Provisional UW–Madison Online Collaboration Session Recording Policy (eff. March 16, 2020)

This provisional policy helps ensure compliance with applicable regulatory standards and to meet the need for safe and secure recording of interactive conversations, lectures, laboratory sessions or other web-conferences for the purpose of archiving or rebroadcasting during or after contingency operations – such as those associated with the novel coronavirus known as COVID-19.

Purpose

This provisional policy is created to meet the need for safe and secure recording of interactive conversations, lectures, laboratory sessions or other web-conferences for the purpose of archiving or rebroadcasting during or after contingency operations – such as those associated with the novel coronavirus known as COVID-19. All laws, regulations, and policies regarding the privacy, security, and confidentiality of individually identifiable information about students, patients, and research subjects apply to information shared and/or recorded during these sessions. This policy helps ensure compliance with applicable regulations including the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).

This document will be reviewed no later than six months from the date on which this provisional policy is issued.


Policy

Conducting a collaboration session is the responsibility of the individual or organization hosting the session. Recording a collaboration session is the act of capturing and saving the session for archival purposes and to playback the session.

Use of collaborative tools to conduct or record conversations or presentations that do not contain Sensitive or Restricted Data are at the discretion of the individual if the tools are licensed for use by the University. For additional information regarding Sensitive and Restricted Data visit: https://kb.wisc.edu/itpolicy/cio-data-classification-policy

Recording cloud-based collaboration and web-conferencing sessions, regardless of the intended purpose, should follow the guidance shown in this policy. Any recording made is considered a record that should be retained per Wisconsin Stat. § 16.61 which addresses the records retention practices for state agencies, and UW-Madison requirements listed at https://www.library.wisc.edu/archives/records-management/.

  1.  Sessions containing only Public data may be conducted using any collaboration tool licensed to UW-Madison for any academic or university business where only Public data is used. These tools currently include UW–Madison’s instances of Blackboard Collaborate, Cisco Webex, Kaltura, and Microsoft Teams. Divisions who purchased Zoom or other tools for communicating Public data may use those tools without contacting the Office of Cybersecurity for further approval.
  2.  Sessions containing Internal Data may be conducted and recorded using UW–Madison’s instances of Blackboard Collaborate, Kaltura, Cisco Webex, and Microsoft Teams without contacting the Office of Cybersecurity for approval. Other tools must be reviewed to ensure the security controls supporting Internal data are enabled. Due to Federal law and standards in addition to other privacy issues, we strongly recommend you do not use other, non-sanctioned web conferencing software for any academic or university business that should remain internal to the University. For a list of approved applications when recording visit: https://kb.wisc.edu/45390. Campus IT staff for schools, colleges and divisions should contact the Office of Cybersecurity via grc-cybersecurity@cio.wisc.edufor risk assessment prior to use of applications that are not included in the approved list. Please include in the request:
    • your contact information,
    • the type or classification of data being used,
    • describe how you plan to use the collaboration tool, and
    • number of expected users for the project.
  3. Sessions containing Sensitive or Restricted Data should use only the UW–Madison instances of Blackboard Collaborate, Cisco Webex or Microsoft Teams and may be recorded. Further, sessions containing Restricted Data protected by HIPAA may only be recorded using approved tools from the list posted at: https://compliance.wisc.edu/hipaa/.

If uncertain whether a session contains Sensitive or Restricted Data, the recordings should be reviewed promptly with a manager or primary contact of the distributed IT team and/or HIPAA security coordinator (https://compliance.wisc.edu/hipaa/coordinators/) and/or designated data steward (https://data.wisc.edu/data-governance/data-stewards/). In the event the aforementioned personnel are unavailable, contact grc-cybersecurity@cio.wisc.edu to determine the classification of the data before selecting the appropriate storage solution for the recordings. Recordings involving Sensitive or Restricted Data must be stored via an approved format and storage medium that is deemed high-grade encryption according to industry standards.

  1. Patient care interactions: Interactions with clinical patients may only be recorded so long as the recordings are conducted through the use of tools, methods, and procedures approved by your respective health organization.
  2. Instructional use: Recording of sessions for instructional use is allowed as long as FERPA guidance and precautions shown in the campus KnowledgeBase: https://kb.wisc.edu/28251 are taken to protect the integrity of the recording. Published information regarding specific protocols for appropriate precautions is forthcoming.
  3. Research subject interactions: Interactions with research subjects may only be recorded if approved by the applicable research study’s reviewing Institutional Review Board. Visit https://kb.wisc.edu/hsirbs/ for additional information.
  4. UW–Madison is required by law to provide technology and services that are accessible to all students, faculty and staff. If closed captioning is required or if additional accessibility questions arise with regard to recorded sessions, contact the DoIT Help Desk (https://kb.wisc.edu/helpdesk/) who will connect individuals to the Learn@UW–Madison team for further assistance.
  5. Individuals should utilize WiscVPN Services (https://kb.wisc.edu/page.php?id=90370) when recording using collaboration tools and working remotely, especially while working from places with unsecured public internet access and required if accessing restricted or sensitive campus resources remotely.
  6. Work products generated by recording collaborative sessions are University property and must be managed throughout its entire lifecycle according to an approved UW–Madison Record Retention Schedule (https://www.library.wisc.edu/archives/records-management/retention-disposition/).

Background

While many open source and free web conference and recording tools are available, they may not satisfy the university’s privacy and security policies or legal obligations UW–Madison has purchased licenses for several collaboration services that include the ability to provide appropriate security to ensure safe and secure conduct and retention of any Sensitive or Restricted Data contained within the collaboration session and video presentations. Use of these services may require those conducting the collaboration to provide appropriate security of the information within the session and give appropriate notice to participants.


Authority

Issued by the UW–Madison Vice Provost for Information Technology.


Enforcement

Failure to comply with this policy may result in elevated risk to the University and may require the Risk Executive for the school, college, or division to accept that risk or direct actions to mitigate the risk. Formal risk analysis may be requested by contacting the Office of Cybersecurity at grc-cybersecurity@cio.wisc.edu.


Contact

Please address questions or comments to policy@cio.wisc.edu.