Category: Information Technology
Responsible Office: Vice President and Chief Information Officer (VPCIO)
Responsible Executive: Vice President and Chief Information Officer (VPCIO)
Date Established: July 5, 2022
This standard provides transparency on videoconferencing and video management applications used at UB for instructional, business, and community meeting purposes. It outlines what data videoconference or recording participation collects, how this data should be handled, and with whom this data can be shared. This standard supports the Data Risk Classification Policy and the Protection of University Data Policy, and is supplemented by the Data Access Procedure.
The University at Buffalo (UB, university) is committed to maintaining the privacy of students, faculty, staff and community members. The university employs UB-licensed third-party web conferencing applications such as Microsoft Teams and Zoom and video management systems including Panopto to facilitate meetings, instruction, university business, and community activities. These third-party services collect video and meeting metadata at the request of the university and may use this data to improve their services. Neither UB nor our contracted third parties sell video data. University business must be conducted through university-licensed services, and should not use personal accounts. Because the metadata collected may include Category 1 and/or Category 2 data as defined by the Data Risk Classification Policy, meeting organizers must be aware of any privacy laws or regulations governing their meeting content and/or attendee information, and must use web conferencing applications and video management systems that are compliant with these laws and regulations.
University-licensed videoconferencing applications and video management systems may include integrations with third-party add-on applications. Meeting organizers may not use any third-party add-on applications that have not been fully vetted and approved by the university if their meeting content or attendee data includes Category 1 and/or Category 2 data.
Because it may include sensitive or protected information, UB will only share metadata internally where it can be appropriately separated based on role-based security, and only with authorized individuals who demonstrate a legitimate business need through the requesting video data process.
The Vice President and Chief Information Officer is the videoconference and video management application data trustee.
Contracted third-party videoconferencing and video management application service providers may collect information such as:
Third-party add-ons are available to integrate with university-provided videoconferencing services. Add-ons that may collect elements of restricted data are reviewed and approved on a case-by-case basis by the data trustee.
Application Information | Application Administrators have access to: |
---|---|
Microsoft Teams | Application administrators do not generally have access to meeting recordings or meeting metadata. They may use vendor-provided tools to access this information when required for compliance purposes. |
Panopto | • Recordings, recording creator, creation date, and time • Usage information including views • Viewer name (if available) • View date • View time • Details of meetings automatically imported from Zoom • If enabled: recordings of voice, image, surroundings, in-meeting chat messages, speech-to-text transcripts |
Zoom | • Details about all meetings scheduled using the UB Zoom enterprise license. • If enabled: recordings of voice, image, surroundings, in-meeting chat messages, speech-to-text transcripts. • In-app chat messages (currently retained for two years). |
Zoom sub-instance configured for telehealth and clinical use cases where the exchange of electronic protected health information (ePHI) may trigger regulatory statutes such as HIPAA.
Current | • Topic • Host | • Date • Start and end times |
Proposed | • Topic • Host • Date • Start and end time | • Attendee name • IP address • Device types • Location city and country |
Third-party providers use video data to improve services to the university and support to our UB community, including students, faculty, and staff. Application administrators support system stability and promote a positive user experience by monitoring service performance and providing customer support.
University staff may request video data when they can demonstrate a legitimate business need. This need must support regular or improved services and support the mission of the university. Data must be stored and disposed of securely.
UB may also be required to share videoconference data due to a court order or active investigation. UB does not sell video data.
UB shifted largely to videoconferencing and video management applications in 2020 to accommodate instructional and business needs during the COVID-19 pandemic. These applications continue to be useful tools to conduct university business despite the return to an in-person environment beginning fall 2021. As such, there is a need to clearly identify different roles and responsibilities related to the ownership, access, and use of video data.
This standard applies to anyone who accesses or creates content on videoconference and video management applications administered by UB. This includes UB faculty, staff, students, volunteers, and other community members, including members of the public. It covers university instruction, business, and any other meetings of the UB community or the broader community that are hosted by the university.
University staff who support the day-to-day functioning of university applications by performing installations, updates, and configurations and also troubleshooting and diagnosing application problems.
University officials and their staff who have operational-level responsibility for information management activities related to the capture, maintenance, and dissemination of data.
Senior leader of the university (e.g., vice president, vice provost, dean) who has responsibility for areas that have systems of record.
Individual who needs and uses university data as part of their assigned duties or to fulfill their role in the university community.
The Family Educational Rights and Privacy Act of 1974 is a federal law that protects the privacy of student educational records.
The Health Insurance Portability and Accountability Act of 1996 is a federal law that protects sensitive patient health information.
Any videoconference-based gathering hosted by a member of the university community for instruction, university business, or community activities.
When access to various university systems and data is assigned only to employees who require such access to perform their duties.
Information Security Officer
Phone: 716-645-6997
Email: sec-office@buffalo.edu
J. Brice Bible
Vice-President and Chief Information Officer
May 25, 2022