16.03 – Regulation of Security Cameras on University Premises

PART 1: PURPOSE

1. To enhance and protect public safety and property, while also respecting the privacy and other rights of those within the university community;
2. To manage the use of security cameras and related issues, throughout the NMSU System.

PART 2: SCOPE

1. Unless indicated in the following subsection on exceptions, this Rule applies to the installation and use of security camera systems on university premises throughout the NMSU System, whether installed by third party vendors or by authorized NMSU personnel.
2. Exceptions – This Rule does not apply to:
   1. The use of cameras or other electronic recording equipment to conduct academic research;
   2. The overt use of video and/or audio recording equipment utilized for video conferencing for academic or administrative purposes and/or to facilitate real time communication for the purpose of admitting personnel to secured facilities;
   3. The creation or use of class lecture recordings and/or archiving utilized not for security, but for the purpose of content sharing;
   4. The use of recording systems by the NMSU Police Department law enforcement personnel for specific criminal investigations or for recording individual Police Officer interaction.
   5. Cameras placed on a temporary basis for operational/administrative investigation into alleged misconduct, with the consent of one party to the communication, as approved by the Office of General Counsel.
   6. The overt use of video audio recording equipment placed to enhance safety and security of NMSU employees in the workplace.
   7. Personal recording equipment, including but not limited to cell phone cameras, used by private individuals for purposes not associated with student or employee status.
   8. The use of a computer attached camera (webcam) in a private office.

PART 3: RULE ADMINISTRATOR

This Rule shall be administered by the university’s chief information officer (CIO) in consultation with the Police Chief and other University Administrators as needed.

PART 4: GENERAL PRINCIPLES

1. Security cameras shall only be installed in compliance with this Rule.
2. Signage will be conspicuously posted in any area where security cameras are recording images.
3. Audio recording is only permissible for short duration, with the consent of one of the parties, consistent with applicable law; or as may be permitted by court order. The audio function (both monitoring and recording) of the security camera microphone must be disabled.  See Also Exceptions in Part 2 subsection B.
4. This Rule does not require the university to provide security cameras in all public locations, and/or to ensure that a camera is recording or monitoring at all times. Images may be monitored in real time, or may be preserved for review at a later date as part of an incident investigation.  Any images retained will be disposed of in accordance with Part 5 subsection H below: Storage and Retention of Recordings.
5. Security cameras will be installed, operated and monitored in compliance with all university policies and the law, including but not limited to those covering FERPA, HIPAA, discrimination, harassment and stalking. The use of security cameras authorized by this Rule will be limited to uses that do not violate a reasonable expectation of privacy, nor disclose confidential or classified information.

PART 5: RULE GUIDELINES

1. The installation and use of security cameras addressed in this Rule is for the general purpose of campus safety and security, including the deterrence of vandalism and theft.
   1. Examples of areas which may be subject to monitoring by security cameras include but are not limited to:
      1. outdoor parking lots;
      2. areas within buildings open to the public such as libraries, museum, Pan Am Center and Corbett Center;
      3. common areas inside residence halls;
      4. areas proximate to the handling of cash or other valuable property.
   2. Examples of areas that will not be subject to security camera monitoring include, but are not limited to:
      1. individually licensed living areas within residence halls or other NMSU housing, absent express consent from the affected license holder;
      2. restrooms;
      3. locker rooms;
      4. dressing rooms and similar space;
      5. areas where restricted Department of Defense classified information is discussed, stored or otherwise processed.
2. Any interception, duplication, transmission, alteration, tampering, or other improper diversion of the security camera or recorded images or related instrumentation, software or documentation for purposes other than official university business is prohibited.
3. Personnel authorized to access security camera information, including the images they produce, will perform their duties in accordance with this Rule, in addition to any supplemental procedures which may be issued by the operating department.
4. All existing uses of security cameras will be brought into compliance with this Rule as soon as feasibly possible, and no later than June 30, 2015, unless otherwise determined by the CIO.
5. The NMSU entities utilizing security cameras governed by this Rule will notify the CIO annually to ensure compliance and will provide a list of security cameras currently in operation.
6. The use of security cameras by university contractors operating on university premises pursuant to a contract will be governed by the terms of the contract, consistent with NMSU policies, rules and procedures.
7. In the event of a criminal investigation, civil litigation or other administrative action, the recorded data will be maintained in accordance with guidance provided by the prosecutor and/or the Office of NMSU General Counsel.
8. Storage and Retention of Recordings: Recordings shall be retained for a minimum of thirty (30) calendar days.  See also C.

PART 6: SUPPLEMENTAL PROCEDURAL GUIDELINES

As authorized by RPM 1.10 and Part 6, the following Procedural Guidelines, issued on April 9, 2013, supplement the above.

1. Justification and Approval: Individual NMSU Entities desiring to install security camera equipment shall submit a written request to their appropriate unit administrator, dean or vice president describing the proposed location of security camera (s), justifying the proposed installation, as well as identifying the funding source for purchase and ongoing maintenance. (See Appendix ARP 16.03-A – Security Camera Proposal and Justification Form).
   1. Upon approval by appropriate administrator, dean or vice president, the Security Camera Proposal and Justification Form will be submitted to the CIO for information purposes and maintain a copy on-site.
   2. The University’s Chief Information Officer or designee is responsible to assure compliance with this rule.
2. Installation: Installation of all networked security cameras should be coordinated through Networking Services to ensure they are on a secure network and access is restricted.
   1. All networked security cameras and related equipment should be configured to require two factor authentication (user IDs and passwords) and not use default or common logins.
   2. Networking Services, Security Camera Coordinator and Facilities Services will collaborate to install network infrastructure to ensure all relating building codes are followed.
   3. When appropriate, installing department is encouraged to seek the assistance of the ICT Computer Systems function to ensure proper system setup, configuration and to clearly identify location of software i.e. PC or Server.
3. Signage: Signage for security cameras shall be placed conspicuously in areas with cameras, as determined by the Chief Information Officer and consistent with requirements of ARP 12.06 Uniform Signage – Wayfinding.
4. Training:
   1. Authorized personnel responsible for security cameras shall receive a copy of this rule governing security cameras and provide written acknowledgement that they have read and understood the contents. (See Appendix ARP 16.03-B, Security Camera Training Acknowledgment Form)
   2. Authorized personnel shall attend any meetings or trainings convened by the CIO.
5. Transitioning Security Cameras in Use Prior to Policy Effective Date: The use of existing security cameras shall comply with this rule’s requirements for professional, legal and ethical use. To the extent that existing equipment or software make it infeasible to comply with technical requirements, the NMSU Entities shall proposed a transition plan to the CIO explaining the steps needed for compliance and a proposed timeline.
6. Unit Level Camera Security Operations:
   1. Unit Level Protocols Required: NMSU Entities will need to Develop Security Camera Protocols:  All NMSU Entities responsible for security cameras governed by this rule shall develop and maintain written departmental policies and processes detailing operation of cameras and how tampering with, intercepting, or duplicating of recorded information will be prevented. Written protocols shall be no less stringent than those outlined in this rule.
   2. Inventory and Documentation: Each NMSU Entity shall maintain a master inventory and associated documentation of all existing and approved components to their security camera, including but not limited to equipment, software and authorizations received.  Inventories must include but may not be limited to:
      1. Name of responsible person for security cameras and review/approval date;
      2. Name and contact information of the person requesting the installation and/or approval of the security camera;
      3. List of authorized personnel and other members of management, by position and by name, who may be permitted access to the recorded images/information;
      4. Purpose and justification for the proposed security camera, consistent with the permitted uses of this rule;
      5. Explanation of how the recorded information may be reviewed and/or used;
      6. Measures that have been taken to minimize the impact on personal privacy;
      7. Assertion that the planned installation and operation of the security camera system shall comply with applicable law and this rule;
      8. Nature of the physical space in which the security camera will be placed, and a description of the types of activities reasonably likely to be captured on the recordings by the security camera;
      9. Implementation details, including:
         1. physical location of installation,
         2. field of view of the camera(s),
         3. capabilities of the camera(s) (video, audio, pan, tilt, zoom, etc.) or microphone(s) that have been disabled, and
         4. the make and model of equipment and software;
         5. the location and the timing relating to storage and retention of the recorded information.
   3. Acknowledgement of Training and Compliance Requirements: All authorized personnel, and supervisors involved in security camera operations, including the review of recorded images, will perform their duties in accordance with this rule and any supplemental procedures which may be issued by the University’s Chief Information Officer.  They shall each indicate acceptance of this responsibility by signing the Security Camera Training Acknowledgment Form (See Appendix ARP 16.03-B).
   4. Maintenance of Log for Security Camera Recordings Access or Use: A log shall be maintained of all instances of access to or use of security camera recordings. At a minimum, the log shall include the date and identification of the person or persons to whom access was granted.  (See Appendix ARP 16.03-C, Sample Access Log Form)
   5. Prohibition of Tampering with Security Cameras: Security cameras shall be configured to prevent authorized personnel from altering or otherwise tampering with recorded information.  Allegation of tampering with a security camera, software, or other instrument or documentation related to the administration of this rule will be treated seriously, investigated thoroughly and appropriate criminal, civil, or administration action taken.
7. Storage and Retention of Recordings: Recordings from all security cameras governed by this rule shall be stored by the individual NMSU Entities in accordance with the document retention requirements of the State of New Mexico, codified at NMAC 1.15.5 et seq, and also as directed by the NMSU Records Management and Retention Office, summarized below:
   1. All administrative records relating to the Security Cameras program initiative, including training materials generated or utilized by it, shall be retained until the information value ceases, and then shall be transferred to Library Archives and Special Collections for review for further disposition;
   2. Routinely recorded images shall be retained for a minimum of thirty (30) calendar days from the date of recording or creation.
   3. Excepted from this retention rule are security camera images and any other program maintenance information when related to a criminal investigation or civil administrative or legal proceeding, or other bona fide use approved by the NMSU Police Chief and University General Counsel.