Printed on: 08/20/2018. Please go to http://policy.umn.edu for the most current version of the Policy or related document.

ADMINISTRATIVE POLICY

Access to and Use of Physical Security Data

Responsible University Officer(s):

  • Vice President for University Services

Policy Owner(s):

  • Police Chief

Policy contact(s):

Date Revised:

Jan 20, 2016

Effective Date:

Jan 20, 2016

POLICY STATEMENT

The University of Minnesota operates video surveillance and card access systems for the purposes of crime prevention, and to provide for the safety and security of individuals and property within the University community.  Information generated by these technologies is considered Physical Security Data. 

Use of Physical Security Data

Recorded data will be stored for a period of at least 30 days, in a secure location accessible by authorized staff only.  Information obtained in violation of this policy may not be used in any disciplinary proceeding against a member of any University faculty, staff, or student body.

Individuals responsible for conducting video surveillance and card access monitoring must limit their surveillance/monitoring activities to authorized safety and security purposes, such as, but not limited to:

  • protection of individuals, property, and buildings;
  • confirmation of alarms;
  • patrol of public areas;
  • ongoing operation of a secure data facility; and
  • investigation of policy violation or criminal activity.

Data gathered through these mechanisms may not be used for unauthorized purposes, such as, but not limited to:

  • monitoring political and religious activities;
  • employee and/or student evaluations;
  • unauthorized investigations.

Oversight and Controls

Authorized users are prohibited from basing viewing practices on any characteristics and classifications within these policies, including, but not limited to race, gender, sexual orientation, national origin, etc.  Standard Operating Procedures prohibit use that violates an individual’s reasonable expectation of privacy, as defined by law.  Unauthorized individuals are not permitted to operate video surveillance and card access systems at any time.

Staff assigned monitoring responsibilities must complete training on the professional, ethical, and legal use of these monitoring technologies prior to using them.  Staff found to be in violation of this policy or any associated Standard Operating Procedure will be subject to disciplinary action consistent with the rules and regulations governing employees of the University.

Access to Physical Security Data

Entities authorized to request and review Physical Security Data are strictly limited to:

  • Chief Information Security Officer – in conjunction with secure data facility oversight
  • Human Resources – in conjunction with an official administrative investigation
  • Office of General Counsel – in conjunction with an investigation, granting exceptions from this policy, or providing legal counsel
  • Office of Internal Audit – in conjunction with an investigation, or internal audit of a University unit
  • University of Minnesota Police Department – in conjunction with a criminal investigation

Authorized Users must:

  • Conduct video observation of public areas that are in plain view of others.
  • Be trained in the technical, legal, and ethical parameters of appropriate video surveillance and card access data use as prescribed by the Department of Public Safety.
  • Monitor based on behavior, NOT group characteristics (e.g., race, gender, sexual orientation, national origin, disability, etc.)
  • Notify public safety responders immediately whenever any criminal or life-threatening activity is observed.
  • Document criminal or life-threatening activities in detail.
  • Not release any video surveillance or card access data without written approval for a formal investigation from one of the authorized entities outlined above.
  • Not use University resources to monitor unauthorized areas (e.g., living spaces), or violate any individual’s right to privacy, as defined by law.

Managers of these Systems and Supervisors of Authorized Users must:

  • Provide ongoing oversight of operator activities and performance.
  • Periodically require staff to demonstrate their knowledge and understanding of relevant policies.
  • Not release any video surveillance or card access data without written approval for a formal investigation from one of the authorized entities outlined above.

Exceptions

The Office of General Counsel has the sole discretion to grant exceptions to this policy for the purposes of securing and maintaining the University’s interests.  Exceptions will be granted to individuals and will remain in effect until expiration, suspension, or revocation by the Office of General Counsel.  Exceptions cannot be subdelegated and automatically expire when an individual leaves their role.

REASON FOR POLICY

The University is committed to providing an environment that is safe and secure for students, faculty, staff, and visitors alike.  To this end, the University utilizes state-of-the-art video surveillance and card access technologies to enhance security, safety, and the quality of life of the campus communities.  This policy outlines the appropriate use of these resources to ensure compliance with all University policies.

This policy applies to all facets of the University of Minnesota system.  Approved research is excluded from this policy, provided the research is conducted in accordance with the University policies and procedures governing ethical research.

PROCEDURES

FORMS/INSTRUCTIONS

APPENDICES

FREQUENTLY ASKED QUESTIONS

CONTACTS

Subject: Primary Contact
Contact: Jeff Lessard
Phone: 612-624-1583
Fax/Email: jdlessar@umn.edu

DEFINITIONS

Access
The ability to retrieve, review, or download information. Access is provided only to specified entities in conjunction with an official investigation or purpose.
Authorized User
Any individual employed in an official capacity with the University (employee or subcontractor) that has been granted access to data outlined in this policy.
Data
Any information that is collected, stored, transferred or reported for any purpose, utilizing University technologies or resources, whether stored electronically or otherwise.
Physical Security Data
Information classified as “security service data” under Minnesota law generated through the use of video surveillance or card access systems.
Public Safety Responder
Any individual officially authorized or licensed in law enforcement, fire-fighting, or emergency medical services acting within their official capacity or scope of duties.
Secure Data Facility
Any space under electronic control or surveillance that is primarily classified as housing one or more data servers and subject to oversight by the Chief Information Security Officer.
Security Incident
Any occurrence resulting in the loss of data confidentiality or integrity. This can be accidental, intentional, negligent or otherwise.
Security Measures
Processes, hardware, and/or software used by system and network administrators to assure confidentiality and integrity, and to prevent loss of data belonging to the University. This includes network keys, watermarking, etc.
Security Violations
Any action that does not comply with, or is in conflict with processes, policies, procedures, security concepts and/or measures.
University Information
Information collected, manipulated, stored, reported, or presented in any format, on any medium, by any unit of the University.

RESPONSIBILITIES

Authorized Users
Conduct video surveillance and card access system monitoring responsibly, in compliance with all University policies and applicable state and federal laws, and in plain view. Prevent security incidents and protect data from unauthorized dissemination.
Chief Information Security Officer
Request data, or delegate individuals authorized to request data, for the purposes of ongoing operation of a secure data facility. The CISO is responsible for ensuring that delegated individuals fully understand and remain in compliance with policies and procedures.
Department of Public Safety
Serves as final authority for oversight, training, and coordination of use of the system, and ensures all users maintain compliance with relevant state and federal law, and/or University policies. Retains final authority regarding access to these resources for safety and security purposes. Responsible for the daily operation and management of video surveillance and card access technologies, and for monitoring new developments in relevant laws and security industry practices to ensure University procedures are consistent with the highest standards and protections. Public Safety will ensure employees or subcontractors adhere to all related University policies, including the Non-Discrimination Policy, the Sexual Harassment Policy, and all other relevant policies.
General Counsel
Provide legal advice and guidance to University staff and decision makers to ensure compliance with state and federal law; grant exceptions to officials for the purposes of securing and maintaining the University's interests.
Individuals Granted Exceptions by General Counsel
Request data only for the purposes of investigating civil, security, or conduct matters to secure the University’s interests. Prevent security incidents and protect data from dissemination to unauthorized individuals or entities.
Human Resources
Provide authorization on departmental letterhead in conjunction with any administrative investigation involving the use of video surveillance or card access data. Assist in any disciplinary process or proceeding for violations of this policy, or any other relevant University policies.
Office of Internal Audit
Request data for the purposes of any authorized investigation or audit process.

RELATED INFORMATION

HISTORY

Effective:
January 2016 - New Policy:
  1. Defines the acceptable handling and use of physical security data. This addresses recommendations from the Secure Data Center Audit in January 2015.
  2. Specifies which individuals or units have access to the data, and under what circumstances.
  3. Includes the training, oversight, and controls necessary for staff assigned monitoring responsibilities.