MANAGING PHYSICAL SECURITY DATA

About This Policy

Policy Statement

North Central University operates video surveillance and card access systems for the purposes of crime prevention, and to provide for the safety and security of individuals and property within the university community.  Information generated by these technologies is considered physical security data.

Use of Physical Security Data
Recorded data will be stored for a period of at least 60 days, in a secure location accessible by authorized staff only.  Information obtained in violation of this policy may not be used in any disciplinary proceeding against a member of any university faculty, staff, or student body.

Individuals responsible for conducting video surveillance and card access monitoring must limit their surveillance/monitoring activities to authorized safety and security purposes, such as, but not limited to:

• Protection of individuals, property, and buildings.
• Oongoing operation of a secure data facility.
• Investigation of policy violation or criminal activity.

Data gathered through these mechanisms may be not used for unauthorized purposes, such as, but not limited to:

• Monitoring political activities.
• Employee and/or student evaluations.
• Unauthorized

Oversight and Controls
Authorized users are prohibited from basing viewing practices on any characteristics and classifications within these policies, including, but not limited to race, gender, sexual orientation, national origin, etc. Use that violates an individual’s reasonable expectation of privacy, as defined by law, is prohibited.  Unauthorized individuals are not permitted to operate video surveillance and card access systems at any time.

Employee assigned monitoring responsibilities must complete training on the professional, ethical, and legal use of these monitoring technologies prior to using them.  Employees found to be in violation of this policy subject to disciplinary action consistent with the rules and regulations governing employees of the university.

Access to Physical Security Data
Entities authorized to request and review Physical Security Data are strictly limited to:

• University Safety and Security – in conjunction with a criminal investigation and routine security activities.
• Information Security – in conjunction with secure data facility oversight.
• Human Resources – in conjunction with an official administrative investigation.

Authorized Users must:

• Conduct video observation of public areas that are in plain view of others.
• Be trained in the technical, legal, and ethical parameters of appropriate video surveillance and card access data use.
• Monitor based on behavior, not group characteristics (e.g., race, gender, sexual orientation, national original, disability, etc.)
• Notify public safety responders immediately whenever any criminal or life-threatening activity is observed.
• Document criminal or life-threatening activities in detail.
• Not release any video surveillance or card access data without written approval for a formal investigation from one of the authorized entities outlined above.
• Not use university resources to monitor unauthorized areas (e.g., living spaces), or violate any individual’s right to privacy, as defined by law.

Managers of these Systems and Supervisors of Authorized Users must:

• Provide ongoing oversight of operator activities and performance.
• Periodically require staff to demonstrate their knowledge and understanding of relevant policies.
• Not release any video surveillance or card access data without written approval for a formal investigation from one of the authorized entities outlined above.

Exceptions

The Executive Director of Operations has the sole discretion to grant exceptions to this policy for the purposes of securing and maintaining the university’s interests.  Exceptions will be granted to individuals and will remain in effect until expiration, suspension, or revocation by the Executive Director of Operations.  Exceptions cannot be subdelegated and automatically expire when an individual leaves their role.

Reason For Policy

The university utilizes video surveillance and card access technologies to enhance security, safety, and the quality of life of the campus communities.  This policy outlines the appropriate use of these resources.

Policy Scope

All university employees and students.

Procedures

• There are no procedures associated with this policy.

Forms

• There are no forms associated with this policy.

Appendices

• There are no appendices associated with this policy.

Additional Contacts

Definitions

Access
The ability to retrieve, review, or download information. Access is provided only to specified entities in conjunction with an official investigation or purpose.

Authorized User
Any individual employed in an official capacity with the university (employee or subcontractor) that has been granted access to data outlined in this policy.

Data
Any information that is collected, stored, transferred or reported for any purpose, utilizing university technologies or resources, whether stored electronically or otherwise.

Information Security Incident
Any occurrence resulting in the loss of data confidentiality or integrity. This can be accidental, intentional, negligent or otherwise.

Information Security Measures
Processes, hardware, and/or software used by system and network administrators to assure confidentiality and integrity, and to prevent loss of data belonging to the university. This includes network keys, watermarking, etc.

Information Security Violations
Any action that does not comply with, or is in conflict with processes, policies, procedures, security concepts, and/or measures.

Physical Security Data
Information classified as “security service data” under Minnesota law generated through the use of video surveillance or card access systems.

Secure Data Facility
Any space under electronic control or surveillance that is primarily classified as housing one or more data servers and subject to oversight by the director of information technology.

University Information
Information collected, manipulated, stored, reported, or presented in any format, on any medium, by any unit of the university.

Responsibilities

Authorized Users

• Conduct video surveillance and card access system monitoring responsibly, in compliance with all university policies and applicable state and federal laws, and in plain view.
• Prevent security incidents and protect data from unauthorized dissemination.

Individuals Granted Exceptions

• Request data only for the purposes of investigating civil, security, or conduct matters to secure the university’s interests. Prevent security incidents and protect data from dissemination to unauthorized individuals or entities.

Office of Safety and Security

• Authority for oversight, training, coordination of use of the system, and ensures all users maintain compliance with relevant state and federal law, and/university
• Retains final authority regarding access to these resources for safety and security purposes.
• Responsible for the daily operation and management of video surveillance and card access technologies, and monitoring new developments in relevant laws and security industry practices to ensure university procedures are consistent with the highest standards and protections.

Director of Information Technology

• Request data, or delegate individuals authorized to request data, for the purposes of ongoing operation of a secure data facility.
• Responsible for ensuring that delegated individuals fully understand and remain in compliance with policies and procedures.

Executive Director of Operations

• Grants exceptions to officials for the purposes of securing and maintaining the university’s interests.

Human Resources

• Assist in any disciplinary process or proceeding for violations of this policy, or any other relevant university policies.

RELATED INFORMATION

Related Legislation

• Family Educational Rights and Privacy Act of 1974, 20 U.S.C. § 1232g (1974).

History

Issued
2020-02-18