This provisional policy helps ensure compliance with applicable regulatory standards and meets the need for safe and secure recording of interactive conversations, lectures, laboratory sessions or other web-conferences for the purpose of archiving or rebroadcasting during or after contingency operations – such as those associated with the novel coronavirus known as COVID-19.
This provisional policy is created to meet the need for safe and secure recording of interactive conversations, lectures, laboratory sessions or other web-conferences for the purpose of archiving or rebroadcasting during or after contingency operations – such as those associated with the novel coronavirus known as COVID-19. All laws, regulations, and policies regarding the privacy, security, and confidentiality of individually identifiable information about students, patients, and research subjects apply to information shared and/or recorded during these sessions. This policy helps ensure compliance with applicable regulations including the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).
This document will be reviewed no later than six months from the date on which this provisional policy is issued.
Conducting a collaboration session is the responsibility of the individual or organization hosting the session. Recording a collaboration session is the act of capturing and saving the session for archival purposes and for later playback.
Use of collaborative tools to conduct or record conversations or presentations that do not contain Sensitive or Restricted Data is at the discretion of the individual if the tools are licensed for use by the University. For additional information regarding Sensitive and Restricted Data visit: https://kb.wisc.edu/itpolicy/cio-data-classification-policy
Recording cloud-based collaboration and web-conferencing sessions, regardless of the intended purpose, should follow the guidance shown in this policy. Any recording made is considered a record that should be retained per Wisconsin Stat. § 16.61, which addresses the records retention practices for state agencies, and UW-Madison requirements listed at https://www.library.wisc.edu/archives/records-management/.
If uncertain whether a session contains Sensitive or Restricted Data, the recordings should be reviewed promptly with a manager or primary contact of the distributed IT team and/or HIPAA security coordinator (https://compliance.wisc.edu/hipaa/coordinators/) and/or designated data steward (https://data.wisc.edu/data-governance/data-stewards/). In the event the aforementioned personnel are unavailable, contact email@example.com to determine the classification of the data before selecting the appropriate storage solution for the recordings. Recordings involving Sensitive or Restricted Data must be stored in an approved format and on an approved storage medium that uses encryption deemed high-grade according to industry standards.
While many open source and free web conference and recording tools are available, they may not satisfy the university’s privacy and security policies or legal obligations. UW–Madison has purchased licenses for several collaboration services that include the ability to provide appropriate security to ensure safe and secure conduct and retention of any Sensitive or Restricted Data contained within the collaboration session and video presentations. Use of these services may require those conducting the collaboration to provide appropriate security of the information within the session and give appropriate notice to participants.
Issued by the UW–Madison Vice Provost for Information Technology.
Failure to comply with this policy may result in elevated risk to the University and may require the Risk Executive for the school, college, or division to accept that risk or direct actions to mitigate the risk. Formal risk analysis may be requested by contacting the Office of Cybersecurity at firstname.lastname@example.org.
Please address questions or comments to email@example.com.