Video Metadata Use Standard

Category: Information Technology

Responsible Office: Vice President and Chief Information Officer (VPCIO)

Responsible Executive: Vice President and Chief Information Officer (VPCIO)

Date Established: July 5, 2022

On this page:

Summary

This standard provides transparency on videoconferencing and video management applications used at UB for instructional, business, and community meeting purposes. It outlines what data videoconference or recording participation collects, how this data should be handled, and with whom this data can be shared. This standard supports the Data Risk Classification Policy, Protection of University Data Policy, and is supplemented by the Data Access Procedure.

Standard Statement

The University at Buffalo (UB, university) is committed to maintaining the privacy of students, faculty, staff and community members. The university employs UB-licensed third-party web conferencing applications such as Microsoft Teams and Zoom and video management systems including Panopto to facilitate meetings, instruction, university business, and community activities. These third-party services collect video and meeting metadata at the request of the university and may use this data to improve their services. Neither UB nor our contracted third parties sell video data. University business must be conducted through university-licensed services, and should not use personal accounts. Because the metadata collected may include Category 1 and/or Category 2 data as defined by the Data Risk Classification Policy, meeting organizers must be aware of any privacy laws or regulations governing their meeting content and/or attendee information, and must use web conferencing applications and video management systems that are compliant with these laws and regulations.University-licensed videoconferencing applications and video management systems may include integrations with third-party add-on applications. Meeting organizers may not use any third-party add-on applications that have not been fully vetted and approved by the university if their meeting content or attendee data includes Category 1 and/or Category 2 data. Because it may include sensitive or protected information, UB will only share metadata internally where it can be appropriately separated based on role-based security, and only with authorized individuals who demonstrate a legitimate business need through the requesting video data process.

The Vice President and Chief Information Officer is the videoconference and video management application data trustee.

Data Collected

Contracted third-party videoconferencing and video management application service providers may collect information such as:

  • Customer information including name, email address, department, and location
  • Event title
  • Device information including IP address, device type, webcam, and microphone type
  • Usage information and customer content including enabled features such as recording, chat messages, and uploaded files

Add-Ons

Third party add-ons are available to integrate with university-provided videoconferencing services. Add-ons that may collect elements of restricted data are reviewed and approved on a case-by-case basis by the data trustee.

Application Information
Application Administrators have access to:
Microsoft Teams Application administrators do not generally have access to meeting recordings or meeting metadata. They may use vendor-provided tools to access this information when required for compliance purposes.
Panopto

• Recordings, recording creator, creation date, and time

• Usage information including views

• Viewer name (if available)

• View date

• View time

• Details of meetings automatically imported from Zoom

• If enabled: recordings of voice, image, surroundings, in-meeting chat messages, speech-to-text transcripts

Zoom

• Details about all meetings scheduled using the UB Zoom enterprise license.

• If enabled: recordings of voice, image, surroundings, in-meeting chat messages, speech-to-text transcripts.

• In-app chat messages (currently retained for two years).

Zoom sub-instance configured for telehealth and clinical use cases where the exchange of electronic protected health information (ePHI) may trigger regulatory statutes such as HIPAA.

Current

• Topic

• Host

• Date

• Start and end times

Proposed

• Topic

• Host

• Date

• Start and end time

• Attendee name

• IP address

• Device types

• Location city and country

How Videoconferencing Data is Used

Third-party providers use video data to improve services to the university and support to our UB community, including students, faculty, and staff. Application administrators support system stability and promote a positive user experience by monitoring service performance and providing customer support.University staff may request video data when they can demonstrate a legitimate business need. This need must support regular or improved services and support the mission of the university. Data must be stored and disposed of securely.UB may also be required to share videoconference data due to a court order or active investigation. UB does not sell video data.

Background

UB shifted largely to videoconferencing and video management applications in 2020 to accommodate instructional and business needs during the COVID-19 pandemic. These applications continue to be useful tools to conduct university business despite the return to an in-person environment beginning fall 2021. As such, there is a need to clearly identify different roles and responsibilities related to the ownership, access, and use of video data.

Applicability

This standard applies to anyone who accesses or creates content on videoconference and video management applications administered by UB. This includes UB faculty, staff, students, volunteers, and other community members, including members of the pubic. It covers university instruction, business, and any other meetings of the UB community or the broader community that is hosted by the university.

Definitions

Application Administrator

University staff who support the day-to-day functioning of university applications by performing installations, updates, and configurations and also troubleshooting and diagnosing application problems.

Data Manager

University officials and their staff who have operational-level responsibility for information management activities related to the capture, maintenance, and dissemination of data.

Data Trustee

Senior leader of the university (e.g., vice president, vice provost, dean) who has responsibility for areas that have systems of record.

Data User / Customer

Individual who needs and uses university data as part of their assigned duties or to fulfill their role in the university community.

Family Educational Rights and Privacy Act of 1974 (FERPA)

The Family Educational Rights and Privacy Act of 1974 is a federal law that protects the privacy of student educational records.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 is a federal law that protects sensitive patient health information.

Meeting

Any videoconference-based gathering hosted by a member of the university community for instruction, university business, or community activities.

Role-Based Security

When access to various university systems and data is assigned only to employees who require such access to perform their duties.

Responsibility

Application Administrator

  • Manage customer access and roles
  • Configure application settings for security and ease of use
  • Facilitate integrations with other UB applications
  • Assist the Information Security Office in vetting requests for third-party add-ons
  • Provide anonymized statistical reports on application usage

Vice President and Chief Information Office (VPCIO)

  • Approves of updates to this standard as needed

Data Steward

  • Reviews and updates this standard as needed
  • Reviews video data requests to determine whether or not the criteria to grant access have been met
  • Communicates issues related to the creation, sharing, reuse, retention, and backup of data
  • Collaborates with VPCIO on updates and edits to this standard as needed

Data Manager

  • Secures data in accordance with the most restrictive category of information
  • Provides video data to authorized university employees upon approval from the Vice President and Chief Information Officer (VPCIO)
  • Shares data in accordance with a court order or active investigation

Data User / Customer

  • Submits requests for video data when such data is needed for a legitimate business reason
  • Uses provided data in accordance with the request provided
  • Stores information securely in accordance with Data Risk Classification Policy and Appendices as well and other applicable regulations
  • Disposes of information at the conclusion of its use or in accordance with UB records retention schedules or other applicable regulations

Meeting Organizer

  • Uses UB-licensed web conference and video management applications
  • Uses a web conference or video management application that complies with relevant laws and regulations governing the data collected

Contact Information

Information Security Officer
Phone: 716-645-6997
Email: sec-office@buffalo.edu        

Related Information

Related Procedures

University Links

Related Links

Vice President and Chief Information Officer Approval

J. Brice Bible
Vice-President and Chief Information Officer

May 25, 2022