Adato can now be used again – “Many measures have been taken”
NEWS
A risk and vulnerability analysis has been carried out, procedures for data deletion and archiving have been reviewed, and the supplier has implemented several measures to increase security. Adato will be reopened for use on 12 November.
"Both the supplier and our own departments have worked hard to secure the university's personal data management," says Per Ragnarsson, Assistant University Director and Chair of the University's Crisis Management Council.
The Adato system support, used in the employee rehabilitation process, has been shut down at Umeå University since the cyberattack against the supplier Miljödata on 23 August.
"We did not want to open up the system before analyses had been carried out and measures taken to ensure that the system is secure. But it is clear that we need system support for the rehabilitation process. It feels good to be able to reopen the system again, as this has been requested by our users," says Per Ragnarsson.
The university's agreement with Miljödata sets high standards for security and the handling of personal data. In the wake of the cyber attack, Miljödata has reviewed these standards and taken further measures to secure the system against attacks. The IT Office (ITS) at Umeå University has reviewed the measures and given them its approval.
"Miljödata has implemented new work routines and monitoring systems, among other things, and taken a number of technical measures to increase security. We believe they have done a thorough job following the cyber attack," says Emilio Perez Iznaga, IT manager at ITS.
Measures taken by the University
Furthermore, the Human Resources Office has conducted a risk and vulnerability analysis of the system. The University has also taken its own measures regarding personal data management.
“In light of the cyberattack, we have recognised the need to review our procedures for archiving and deleting personal data and other documentation in Adato. We have now done so,” says Per Ragnarsson.
All personal data relating to former employees where there are no rehabilitation cases will be deleted from Adato. A procedure is being introduced whereby personal data relating to employees who have left their employment at the university will be removed from the system, provided that there is no ongoing rehabilitation case. According to the university's document management plan, all documentation relating to a rehabilitation case must be retained. This documentation is currently stored in Adato.
“We are now investigating the possibility of archiving these cases internally,” says Per Ragnarsson.
All these measures combined mean that the university now considers it safe enough to start using the system again. It will be available again on 12 November.
Minimise the number of tasks
ITS is also investigating what personal data must be stored in Adato. One request is to only transfer the information needed for managers and HR to be able to carry out preventive and remedial rehabilitation work.
“Our goal is to minimise the amount of personal data in the system in order to increase the safety and security of our employees,” says Per Ragnarsson.
Employees or former employees with questions regarding Adato or the university's handling of the matter can contact the Human Resources Office by emailing: ah.adm@umu.se.
