register is partly confidential.

The data is confidential in accordance with section 24 of the Act on the Openness of Government Activities and section 40 of the Basic Education Act.

Primus, Kurre and Wilma  

Primus and Kurre 

• Organisation of basic education and monitoring the completion of compulsory schooling (Sections 4 and 26 of the Basic Education Act). 
• Taking care of tasks that arise from the education provider’s relationship with the pupil. 
• Performance of duties laid down in the Act on Compulsory Education. 
• Provision of three-tier support in accordance with Sections 16–17a of the Basic Education Act (pedagogic documents).
• The ‘Hearing of the guardian and pupil’ online form related to special support and the electronic signature.
• Organisation of school transportation. 
• Creation of a user identity for the study environment’s electronic services (Microsoft O365, Google Workspace for Education). 
• Provision of a mobile device management service (AppleID/Lightspeed). 
• Administration of user accounts for the Wilma user interface. 
• School-specific statutory pupil number data are disclosed for Government data collection purposes based on data in Primus. (Act on the Financing of Educational and Cultural Provision, Act on Central Government Transfers to Local Government for Basic Public Services). 
• Data in Primus is used to compile statistics for the City of Espoo. When statistics are compiled, the personal data are processed anonymously. 
• Pupils’ subject and course selection data are stored in Kurre’s work plan software for the purpose of preparing work plans 

Wilma (browser-based interface of the Primus and Kurre school administration system)  

Wilma can be used to carry out:  

• absence recording  
• pupil assessment  
• registration of new pupils  
• course selection and course registration  
• cooperation between schools and homes  
• communications (communication with and notifications to guardians and guardians’ messages to schools)  
• surveys and their feedback  
• notices concerning pupils relating to their school performance (steering/corrective feedback, follow-up feedback, positive feedback)  
• secondary school selections and related information
• communication of decisions related the school place, if the pupil’s guardian has provided their consent for this. 

Microsoft O365 

• organisation of basic education (O365 includes electronic tools and user-produced content) 
• management of O365 access rights 
• enabling of interaction between users within their own groups 
• use of e-mail services. 

Google Workspace for Education

• organisation of basic education (Google Workspace includes electronic tools and user-produced content) 
• management of Workspace access rights 
• enabling of interaction between users within their own groups 
• management of devices connected to the service and the software and applications used on them (e.g. Chrome, Classroom and Drive). 

School library system Axiell Aurora

• Implementation of library activities supporting basic education (section 47 of the Basic Education Act)
• The system has three components: the library system, the self-service user interface and the online library. The pupil data is in the library system, and the self-service user interface and the online library Axiell Arena make use of the pupil data entered into the system.

Digital learning materials Edustore

The procurement channel Edustore for the procurement of digital and printed learning materials and related supporting materials and supplies.

Digital assessment tool Lukuseula

Lukuseula is a group-based digital assessment tool that is used for assessing the reading, writing and mathematical skills of pupils in grades 1–9 and for identifying learning difficulties.

Mobile device management (Apple School Manager/Lightspeed) 

The mobile device management service is used for the data-secure management of the mobile devices used in schools, to improve the privacy of users of shared tablets in particular with the help of Apple ID. Administered Apple ID accounts are created and shared by the educational institution. Since the educational institution retains administration rights, Apple ID provides pupils with controlled access to iCloud, iTunes U. This makes it possible to ensure that pupils use the devices they obtain from the school only for learning purposes, for example. Since the administered Apple IDs are created and shared by the educational institution, passwords can be easily reset, accounts can be reviewed and the roles of everyone associated with the school can be defined by an administrator, if necessary. Administrators’ actions are logged. 

The mobile device management service consists of two components:  

1) a management solution (Apple School Manager), and  

2) a remote management environment (Lightspeed).  

The remote management environment creates the correct school and group structure for the management solution. The management solutions can be used not only to create accounts, but also to purchase content, define the automatic registration of devices in the remote management environment and to prepare iTunes U courses, for example. 

6. On what grounds will personal data be processed?

Article 6, paragraph 1, point c of the EU’s General Data Protection Regulation: processing is necessary for compliance with a legal obligation to which the controller is subject, i.e. for the purpose of organising basic education in accordance with the Basic Education Act.

Special categories of personal data: According to section 6 of the Data Protection Act, Article 9(1) of the Data Protection Regulation does not apply to any processing of data that is provided by law or that derives directly from a statutory duty set out for the controller by law. Processing of special categories of personal data is derived from duties set out for an education provider by the Basic Education Act. 

7. What data will be processed?

Azure AD management and logs

• Privacy notice Azure AD management and log register (in Finnish)

Primus, Kurre and Wilma

• the pupil’s name, personal identity code, contact information and photograph
• the pupil’s AD account for the Wilma user interface and pupil network

• the pupil’s guardians’ name and contact information and Wilma user account
• information concerning the pupil’s role (comprehensives school pupil, home-school pupil; subject student; hospital teaching)
• information on selections concerning subjects and syllabuses
• the pupil’s assessment information
• decisions concerning the pupil
• the pupil’s school history
• the pupil’s immigration-related information
• the electronic signature of the ‘Hearing of the guardian and pupil’ online form related to special support, which requires processing of the guardians’ personal identity codes
• information related to school transportation
• information concerning the pupil’s absences
• information related to the reprimanding and disciplining of the pupil (disciplinary educational discussion, detention)
• other information related to teaching and the organisation of teaching

(e.g. Finnish as a second language teaching, special support; language programme; language immersion and bilingual teaching; religion and ethics subjects)

• the pupil’s participation in afternoon activities, the service provider and operating time (full-time/part time)
• pedagogic documents: pedagogic assessment, pedagogic report, learning plan, individual education plan (IEP), support measures.

Special categories of personal data processed include information on religious or philosophical conviction and possibly information related to health.

Microsoft O365

• the user’s name
• information related to schooling (grade, group, etc.)
• encrypted unique identifier
• e-mail address
• account name
• password
• information produced or added by the pupil themselves.

Content produced by the pupil and guardian themselves means pictures, texts, links, videos and audio files uploaded to the system.

The user can, for example, add their own description of themselves and their area of responsibility, their mobile phone number, location information, competence information, date of birth and other areas of interest to the service, to be viewed by everyone/limited users. The user can allow the utilisation of the information content that they produce and obtain information about their networking and closest friends.

Google Workspace for Education

• the pupil’s name
• user account
• school
• grade and groups
• encrypted unique identifier
• information produced or added by the user themselves.

An administrator can save information such organisations’ names, websites, phone numbers, addresses and account suspension in the service. In addition to this, Google collects information from end users, the entering of which is based on information entered by the user themselves, e.g.: phone number, a photograph of the user, date of birth, the user’s device-specific information, such as hardware model, operating system version, individual device identified and mobile network used, including mobile phone number. Google can connect the device identifier or phone number to a Google account.

School library system Axiell (Aurora)

• Identifiable data: Name, school, class, email address, user name, library card number, loan details, group's teacher, PIN code/password
• Pseudonymised data: Object ID that acts as a customer’s technical identifier but does not include, for example, a personal identity code or other identifying information.

Digital learning materials Edustore

• User name
• Name of school
• Class
• Encrypted unique identifier
• Email address

Digital assessment tool Lukuseula

The following data is stored in the service, but it cannot be linked to a specific person without additional information (data pseudonymisation):

• the pupil’s gender and age
• pupils in grades 1–3 store a scale-based assessment of their reading, writing or mathematical skills in the service
• pupils in grades 4–9 store their latest grades in mother tongue, mathematics and English in the service
• the pupil’s results in tests carried out through the service  
• information on whether the pupil receives, for example, instruction in Finnish as a second language or remedial teaching related to reading may also be stored in the service.

Mobile device management

AppleID/Lightspeed

• Pupil

person_id,"person_number","first_name","middle_name", "last_name",

"grade_level","email_address","sis_username","password_policy",

"location_id"

The following variables are not currently used: middle_name, grade level

• Classes

course_id,"course_number","course_name","location_id"

• Groups

class_id,"class_number","course_id","instructor_id","instructor_id_2",

"instructor_id_3","location_id"

In practice, all ID information is running alphanumeric series.

Personal data processed outside of the systems and electronic environments

These personal data may include, for example, the pupil’s identifying and contact information, information related to assessment and information related to health (relating to school transportation and school lunches, for example)

8. What are the sources of data?

• The basic information of pupils starting basic education is transferred to the Primus and Kurre school administration system from the Xcity population information system maintained by the City of Espoo. After this, pupils’ and their guardians’ basic information is updated into the Primus school administration system from XCity every two weeks. 

• Guardians supplement and update personal data using a pupil registration form or in Wilma. 

• The majority of the information saved in the register consists of information related to the pupil’s education, created in the organisation of education.

Changing schools 

• A pupil’s previous school may disclose to their new school public information necessary to the new school for arranging instruction for the pupil (Section 16(3) of the Act on the Openness of Government Activities).
• If the pupil has previously studied at another comprehensive school in the same municipality, the previous school may transfer information necessary for arranging instruction for the pupil to the new comprehensive school, even if said information is confidential (Section 40(2) of the Basic Education Act).
• Notwithstanding provisions on confidentiality, if a pupil under the age of 18 transfers to education or activities organised by another education provider in accordance with the Basic Education Act, the former education provider must without delay provide information necessary for arranging instruction for the pupil to the new education provider. The information may also be provided at the request of the new education provider (Section 40(4) of the Basic Education Act).

Pedagogic documents

Pedagogic documents are prepared with the help of the Wilma interface as part of multidisciplinary cooperation in accordance with the Basic Education Act. The person responsible for pedagogic documents is the class supervisor or class teacher. 

Electronic study environment services

Electronic study environment services are produced with the user identity of Visma’s Primus school administration system (name, encrypted unique identifier, school, class, grade, teaching groups, e-mail address, user name).

In Microsoft’s O365 service, user identity is administered by Microsoft’s Azure Ad, which is the City’s centralised user authorisation management and log register, Microsoft AD and Azure AD.

In mobile device management, a user identity is imported into the management solution (Apple School Manager), e.g. for the creation of an AppleID. The remote management environment Lightspeed synchronises user identities (user information, class information and teachers) from the management solution to create the correct school and group structure for it.

‘Hearing of the guardian and pupil’ online form related to special support

In the processing of the ‘Hearing of the guardian and pupil’ online form related to special support, the guardians’ personal identity codes are obtained through strong electronic identification (suomi.fi).

9. Will data be disclosed or transferred outside the city?

Koski

• The national centralised integration service for study rights and study records (KOSKI) collects students’ study records and study rights in a single service. The information is collected directly from the pupil register. (Act on the National Registers of Education Records, Qualifications and Degrees 884/2017)

Changing schools or transferring to a general upper secondary school or vocational education and training

• If the pupil transfers to another comprehensive school, the school may transfer public information necessary for arranging instruction for the pupil to the new school (Section 16(3) of the Act on the Openness of Government Activities).
• If the pupil transfers to another comprehensive school within the same municipality, confidential information may be transferred to the new school if it is necessary for the appropriate arrangement of instruction for the pupil (Section 40(2) of the Basic Education Act).
• Notwithstanding provisions on confidentiality, if a pupil under the age of 18 transfers to education, activities or training organised by another education provider in accordance with the Basic Education Act, the Act on General Upper Secondary Education, the Act on Vocational Education and Training or the Act on Vocational Adult Education and Training, the former education provider must without delay forward information necessary for arranging instruction or training for the pupil to the new education provider.
•  The information may also be provided at the request of the new education provider (Section 40(4) of the Basic Education Act).

Outreach youth work

• An education provider may disclose the identifying information and contact details of a young person who has completed their basic education but who is not pursuing any studies beyond the completed basic education to the young person’s municipality of residence for outreach youth work purposes (Youth Act, section 11, subsection 2, paragraph 1 and subsection 4, paragraph 1).

Pupil welfare services

• The Western Uusimaa Wellbeing Services County’s school social workers and psychologists as well as school nurses have, on the basis of section 23 of the Act on Information Management in Public Administration, limited access (viewing access) to the pupil’s necessary information (name, personal identity code, contact information and guardians’ names and contact information). With the consent of the person in question, limited access (viewing access) may apply to the pupil’s absence information and lesson notes.
• The education provider may disclose the pupil’s necessary information in situations provided for by law, for example when the pupil’s situation is addressed through multi-professional cooperation with pupil welfare professionals (Basic Education Act, sections 16a and 17).

Transfer of data to service providers

• The service providers used in the organisation of education (such as the providers of electronic environments) process students’ personal data to the extent necessary for the provision of the service. The City of Espoo is always the controller of the data.

Microsoft’s subcontractors

• List of subcontractors used by Microsoft: https://go.microsoft.com/fwlink/p/?linkid=2096306(external link, opens in a new window)

Google’s subcontractors

• List of subcontractors used by Google Workspace: https://gsuite.google.com/intl/en/terms/subprocessors.html(external link, opens in a new window)

Transfer of data to other systems

• transfer of pupils’ address information to the Reitti-GIS geographic information application for the purpose of processing pupil placement and school transportation
• transfer of pupils’ data to the Finnish National Agency for Education’s Studyinfo
• data specified in the Statistics Act to Statistics Finland.
• use of the survey tool (Webropol).

Based on the specific written consent of the data subject/underage pupil’s guardian, data may also be transferred to other parties. Data may be disclosed if there is a specific provision on such access or on the right of such access in an Act. (Section 26 of the Act on the Openness of Government Activities).

The disclosure of public information from a personal data filing system controlled by an authority is based on Section 16(3) of the Act on the Openness of Government Activities. According to this provision, the party requesting access must have the right to record and use such data. Personal data may only be disclosed on the basis of a sufficiently detailed request for access. (Section 13(2) of the Act on the Openness of Government Activities)

Pedagogic documents

• The documents contain confidential information.

• If the pupil transfers to another comprehensive school within the same municipality, confidential information may only be transferred to the new school if it is necessary for the appropriate arrangement of instruction for the pupil (Section 40(2) of the Basic Education Act).
• Notwithstanding provisions on confidentiality, if a pupil under the age of 18 transfers to education, activities or training organised by another education provider in accordance with the Basic Education Act, the Act on General Upper Secondary Education, the Act on Vocational Education and Training or the Act on Vocational Adult Education and Training, the former education provider must without delay forward information necessary for arranging instruction or training for the pupil to the new education provider.

 The information may also be provided at the request of the new education provider (Section 40(4) of the Basic Education Act).

• Those participating in pupil welfare work have the right to obtain from one another and disclose to one another and to the pupil's teacher, principal and the authority responsible for education operations under the Basic Education Act information necessary for the appropriate arrangement of instruction for the pupil (Section 40(2) of the Basic Education Act).

Based on Section 21 of the Basic Education Act, personal data may be disclosed for the purpose of organising external education evaluation (such as a PISA or TIMSS survey or an evaluation by the Finnish Education Evaluation Centre). The personal data disclosed for this purpose include only the data necessary for organising the evaluation. Individual pupils are not evaluated.

10. Will data be transferred outside the EU/EEA?

Primus, Kurre and Wilma

• Data are not transferred outside the EU or the EEA.

Library system Axiell Aurora

Data is not transferred outside the EU or the EEA.

Digital learning materials Edustore

Data is not transferred outside the EU or the EEA.

Digital assessment tool Lukuseula

Data is not transferred outside the EU or the EEA.

Electronic study environment services

• Microsoft O365

Personal data is transferred outside the European Union or the European Economic Area (Microsoft Online).

Basis for transfer:

The terms of Microsoft Online services, including standard contractual clauses approved by the European Commission (Attachment 1), are available on Microsoft’s website:

Microsoft Services and Data Protection Addendum DPA Sept.2021(external link, opens in a new window)

https://www.microsoft.com/licensing/docs/view/Professional-Services-Data-Protection-Addendum-DPA(external link, opens in a new window)

• Google Workspace for Education

Personal data are transferred outside the EU or the EEA.

Basis for transfer:

Standard contractual clauses approved by the European Commission:

https://gsuite.google.com/terms/mcc_terms.html(external link, opens in a new window) and Google’s amendment:

https://gsuite.google.com/terms/dpa_terms.html(external link, opens in a new window).

• Mobile device management

Apple School Manager

Personal data are transferred outside the EU or the EEA.

Basis for transfer:

The terms of Apple’s services, including standard contractual clauses approved by the European Commission, are available on Apple’s website.

https://www.apple.com/legal/education/data-transfer-agreements/datatransfer-eu-en.pdf(external link, opens in a new window)

Lightspeed

Personal data are transferred outside the EU or the EEA.

Basis for transfer:

Lightspeed’s privacy policy: section 6) European Union Data Protection: https://www.lightspeedsystems.com/privacy(external link, opens in a new window)

11. How long will data be stored?

Data are stored and destroyed in line with the records management plan of the Finnish Education Unit. Personal data are stored in the pupil register for one (1) year from the end of the use of the service. Statutory obligations regarding the storage of data are taken into account in the deletion of the data. The information and documents in electronic environments are stored in archived in the online services in accordance with the Finnish Education Unit’s records management plan for one year after the end of compulsory education.

12. How will data be protected?

Personal data are processed in a manner that ensures appropriate security of the personal data (Article 5, paragraph 1, point f of the GDPR). The processing of personal data is regulated by the principles of purpose limitation, necessity and accuracy, amongst others.

Each employee can only process the data they need to conduct their work.

The protection of confidential and sensitive data are given particular consideration in the likes of the descriptions of work processes and the granting of access rights. Provisions on the confidentiality of data are laid down in Section 40 of the Basic Education Act and Section 24 of the Act on the Openness of Government Activities.

Electronic maintenance systems:

The Primus and Kurre school administration system can only be accessed through the administration network. The administration network is a protected internal domain that is only accessible to employees of the City of Espoo. All users of the network accept an access rights commitment, which includes a non-disclosure commitment, amongst other provisions. The server hardware is located in a protected, supervised space in the service provider’s data centre. Electronically processed data are transmitted encrypted on the open Internet. The data in the register are backed up automatically at regular intervals.

Personal data are protected with access rights determined based on the duties of school and unit employees. Access rights are restricted in accordance with duties and are based on user roles, which have access to duty-specific screens and functions. Read, write, save and delete rights are defined separately for each access rights group.

Manual materials:

Manual materials are stored in locked work premises and locked cabinets.

13. Rights of the data subject

Further instructions on submitting information requests referred to in the General Data Protection Regulation: Data_protection/Client_rights

You have the right to obtain from the controller a copy of the personal data that is subject to processing. The controller shall provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

You have the right to have inaccurate, incomplete, outdated or unnecessary personal data that we store either rectified or completed by us.

You have the right to have the controller erase your personal data without undue delay under certain conditions. The data subject does not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In these cases, the data will only be erased after the statutory time limit.

13.4. When can I request restriction of processing of my data?

If the data concerning you is inaccurate, you have the right to request that its processing be restricted until its accuracy has been verified.

You have the right to lodge a complaint with a supervisory authority if you feel that the processing of your personal data is in infringement of data protection legislation. You can lodge a complaint with the Office of the Data Protection Ombudsman: https://tietosuoja.fi/en/data-protection(external link, opens in a new window)