Safety and Security Camera Acceptable Use Policy

The University at Buffalo (UB, university) is committed to enhancing the quality of life of the campus community by integrating the best practices of safety and security with technology. A critical component of a comprehensive security plan is utilizing a security and safety camera system. Surveillance of public areas deters crime and assists in protecting the safety and property of the UB community.

The university uses security cameras and a single centralized video management system to enhance campus safety and physical facility security while respecting and preserving individual privacy. All security cameras placed on university property must be installed and operated in accordance with the Safety and Security Camera Procedures. Unapproved or nonconforming devices will be removed.

Information obtained from security cameras is considered university property and will be used for safety and security purposes and for law and university policy enforcement, including where appropriate, student, faculty, and staff judicial functions. Information obtained from security cameras is considered Category 2 - Private Data and must be handled with an appropriate level of security to protect against unauthorized access, alteration, or disclosure in accordance with the Protection of University Data Policy.

All appropriate measures must be taken to protect an individual’s right to privacy and secure university information through its creation, storage, transmission, use, and deletion.

Security cameras may be installed to enhance the security and safety of people or property. Cameras are limited to uses that do not violate the reasonable expectation of privacy as defined by law. Where appropriate, cameras may be placed campus-wide, inside and outside buildings. All camera installations are subject to federal and state laws.

Security cameras will not be installed with the intent to conduct personnel investigations, such as those related but not limited to work place attendance, work quality, or academic conduct. However, the university may utilize security camera recordings captured during routine surveillance or upon reasonable cause for suspicion that particular employees or students are violating university policy or state or federal laws, or in a civil suit or other proceeding involving person(s) whose activities are shown on the recording and relate to the proceeding. Information obtained in violation of this policy may not be used in a disciplinary proceeding against a university student or employee.

Although the physical cameras may be identical, the security functions of these cameras fall into three main categories:

• Property Protection - The intent is to capture video and store it on a centralized video management system (VMS) so that if property is reported stolen or damaged, the video may show the perpetrator (e.g., unstaffed computer or science lab, parking lot)
• Personal Safety - The intent is to capture video and store it on a centralized VMS so that if a person is assaulted, the video may show the perpetrator (e.g., public lounge, walkway, parking lot)
• Extended Responsibility - The intent is to have the live video stream in one area monitored by a staff member in close proximity and to store the video on a centralized VMS (e.g., food service area or testing center with multiple rooms or stations and limited staff members acting as a manager or proctor)

The locations where security cameras are installed may be restricted access sites (e.g., departmental computer lab); however, these locations are not places where a person has a reasonable expectation of privacy. Cameras will be located to maximize personal privacy and audio will not be recorded.

Security camera positions and views of residential housing will be limited. The view of a residential housing facility must not violate the standard of a reasonable expectation of privacy.

Monitoring by security cameras is prohibited in the following locations:

• Student living spaces in university residence halls and apartments
• Bathrooms
• Locker rooms

All video camera installations must be visible. The installation of “dummy” or placebo cameras that do not operate is prohibited.

All university security camera recording or monitoring of activities of individuals or groups will be conducted in a manner that is:

• Consistent with university policies and state and federal laws
• Professional, ethical, and legal
  • Personnel with access to university security cameras must be trained in the effective, legal, and ethical use of monitoring equipment
• Not based on the subjects’ personal characteristics including age, color, disability, gender, national origin, race, religion, sexual orientation, or other protected characteristics

University security cameras are not monitored continuously under normal operating conditions but may be monitored for legitimate safety and security purposes that include, but are not limited to the following: high risk areas, restricted access areas or locations, in response to an alarm, special events, and specific investigations authorized by the Chief of Police or designee.

For property protection, personal safety, and extended responsibility security cameras, access to live video or recorded video is limited to authorized personnel of the department which installed the cameras, University Police, and other persons authorized by the Chief of Police or designee.

Exporting, copying, duplicating, or retransmission of live or recorded video is limited to persons within University Police as authorized by the Chief of Police.

A record log will be maintained by the Vice President and Chief Information Officer (CIO) of all instances of access to, and use of, recorded material. Data will be kept for one year.

Nothing in this section is intended to limit the authority of University Police in law enforcement activities.

Security cameras must be purchased with State funds. Research Foundation and UB Foundation funds may not be used to purchase security cameras.

Video management system users are prohibited from using or disseminating information acquired from university security cameras, except for official purposes. All information or observations made in the use of security cameras is considered confidential and can only be used for official university and law enforcement purposes.

The university uses security cameras and a centralized video management system to:

• Enhance the safety of individuals and assets
• Support the university’s ability to prepare for and respond to emergencies
• Improve operational efficiency and effectiveness

Unless explicitly exempted, this policy applies to all personnel, departments, colleges, campus organizations, subsidiaries, tenants, and public/private partnerships with the university for the installation and use of security cameras and their video monitoring and recording systems on campus and in any university-owned or leased spaces.

This policy does not apply to:

• Security cameras used inside University Police headquarters and sub-stations
• Mobile or hidden video equipment used in criminal investigations conducted by University Police
• Covert video equipment used for non-criminal investigations of specific instances which may be a significant risk to public safety, security, and property as authorized by the Chief of Police or designee
  • The use of such cameras is subject to applicable state and federal laws as well as University Police internal policies and procedures
• Automated teller machines (ATMs), which may utilize cameras
• Cameras used for academic purposes
  • Cameras used for research are governed by policies involving human subjects
  • May not be used as a security camera or in another manner with the intent of circumventing this policy
• Webcams for general use by university personnel (e.g., webcams installed on individual workstations, laptops, tablets, or cellular telephones) used for legitimate business purposes (e.g., video conferences)
  • May not be used as a security camera or in another manner with the intent of circumventing this policy
• Use of video equipment to record public performances or events, sporting events, interviews, or other use for broadcast or educational purposes (e.g., videotaping athletic events for post-game review, videotaping concerts, plays, and lectures, or videotaped interviews)
  • May not be used as a security camera or in another manner with the intent of circumventing this policy

Category 1 – Restricted Data

Protection of the data is required by law or regulation. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.

Restricted data includes the definition of private information in the New York State (NYS) Security and Breach Notification Act as a foundation: bank account, credit card, and debit card numbers; social security numbers; state-issued driver license numbers; and state-issued non-driver identification numbers. To this list, university policy adds protected health information (PHI), computer passwords, other computer access protection data, and passport numbers.

Category 1 – Restricted Data are exempt from disclosure or release under the NYS Freedom of Information Law (FOIL). The NYS Information Security Breach and Notification Act requires the university to disclose any breach of the data to New York residents. (State entities must also notify non-residents; see the NYS Information Security Policy.)

Individuals who access, process, store, or in any other way handle Category 1 – Restricted Data must implement controls and security measures as required by relevant laws, regulations, and university policy. In instances where laws and/or regulations conflict with university policy, the more restrictive policy, law, or regulation governs.

Category 2 – Private Data

Includes university data not identified as Category 1 – Restricted Data, and data protected by state and federal regulations. This includes Family Educational Rights and Privacy Act (FERPA)-protected student records and electronic records that are specifically exempt from disclosure by the NYS FOIL.

Category 2 – Private Data must be protected to ensure that they are not disclosed in a FOIL request. Private data must be protected in order to ensure that they are only disclosed as required by law, including FOIL. Decisions about disclosure must be made by the Records Management Officer.

The National Institute Standards and Technology (NIST) Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations maps to the Category 2 – Private Data risk classification.

Reasonable Expectation of Privacy

The reasonable expectation of privacy is an element of privacy law that determines in which places and in which activities a person has a legal right to privacy. Sometimes referred to as the "right to be left alone," a person's reasonable expectation of privacy means that someone who unreasonably and seriously compromises another's interest in keeping their affairs from being known can be held liable for that exposure or intrusion.

Security Camera

A device that records images and which is used to detect or prevent crime.

Security Camera Oversight Committee (SCOC)

Operational committee established by the Vice President for Finance and Administration to oversee implementation of this policy. The SCOC is comprised of the following members:

• Chief of Police, chair of the SCOC
• Vice President and Chief Information Officer or designee
• Vice President for Student Life or designee
• Associate Vice President for Human Resources
• Associate Vice President for University Facilities

• Approve department and unit requests to purchase and install security cameras.
• Select, coordinate, operate, manage, and monitor all campus security cameras and video management systems.
• Oversee the installation, support, maintenance, replacement, and decommissioning of all approved security camera systems.
• Provide advice to departments on appropriate applications of surveillance technologies.
• Provide technical assistance to departments preparing proposals for the purchase and installation of security camera systems.
• Review proposals and recommendations for camera installations and specific camera locations to determine that the perimeter of view of fixed location cameras conforms to this policy.
• Assess new camera locations and conduct an evaluation of existing camera locations and incidents as necessary.
• Test cameras and coordinate maintenance.
• Review complaints regarding utilization of surveillance camera systems.
• Review requests to release records obtained through security camera surveillance.
  • Seek consultation and advice from university legal counsel and other departments, as appropriate, prior to the release of any records.
  • Direct Freedom of Information Law (FOIL) requests to the Records Management Officer.
• Monitor developments in the law, security industry practices, and technology so that camera surveillance is consistent with best practices and complies with federal and state laws.

• Request approval to install video surveillance equipment from their vice president, dean, or department head.

• Review and approve, as appropriate, requests:
  • To purchase and install security cameras within their area of responsibility
  • For user access to the VMS to monitor and review video from departmental cameras
  • To export and save video

• Manage and maintain the:
  • Single centralized VMS
  • Campus data network infrastructure over which the security cameras will communicate with the VMS log of all instances of access to, and use of, recorded material

• Complete training in the technical, legal, and ethical parameters of appropriate security camera use.
• Operate security cameras.
• Watch both live and recorded video surveillance footage.
• Report incidents or suspicious behavior.
• Contact authorities when necessary.

• Review and approve requested exceptions to this policy, as appropriate.
• Review appeals of decisions made by the Chief of Police regarding complaints of surveillance camera systems.