PURPOSE OF THIS POLICY
The purpose of this policy is to protect the privacy and safety of persons and property on campus by regulating and controlling the use of electronic (video and audio) surveillance systems. The policy requires that all new installations and upgrades of surveillance systems at CSU be reviewed by the Security Technology Committee to assure that they meet certain requirements for placement, installation, use, data viewing and storage, secure access, and (where appropriate) centralized monitoring. These measures are necessary to help avoid incompatibility of systems, reduce exposure to liability arising from the use of such systems, and assure appropriate respect for personal privacy.
APPLICATION OF THIS POLICY
This policy applies to all University units and employees involved in the design, installation, and use of electronic video surveillance systems and equipment, and all persons who request or obtain access to recorded data from such systems.
EXEMPTIONS FROM THIS POLICY
This policy does not apply to audio/video recording systems in use for non-surveillance purposes such as recording of live lectures or performances, instructional purposes, human subject and animal research, and the like. See section 5(B) below. This Policy also does not apply to the private use of video and audio equipment by persons who are not acting pursuant to their employment or agency relationship with the University, or under its direction and control.
DEFINITIONS USED IN THIS POLICY
Electronic Surveillance: the use of any audio, video (including film camera) or combined audio/video device or equipment with the capacity to capture, record, and/or transmit sounds or images of places, things, and activities occurring in University-owned or controlled spaces for surveillance purposes. Electronic surveillance subject to this Policy does not include the use of devices or equipment by persons who are not acting within the scope of their authority from the University, or under its direction or control.
Electronic Surveillance System (ESS): A system consisting of electronic devices such as cameras, microphones and recording systems, the data from which is transmitted and/or controlled remotely via a direct or network connection, and is designed or used for the purposes of electronic surveillance.
ESS Data: Digital video and audio data captured by recording devices that can be monitored, transmitted, stored, retrieved, or modified in conjunction with the use of an electronic surveillance system.
ESS Device: any camera, microphone, or other audio and/or video recording device that can capture images and sounds and store them as data; and any electronic equipment that, as part of an ESS, provides the capability to retrieve, transmit, or reproduce recorded audio and/or video data files.
Monitoring: the use of cameras, microphones, display monitors, or other audio and/or video equipment for real-time observation of sounds and images.
Permanent Installation: The installation of any ESS device or system that is intended to remain in place for an indefinite time, and to be removed or modified only for change of circumstances, upon approval of the STC.
Security Technology Committee (STC): a committee appointed by the Vice President for Information Technology (VPIT) and Vice President for University Operations (VPUO) to review electronic security measures and make recommendations to the Vice Presidents regarding changes, upgrades, and issues concerning the systems, devices and procedures related to such measures. The STC Chair is appointed by and reports to the Chief of Police.
Surveillance Equipment Operator: Any person viewing or controlling an ESS device or ESS system equipment.
Surveillance: the use of any ESS device to observe any place or thing and to capture, record and/or document occurrences or conditions, for the purpose of securing and protecting the University, its property, and persons in or around University property.
Temporary Installation: The installation of any ESS device or system that is intended to remain in place for a defined, temporary period, or for only as long as required for a specific investigation, trial period, or other short-term need, and to be removed when the specified need or period has expired.
Unit or Campus Unit: A college, department, program, office, research center, business service center, or other operating unit of Colorado State University, including, but not limited to, units located on the main Fort Collins campus, any satellite campus, and any research or agricultural extension, cooperative extension, or other outlying unit location.
1. Colorado State University is committed to providing a secure environment for members of its community and to protect personal safety and property. Electronic surveillance systems are an important tool in this effort. Such technologies, however, have the potential for abuse, and must be used only to meet the University’s legitimate needs for security and compliance, in a manner that is sensitive to interests of privacy, freedom of assembly, and freedom of expression. Colorado State University allows the use of approved video surveillance systems through a defined process, subject to rules and procedures governing equipment installation and access to, storage, security and use of the resulting recorded data.
2. Except as otherwise provided in this Policy, all ESS devices and equipment shall be installed and used only for the legitimate security and business purposes of the University after review by the STC and approval of the Vice President for University Operations (VPUO) and Vice President for Information Technology (VPIT) (or their respective designees). The following restrictions and requirements shall apply to all ESS installations:
- The use of ESS devices and equipment shall be restricted to places where risks to the security or well-being of persons or property are legitimately of concern, or where business activities such as cash handling are subject to audit.
- Electronic surveillance is normally not appropriate in areas where personal privacy is reasonably expected, such as inside a campus residence hall room, public or private bathroom, locker room, private office, or any other private location. Installation of ESS devices in such areas shall not be permitted or approved unless there are compelling circumstances (such as a criminal investigation of ongoing or threatened activities) and appropriate measures have been taken to protect privacy.
- ESS devices may be used as part of a fire, smoke, hazardous materials, or intrusion detection and alarm system, to monitor the condition and functioning of mechanical equipment, and the like. Such uses are also not normally expected in places where the persons being observed have a reasonable expectation of privacy.
- Installation and use of audio and video equipment for educational, social, promotional, or research purposes, rather than for the protection of persons and property, prevention of crime, or auditing of business activities, is not “surveillance” within the scope of this Policy. For example, lectures may be recorded for educational purposes; researchers may use video cameras and recording equipment to document animal activities, monitor climate changes, or capture and document other natural occurrences; or an event, speech, conference, or gathering may be recorded for promotional or historical purposes. In general, such uses are open and conspicuous, and the people participating in such events are aware of the video and/or audio recording taking place and have expressly or impliedly consented to such by participating. While these installations may be reviewed by the STC to assure that they are not for the purposes of surveillance, such uses are otherwise not subject to this Policy (although other University policies may apply).
- No electronic surveillance system installation shall be permitted to be used for the targeting of individuals based upon perceived individual characteristics or classifications such as race, gender, ethnicity, sexual orientation, or disability. In addition, surveillance equipment operators must not knowingly, continuously monitor people engaged in intimacy in public areas unless another, legitimate reason for such observation is being served.
- Notwithstanding the above restrictions and limitations, this policy and its provisions are not intended to prohibit the Department of Internal Audit, Office of the General Counsel, or the CSU Police Department, directly or through an agent, from conducting investigations that may include the use of surveillance systems, without the prior approval of the STC.
3. In general, people have no reasonable expectation of privacy in public areas. However, people do not necessarily expect the use of audio surveillance anytime that video surveillance is in use. The use of audio recording equipment has the potential to chill the free and open discourse that is inherent to the University’s character, role and mission of higher education. Therefore, installation and use of audio recording equipment should be restricted to areas where a compelling case is shown for such measures in order to protect the campus community against an appreciable threat of harm. Such devices must be installed and used in the manner that is as non-intrusive as possible, is least likely to record academic or research activities, and does not unreasonably infringe upon the free and open discourse of ideas, learning, and expression of speech or of the press. The duration of the installation should be as short as possible under the circumstances. Access to the recorded audio should be strictly controlled, limited and secured. Where permanent audio recording installations are approved, adequate notice of their presence should be provided, unless doing so would negate the legitimate reasons for their installation, and/or would create an unsafe situation or allow an unsafe situation to continue.
4. People in public places do not necessarily expect that video surveillance will be capable of capturing such minute detail as the content of text messages or emails appearing on their mobile devices. Video surveillance should be no more detailed or intrusive than is necessary to carry out its legitimate, intended purposes.
5. Notwithstanding the foregoing, ESS may be used to view the screens of University-owned computers in other public-access areas, and provided for public use, where personal privacy in viewing the screen is not reasonably expected, and signage to this effect is in place.
6. ESS surveillance is not to be used as an employee performance management tool. It is not appropriate to use ESS devices to measure an employee’s performance, although ESS Data may be relevant to a determination whether an employee has violated University policy or applicable law.
7. Signage should be placed in areas where video surveillance is taking place in order to advise the public of its presence, with care to word such signage so as to not give individuals a false sense of protection (e.g., “video surveillance may be used to monitor this area at random”). Signage may be at building entrances, but should also be placed in specific areas being monitored where deemed appropriate given the location and circumstances. In certain cases, the STC may determine that the protection and security of the campus demands that an ESS installation be allowed without signage; these instances should be rare and the circumstances for approving them should be compelling.
8. Special Considerations for Residential Facilities:
- Unless otherwise required by a warrant, camera views of residence halls, rooms or apartments must be of building exteriors and interior common areas that are generally accessible to all residents, and not assigned for private use.
- Viewing within or through the windows of private rooms is prohibited except as part of an active criminal investigation authorized by law.
APPLICATION OF THIS POLICY
STC Responsibilities: The STC’s responsibilities shall include:
- To provide prior review of all new proposed ESS installations;
- To make recommendations to the VPIT and VPUO regarding the selection, implementation, and maintenance of the centralized electronic surveillance monitoring system;
- To define the protocols and procedures for storage, retrieval, and access to the video and audio data that is produced by ESS devices;
- To assist the responsible administrators of affected units in non-emergency situations where temporary ESS installations will occur (e.g., law enforcement investigations);
- To assist the Chief of Police and Office of General Counsel regarding the release of ESS recordings directly related to a criminal investigation, subpoena, or legal proceeding;
- To authorize, as appropriate (and subject to approval by the VPIT and VPUO) requests for permission for new, temporary, or replacement ESS installations and upgrades;
- To make recommendations as to whether specific ESS devices and equipment should be locally controlled and accessed, remotely controlled and accessed by connection to the University’s central surveillance system, or both.
Responsibilities of Campus Units:
- Except as expressly provided in this policy, campus units shall not install or modify any ESS device without the prior, written approval of the VPUO and VPIT (or their respective designees).
- Excluding emergency or investigative situations, each campus unit that receives approval to install, maintain, and/or use an ESS device in areas under the unit’s control shall post signage at all surveillance locations stating, “This area is subject to surveillance for security purposes and may or may not be monitored.” The STC shall have the authority to require modifications, additions or removal of such signage at any time.
- Each unit that has any ESS device in operation shall be responsible for assuring that the ESS device(s) and equipment are accessible for use only by such persons designated by the STC, and are adequately secured, monitored, and maintained in good working order.
- Each unit shall also be responsible for reporting promptly to the STC or the Chief of Police any incident in which persons within the unit are aware that ESS devices or equipment have (or may have) recorded activity which appears to involve the commission of any act that is illegal, or is potentially a cause for University disciplinary measures to be initiated, or depicts an injury to any persons or property; and for reporting any suspected crime in progress observed while monitoring a surveillance system in real time, by immediately calling 911.
- Campus units shall take reasonable measures to prevent tampering with and unauthorized access to ESS devices and equipment, and shall store recorded surveillance data in a secure location, accessible only to designated individuals.
- For all new or replacement ESS installations or upgrades, campus units shall confirm with the STC that integration with the university-wide ESS is possible, and effect such integration as directed by the STC.
- Campus units shall conduct, at least annually, audits of their authorized users and access levels in the ESS system.
Storage, Retention and Access to Recorded Data:
- All data storage will be by digital means. Stored data will be retained for a minimum of 14 days, or such longer period as may be determined by the STC. Specific applications, such as PCI DSS compliance, may have greater retention requirements.
- Access to stored data shall be strictly limited to University employees who have a legitimate business need. Campus units shall identify the persons within the unit who have a recurring, legitimate business need to access real-time or stored ESS data and shall provide names and positions to the STC. Persons not identified for such purposes shall not be permitted access without the express, prior, written approval of the STC Chair.
- The STC may require background checks before approving any person’s access to ESS data.
- STC members shall undergo background checks (as prescribed by the VPUO and the Executive Director of Human Resources) prior to serving on the STC (or, where appropriate, as soon as practicable after being appointed). In addition, all STC members shall undergo training in the same manner as provided herein for Surveillance Equipment Operators.
- Release of Recorded ESS Data:
- Requests for external release of recorded data must be approved by the STC Chair, who will consult with the Office of the General Counsel to determine whether or not such release is appropriate.
- All such data released shall be specifically documented and the person(s) to whom the data is provided shall be required to sign an acknowledgement of receipt of access to, or copies of, the data, together with an acknowledgement of any limitations or restrictions on the release and any re-release.
- Each campus unit, whether or not it actually has ESS devices, that receives a request, demand, subpoena, court order, or any other type of request for the disclosure, release or use of ESS data shall immediately contact the STC Chair and shall secure, maintain and preserve in a secure location any data that is in the unit’s possession or control, pending the outcome of the matter.
- Where such requests take the form of subpoenas or other legal documents compelling production, the responsibility for responding to requests rests with the Office of the General Counsel.
Security Technology Committee (STC) Procedures, Forms, and Training:
- The STC shall meet at least quarterly, or as otherwise directed by the VPUO, to review ESS installations, make determinations as authorized by this Policy, review requests from campus units for installation or modification of ESS devices or equipment, review security measures, etc.
- The STC shall submit an annual report of its activities and determinations to the VPUO and the VPIT.
- The STC shall make recommendations for system changes and policy changes as necessary.
- The STC shall develop procedures and forms as required for the implementation of, and compliance with this policy. Procedures and forms shall be reviewed by the Office of Policy and Compliance, Office of the General Counsel and the Vice President for University Operations before being adopted.
- Opportunities for campus education and training on this Policy and STC procedures shall be provided annually.
Installation of ESS Devices:
Except as provided herein, ESS devices may be installed or modified only with the prior review and recommendation of the STC.
- Existing installations:
Existing installations of ESS devices and systems may remain in place, but may be reviewed by the STC to assure that they are being appropriately utilized and to determine whether the local, campus unit control and access is secure and appropriate. Any changes in equipment, security, access and control that may be recommended by the STC shall be discussed first with the campus unit director and, as appropriate, with the VPUO and/or VPIT. In the event that the STC determines that a campus unit having one or more local ESS devices in use should be required to either grant access to CSUPD or to transmit the ESS data to the University’s central ESS system, the STC shall document the reasons for such determination and work closely with the campus unit to implement changes. It is the responsibility of every campus unit that has a local installation of ESS devices in place to inform the STC of the existence of such devices and systems, and to not install any new devices or implement any upgrades or modifications of the equipment, without prior review and approval.
b. New installations and modification of existing installations:
New installations and modifications of existing installations must utilize equipment that is compatible with the University’s centralized ESS, unless the VPUO and/or VPIT determines otherwise after STC review.
Campus units shall not purchase ESS devices or equipment without the involvement of the CSU Purchasing Department.
c. Temporary Installations:
A temporary installation of an ESS device or system may be authorized by the Chief of Police or the Vice President for University Operations, for purposes of aiding in an investigation, without the prior approval of the STC. The period for which the installation remains in place shall be limited to the duration of the investigation or sixty days, whichever is shorter, unless the STC approves a longer period.
Security concerns related to protecting the integrity of the infrastructure:
- Security of ESS equipment shall be provided in all installations, including physical protection of the cameras, DVRs, and cabling systems, as well as access to the applications and the stored video content.
- Physical security of the surveillance system infrastructure must include (at a minimum) camera installation in tamper proof enclosures, installing cabling in (EMT) conduit, and locating DVR’s or servers in locked rooms with carefully controlled access.
Surveillance Equipment Operators:
- Surveillance equipment operators must be trained and supervised in the responsible use of surveillance technology, including the technical, legal, and ethical parameters of such use. The STC will be responsible for providing or arranging for this training.
- Operators shall receive a copy of this Policy and the STC Procedures standards, and must sign that they have read, understood and will comply with their contents
COMPLIANCE WITH THIS POLICY
Violations of this policy can lead to disciplinary action, up to and including termination of employment or discipline pursuant to the Student Conduct Code. Persons violating this policy may be subject to civil and criminal liability under applicable laws. If a system is installed without complying with the policy, it may be removed at the expense of the department responsible for the unauthorized installation.
American Library Association, ALA Library Bill of Rights http://www.ala.org/ala/issuesadvocacy/intfreedom/librarybill/index.cfm
FORMS AND TOLLS
Video System Request Form (Facilities Management website)
Approved by Anthony Frank, December 3, 2012