Date Established: 11/17/2020
Date Last Updated:
Administration and Governance
Vice President for Finance and Administration
This policy provides guidance on the installation of video surveillance equipment and the handling, viewing, retention, dissemination, and destruction of video surveillance records.
The University at Buffalo (UB, university) is committed to enhancing the quality of life of the campus community by integrating the best practices of safety and security with technology. A critical component of a comprehensive security plan is utilizing a security and safety camera system. Surveillance of public areas deters crime and assists in protecting the safety and property of the UB community.
The university uses security cameras and a single centralized video management system to enhance campus safety and physical facility security while respecting and preserving individual privacy. All security cameras placed on university property must be installed and operated in accordance with the Safety and Security Camera Procedures. Unapproved or nonconforming devices will be removed.
Information obtained from security cameras is considered university property and will be used for safety and security purposes and for law and university policy enforcement, including where appropriate, student, faculty, and staff judicial functions. Information obtained from security cameras is considered Category 2 - Private Data and must be handled with an appropriate level of security to protect against unauthorized access, alteration, or disclosure in accordance with the Protection of University Data Policy.
All appropriate measures must be taken to protect an individual’s right to privacy and secure university information through its creation, storage, transmission, use, and deletion.
Security cameras may be installed to enhance the security and safety of people or property. Cameras are limited to uses that do not violate the reasonable expectation of privacy as defined by law. Where appropriate, cameras may be placed campus-wide, inside and outside buildings. All camera installations are subject to federal and state laws.
Security cameras will not be installed with the intent to conduct personnel investigations, such as those related but not limited to work place attendance, work quality, or academic conduct. However, the university may utilize security camera recordings captured during routine surveillance or upon reasonable cause for suspicion that particular employees or students are violating university policy or state or federal laws, or in a civil suit or other proceeding involving person(s) whose activities are shown on the recording and relate to the proceeding. Information obtained in violation of this policy may not be used in a disciplinary proceeding against a university student or employee.
Although the physical cameras may be identical, the security functions of these cameras fall into three main categories:
The locations where security cameras are installed may be restricted access sites (e.g., departmental computer lab); however, these locations are not places where a person has a reasonable expectation of privacy. Cameras will be located to maximize personal privacy and audio will not be recorded.
Security camera positions and views of residential housing will be limited. The view of a residential housing facility must not violate the standard of a reasonable expectation of privacy.
Monitoring by security cameras is prohibited in the following locations:
All video camera installations must be visible. The installation of “dummy” or placebo cameras that do not operate is prohibited.
All university security camera recording or monitoring of activities of individuals or groups will be conducted in a manner that is:
University security cameras are not monitored continuously under normal operating conditions but may be monitored for legitimate safety and security purposes that include, but are not limited to the following: high risk areas, restricted access areas or locations, in response to an alarm, special events, and specific investigations authorized by the Chief of Police or designee.
For property protection, personal safety, and extended responsibility security cameras, access to live video or recorded video is limited to authorized personnel of the department which installed the cameras, University Police, and other persons authorized by the Chief of Police or designee.
Exporting, copying, duplicating, or retransmission of live or recorded video is limited to persons within University Police as authorized by the Chief of Police.
A record log will be maintained by the Vice President and Chief Information Officer (CIO) of all instances of access to, and use of, recorded material. Data will be kept for one year.
Nothing in this section is intended to limit the authority of University Police in law enforcement activities.
Security cameras must be purchased with State funds. Research Foundation and UB Foundation funds may not be used to purchase security cameras.
Video management system users are prohibited from using or disseminating information acquired from university security cameras, except for official purposes. All information or observations made in the use of security cameras is considered confidential and can only be used for official university and law enforcement purposes.
The university uses security cameras and a centralized video management system to:
Unless explicitly exempted, this policy applies to all personnel, departments, colleges, campus organizations, subsidiaries, tenants, and public/private partnerships with the university for the installation and use of security cameras and their video monitoring and recording systems on campus and in any university-owned or leased spaces.
This policy does not apply to:
Category 1 – Restricted Data
Protection of the data is required by law or regulation. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.
Restricted data includes the definition of private information in the New York State (NYS) Security and Breach Notification Act as a foundation: bank account, credit card, and debit card numbers; social security numbers; state-issued driver license numbers; and state-issued non-driver identification numbers. To this list, university policy adds protected health information (PHI), computer passwords, other computer access protection data, and passport numbers.
Category 1 – Restricted Data are exempt from disclosure or release under the NYS Freedom of Information Law (FOIL). The NYS Information Security Breach and Notification Act requires the university to disclose any breach of the data to New York residents. (State entities must also notify non-residents; see the NYS Information Security Policy.)
Individuals who access, process, store, or in any other way handle Category 1 – Restricted Data must implement controls and security measures as required by relevant laws, regulations, and university policy. In instances where laws and/or regulations conflict with university policy, the more restrictive policy, law, or regulation governs.
Category 2 – Private Data
Includes university data not identified as Category 1 – Restricted Data, and data protected by state and federal regulations. This includes Family Educational Rights and Privacy Act (FERPA)-protected student records and electronic records that are specifically exempt from disclosure by the NYS FOIL.
Category 2 – Private Data must be protected to ensure that they are not disclosed in a FOIL request. Private data must be protected in order to ensure that they are only disclosed as required by law, including FOIL. Decisions about disclosure must be made by the Records Management Officer.
The National Institute Standards and Technology (NIST) Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations maps to the Category 2 – Private Data risk classification.
Reasonable Expectation of Privacy
The reasonable expectation of privacy is an element of privacy law that determines in which places and in which activities a person has a legal right to privacy. Sometimes referred to as the "right to be left alone," a person's reasonable expectation of privacy means that someone who unreasonably and seriously compromises another's interest in keeping their affairs from being known can be held liable for that exposure or intrusion.
A device that records images and which is used to detect or prevent crime.
Security Camera Oversight Committee (SCOC)
Operational committee established by the Vice President for Finance and Administration to oversee implementation of this policy. The SCOC is comprised of the following members:
|Daryl Kempf, University Policeemail@example.com|