Legal

Legal srodriguez31

Confidentiality/Non-Disclosure Agreements

Confidentiality/Non-Disclosure Agreements jgastley3

For more information about Confidentiality/Non-Disclosure Agreements, please see the Office of Legal Affairs website:

Consulting Agreements

Consulting Agreements jgastley3

For general information about Consulting Agreements and links to resources, please see the Office of Legal Affairs website:

Contracts

Contracts jgastley3

EU General Data Protection Regulation Compliance Policy

EU General Data Protection Regulation Compliance Policy
Type of Policy
Administrative
s1polics
Effective Date
Last Revised
Review Date
Policy Owner
Ethics, Compliance & Legal Affairs
Contact Name
Tarryn T. Brennon
Contact Title
Chief Privacy Officer
Contact Email
tarryn.brennon@gatech.edu
Reason for Policy

The European Union has passed a data privacy regulation that is applicable throughout the entire European Union (“EU”), and to those who collect personal data about people in the EU. The European Union General Data Protection Regulation (“EU GDPR”) imposes obligations on entities, like Georgia Tech, that collect or process personal data about people in the EU. The EU GDPR applies to personal data collected or processed about anyone located in the EU, regardless of whether they are a citizen or permanent resident of an EU country.

Georgia Institute of Technology (“Georgia Tech” or the “Institute”) is an institute of higher education involved in education, research and community development. In order for Georgia Tech to educate its foreign and domestic students both in class and on-line, engage in world-class research, and provide community services, it is essential and necessary, and Georgia Tech has a lawful basis, to collect, process, use, and/or maintain the personal data of its students, employees, applicants, research subjects, and others involved in its educational, research, and community programs. These activities include, without limitation, admission, registration, delivery of classroom, on-line, and study abroad education, grades, communications, employment, applied research, development, program analysis for improvements, and records retention.

Georgia Tech takes seriously its duty to protect the personal data it collects or processes. In addition to Georgia Tech’s overall data protection program, Georgia Tech must make sure it complies with the dictates of the EU GDPR. Among other things, the EU GDPR requires Georgia Tech to:

  1. be transparent about the personal data it collects or processes and the uses it makes of any personal data
  2. keep track of all uses and disclosures it makes of personal data
  3. appropriately secure personal data

This policy describes Georgia Tech’s data protection strategy to comply with the EU GDPR.

Policy Statement

2.1 Lawful Basis for Collecting or Processing Personal Data

Georgia Tech has a lawful basis to collect and process personal data. Most of Georgia Tech’s collection and processing of personal data will fall under the following categories:

  1. Processing is necessary for the purposes of the legitimate interests pursued by Georgia Tech or by a third party.
  2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  3. Processing is necessary for compliance with a legal obligation to which Georgia Tech is subject.
  4. The data subject has given consent to the processing of his or her special categories of sensitive personal data for one or more specific purposes.

There will be some instances where the collection and processing of personal data will be pursuant to other lawful bases

2.2 Data Protection & Governance

Georgia Tech will protect all personal data and special categories of sensitive personal data that it collects or processes for a lawful basis. Any personal data and special categories of sensitive personal data collected or processed by Georgia Tech shall be:

  1. Processed lawfully, fairly, and in a transparent manner
  2. Collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes
  3. Limited to what is necessary in relation to the purposes for which they are collected and processed
  4. Accurate and kept up to date
  5. Retained only as long as necessary
  6. Secure

2.3 Sensitive Personal Data & Consent

Georgia Tech must obtain consent before it collects or processes special categories of sensitive personal data.

2.4 Individual Rights

Individual data subjects covered by this policy will be afforded the following rights:

  1. information about the controller collecting the data
  2. the data protection officer contact information (if assigned)
  3. the purposes and lawful basis of the data collection/processing
  4. recipients of the personal data
  5. if Georgia Tech intends to transfer personal data to another country or international organization
  6. the period the personal data will be stored
  7. the existence of the right to access, rectify incorrect data or erase personal data, restrict or object to processing, and the right to data portability
  8. the existence of the right to withdraw consent at any time
  9. the right to lodge a complaint with a supervisory authority (established in the EU)
  10. why the personal data are required, and possible consequences of the failure to provide the data
  11. the existence of automated decision-making, including profiling
  12. if the collected data are going to be further processed for a purpose other than that for which it was collected

Note: Exercising of these rights is a guarantee to be afforded a process and not the guarantee of an outcome.

Scope

This policy applies to the personal data and special categories of sensitive personal data protected by the EU GDPR and all Georgia Tech Units who collect or process personal data and special categories of sensitive personal data protected by the EU GDPR.


Definitions:

Collect or Process Data

Collection, storage, recording, organizing, structuring, adaptation or alteration, consultation, use, retrieval, disclosure by transmission/dissemination or otherwise making data available, alignment or combination, restriction, erasure or destruction of personal data, whether or not by automated means. 

Consent

 

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Under the EU GDPR:

  1. Consent must be a demonstrable, clear affirmative action.
  2. Consent can be withdrawn by the data subject at any time and must be as easy to withdraw consent as it is to give consent.
  3. Consent cannot be silence, a pre-ticked box or inaction.
  4. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
  5. Request for consent must be presented clearly and in plain language.
  6. Maintain a record regarding how and when consent was given.

Controller

 

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Georgia Tech Unit

A Georgia Tech college, school, office or department.

Identified or Identifiable Person

 

An identified or identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that person.

Examples of identifiers include but are not limited to: name, photo, email address, identification number such as GT ID#, GT Account (User ID), physical address or other location data, IP address or other online identifier

Lawful Basis

 

Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:

  1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. Processing is necessary for compliance with a legal obligation to which the controller is subject; 
  4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

Legitimate Interest

 

Processing of personal data is lawful if such processing is necessary for the legitimate business purposes of the data controller/processor, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Personal Data

Any information relating to an identified or identifiable person (the data subject). 

Processor

 

A natural or legal person, public authority, agency or other body who processes personal data on behalf of the controller.

Special Categories of Sensitive Personal Data

Special categories of sensitive personal data that require consent by the data subject before collecting or processing are:

  1. Racial or ethnic origin
  2. Political opinions
  3. Religious or philosophical beliefs
  4. Trade union membership
  5. Genetic, biometric data for the purposes of uniquely identifying a natural person
  6. Health data
  7. Data concerning a person’s sex life or sexual orientation
Procedures
5.1 Data Governance

Document Lawful Basis for Collection or Processing

All Georgia Tech Units who collect or process personal data protected by the EU GDPR must document the lawful basis for the collection or processing of personal data and special categories of sensitive personal data they collect or process, why they collect it, and how long they keep it using the online Georgia Tech EU GDPR Lawful Basis Form: http://eugdpr.gatech.edu/georgia-tech-compliance     

All data at Georgia Tech shall be kept in compliance with the USG-BOR Records Retention Schedules.

5.2.  Privacy Notice

Georgia Tech’s Privacy Notice

Georgia Tech’s Privacy Notice to data subjects must specify the lawful basis for Georgia Tech to collect or process personal data and include:

  1. whether their personal data are being collected or processed and for what purpose
  2. categories of personal data concerned
  3. to whom personal data is disclosed
  4. storage period (records retention period)
  5. existence of individual rights to rectify incorrect data, erase, restrict or object to processing
  6. how to lodge a complaint
  7. the source of the personal data (if not collected from the data subject)
  8. the existence of automated decision-making, including profiling

A link to the Georgia Tech Privacy Notice is available on the footer of all Georgia Tech websites – “Legal & Privacy Information”: http://www.gatech.edu/privacy 

Georgia Tech Units Privacy Notice Each Georgia Tech Unit that collects or processes personal data protected by the EU GDPR must create and publicly post a privacy notice that meets the requirements (a) through (h) set forth above. A link to the Georgia Tech Unit Privacy template is available at: http://eugdpr.gatech.edu/georgia-tech-compliance
5.3 Consent

Documentation of Consent

Georgia Tech Units must obtain affirmative consent before it collects or processes sensitive personal data.

Georgia Tech EU GDPR Model Consent Form
http://eugdpr.gatech.edu/sites/default/files /documents/eu_gdpr_consent_form_for_sensitive_personal_data.docx

Withdrawal of Consent Georgia Tech must have a process for individuals who request to withdraw their consent.
5.4 Individual Rights

Exercise of Rights

Any individual wishing to exercise their rights under this policy should contact: privacy@gatech.edu

5.5 Data Protection

Security of Personal Data

All personal data and special categories of sensitive personal data collected or processed by any Georgia Tech Units under the scope of this policy must comply with the security controls and systems and process requirements and standards of NIST Special Publication 800-171 as set forth in the Georgia Tech Controlled Unclassified Information Policy found here: https://policylibrary.gatech.edu/information-technology/controlled-unclassified-information

Breach Notification

Any Georgia Tech Unit that suspects that a breach or disclosure of personal data has occurred must immediately notify Georgia Tech Cyber Security here: https://security.gatech.edu/report-incident

Responsibilities

8.1 Responsible Party:

Georgia Tech Units:
To document the lawful basis for personal data or special categories of sensitive personal data collected or processed pursuant to this policy.

To cooperate with the Privacy Program within the Office of Ethics and Compliance when individuals inquire about their personal data or special categories of sensitive personal data collected or processed pursuant to this policy (See Section 2.3).

To immediately notify (24/7) and cooperate with Georgia Tech Cyber Security relating to any data breach: https://security.gatech.edu/report-incident

8.2 Responsible Party:

Privacy Program within the Office of Ethics and Compliance:
To field inquiries about personal data or special categories of sensitive personal data collected from individuals while in the EU (See Section 2.4).

To coordinate with Georgia Tech Units responding to inquiries about personal data or special categories of sensitive personal data collected from individuals while in the EU.

8.3 Responsible Party:

Cyber Security:
To answer questions about and review data security measures.

To handle data breach notification for the Institute.

Enforcement

Violations of the policy may result in loss of system, network, and data access privileges, administrative sanctions (up to and including termination or expulsion) as outlined in applicable Georgia Tech disciplinary procedures, as well as personal civil and/or criminal liability.

To report suspected instances of noncompliance with this policy, please contact: privacy@gatech.edu, or visit Georgia Tech’s EthicsPoint, a secure and confidential reporting system, at: https://secure.ethicspoint.com/domain/en/report_custom.asp?clientid=7508

Enforcement of the EU GDPR shall be carried out by the appropriate Data Protection Authority within the European Union.

Policy History
Revision Date Author Description
01-25-2022 Office of Ethics and Compliance Editorial Updates
05-03-2018 Institutional Research & Enterprise Data Management New Policy

 

Export Issues and International Travel

Export Issues and International Travel jgastley3

For information about Export Issues and International Travel, please see:

 

Intellectual Property and Copyright

Intellectual Property and Copyright jgastley3

Minors on Campus

Minors on Campus agarton3

For additional information regarding Minors on Campus, please see the Youth Programs website here.

Open Records Act Policy

Open Records Act Policy
Type of Policy
Administrative
jgastley3
Effective Date
Last Revised
Review Date
Policy Owner
Institute Communications
Contact Name
Jamila Hudson-Allen
Contact Title
Open Records Officer
Contact Email
openrecords@gatech.edu
Reason for Policy

As a public institution, Georgia Tech is subject to the Open Records Act, O.C.G.A. § 50-18-70 et seq. The law requires that Georgia Tech make available for public inspection public documents within three business days of receiving a request. The purpose of this policy and its procedures is to ensure compliance with the law.

Policy Statement

Georgia Tech must respond to Open Records Act requests as required by the Open Records Act, O.C.G.A. § 50-18-70 et seq. (the “ORA”). With limited exceptions, Georgia Tech must respond to such requests within three business days. In response to an ORA request, Georgia Tech will allow the requester to view public documents and, for a fee, make copies.

Institute Communications (IC) has been designated by the President of Georgia Tech as the office responsible for responding to ORA requests on behalf of the custodian of the records. Departments and school, as custodians of Georgia Tech’s records, must work in cooperation with IC to ensure Georgia Tech’s compliance with the ORA. The custodian of the records remains responsible for compliance with the ORA and for any civil or criminal penalties imposed for failure to comply.

Departments, schools, faculty or staff who receive an ORA request from any person, or an ORA inquiry from IC, shall respond promptly, following the procedures in this policy.

Scope

This Policy applies to all Georgia Tech departments, schools, faculty, and staff.

Policy Terms

Public Records
All documents or other records (including video, audio, or electronic records) prepared or maintained by Georgia Tech, as well as documents prepared or maintained by its employees as part of their job responsibilities, are subject to the ORA. For example, employee notes of official University business (e.g., notes of meetings) are public, not personal, documents. The ORA includes “computer based or generated information” within the definition of a “public record.” This includes, for example, e-mail and logs kept on a server.

Custodian
The person responsible for maintaining the records in the ordinary course of business.

Responsibilities

Institute Communications
IC has been designated by the President of the Institute as the office responsible for responding to ORA requests.

Georgia Tech Departments and Schools
Georgia Tech departments and schools are responsible for maintaining their own records and for collecting and preparing requested documents in response to an ORA request.

Enforcement

Any person who knowingly and willfully fails to respond to a written ORA request may be found guilty of a misdemeanor criminal act, and fined up to $1,000 for the first violation. Additional civil and criminal penalties may also be imposed.

Violation of this Georgia Tech policy may result in disciplinary action, up to and including termination of employment.

Policy History
Revision Date Author Description
04-17-2012 Office of Legal Affairs Update per change in ORA law.
10-12-2012 Office of Legal Affairs Established a formal written policy.
6-16-2020 Institute Communications Updated Policy Owner and references.

 

Personal Information Privacy Policy

Personal Information Privacy Policy
Type of Policy
Administrative
kcross8
Effective Date
Review Date
Policy Owner
Ethics, Compliance & Legal Affairs
Contact Name
Tarryn T. Brennon
Contact Title
Chief Privacy Officer
Contact Email
tarryn.brennon@gatech.edu
Reason for Policy

This Personal Information Privacy Policy supports the mission and vision of the privacy program to further innovation and legitimate business needs while balancing the privacy of the individuals who entrust their personal data to Georgia Tech. It also supports compliance with University System of Georgia ("USG”) requirements.

Policy Statement

Individuals with access to Georgia Tech’s personal data assets are responsible for ensuring such information is collected, maintained, and used by Georgia Tech only for purposes that are relevant and necessary to perform the job or task that reasonably serves a legitimate Georgia Tech function. Such collection, maintenance and use must also comply with applicable laws and regulations, Georgia Tech policies, and USG requirements governing privacy of information.

Management and Access to PII
Individuals with responsibility for Records containing Personally Identifiable Information (PII) should only Process or seek to access such PII as appropriate in the performance of their assigned role or duties for Georgia Tech and in accordance with all applicable laws and regulations, Georgia Tech policies, and USG requirements. Access to PII as part of an individual’s assigned responsibilities or role does not constitute authority to release such information to other employees, students, parents or guardians, or third parties.

Both units and individuals are responsible for protecting PII against accidental or intentional misuse or improper disclosure or exposure within or outside of Georgia Tech. For more information concerning safeguarding Institute Records and PII, see the Cyber Security Policy, the Protected Data Practices resource, and the Security Procedures and Standards resource. Concerns regarding the security and safeguarding of PII can be reported to the Georgia Tech Cyber Security Teamhttps://security.gatech.edu/report-incident.

Georgia Tech shall not use social security numbers, driver’s license numbers, passport numbers or other governmental-issued numbers or designations as an official Institute personal identifier unless required by applicable law or reviewed and approved by the Risk Panel.

Processing PII

Individuals with responsibility for Processing PII must be able to identify and articulate the following:

  • whose PII is being Processed (what group or population of individuals)
  • why the PII is being Processed (the purpose(s) or business need for the Processing),
  • how that Processing will take place (the Processing activity),
  • and who has access to the PII being Processed.

This includes Processing within Georgia Tech as well as external to Georgia Tech (third parties such as vendors and contractors).

Where appropriate and practicable, persons Processing PII should implement the principle of Data Minimization, and if possible, Disassociate and De-identify datasets that include PII.

Scope

This policy applies to all parties, both internal and external to Georgia Tech, that are Processing Administrative Data that contains PII generated or collected by Georgia Tech.

Policy Terms

Administrative Data
Administrative data includes Organizational Data that is administratively or operationally generated, owned or managed, by or on behalf of, Georgia Tech.

Examples of Administrative Data include, but are not limited to, data about students or employees, finance, facilities, technology, student life, Campus Services and Professional Education.

It also includes Administrative Data about research (such as financial components of research and grants and contracts details), as well as research of Administrative Data (such as research on student success, work force demographics, campus network traffic and facilities data.)

Data Breach
The unauthorized acquisition or exposure of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the entity that is collecting data for a legitimate business purpose—so long as the personal information is not used for a purpose unrelated to the entity’s business or is subject to further unauthorized disclosure.

Data Subject
Any person whose PII is being Processed.

De-Identify
The method used to prevent a Data Subject’s personal identity from being revealed. For example, data produced during human subject research might be de-identified to preserve privacy for research participants.

Organizational Data
As defined in the Data Governance and Management Policy, Organizational Data is “Data generated, owned, or managed, by or on behalf of, Georgia Tech including all data to which Georgia Tech has been granted stewardship by third parties. Organizational Data record facts, statistics, or information, which is read, created, collected, used, updated, reported, shared, stored, transferred, or deleted by Georgia Tech units. Data may be in any form, including electronic or physical. Organizational Data may reside in an Information System hosted by Georgia Tech or a third party.*

Personally Identifiable Information (PII)
Any information about an individual that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name or biometric records; and any other information that is linkable to an individual, such as medical, educational, financial and employment information.

Process or Processing
Data life cycle operations, including, but not limited to, collection, creation, sharing, dissemination, transmission, storage, use, retention and disposal.

Record
Record is defined by USG.

Risk Panel
A group of Georgia Tech stakeholders, from areas including but not limited to privacy, cyber security, data governance, and enterprise risk management, that will gather to review the risk associated with Processing Administrative Data, on an asneeded basis.

Security Incident
A security incident is an event, as determined by Georgia Tech Cyber Security, that violates an applicable law or Institute policy including the violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. An incident could also be established based on the potential for harm to the confidentiality, integrity, or availability of Georgia Tech IT resources.

Procedures

Report an Incident
If an individual believes a Security Incident or a Data Breach of PII has occurred, the individual should report the suspicion immediately to the Georgia Tech Cyber Security Team at https://security.gatech.edu/report-incident. Incidents relating to individuals can also be reported to the Ethics Hotline.

GDPR Data Subject Requests
Any individual wishing to exercise their rights under the EU GDPR should visit the EU GDPR website for more information and additional instructions.

Institute Personal Identifier Requests
If an individual wishes to utilize social security numbers, driver’s license numbers, passport numbers or other governmentalissued number or designation as an official Institute personal identifier, the individual must receive approval from the Risk Panel. All requests should be sent to privacy@gatech.edu.

Responsibilities

Senior Privacy Officer
The Senior Privacy Officer oversees and manages the Georgia Tech Privacy Program. The Georgia Tech Privacy Program monitors, helps to verify compliance with, and provides guidance on privacy laws and regulations. It also provides oversight and maintenance of any privacy policies, procedures, training and awareness, or engagement activities.

Data Management Committee
The Data Management Committee (“DMC”) is a sub-committee of the broader Data Governance Committee. It is comprised of a selection of Georgia Tech leaders (including faculty, staff, and student representatives) and is responsible for recommending and advising on various matters including privacy related policy and procedures and providing guidance and support for Institutional privacy efforts.

Units
Units include various departments, offices, colleges/schools, and other groups across Georgia Tech that Process PII. Each unit should abide by the terms of this policy in how it Processes that PII. This includes taking into consideration which unit members should have access to the PII based on their role and regularly checking and removing access provisions as necessary. Units should also consider whether the PII being Processed requires any additional training or knowledge about a specific privacy law, regulation, or policy. Examples might include FERPA, HIPAA, or GDPR.

Employees Processing PII
Employees may need to Process PII in their assigned role at Georgia Tech. All employees should abide by the terms of this policy in how they Process that PII. Employees should have access only to the PII needed to accomplish the duties within their assigned role and should complete any additional training necessary to properly Process the PII.

Enforcement

Georgia Tech, the University System of Georgia, the state of Georgia, the federal government, or another regulatory agency may periodically audit compliance with this policy. To report suspected instances of noncompliance with this policy, please contact the Privacy Program at: privacy@gatech.edu.

Presidential Signature Authority

Presidential Signature Authority
Type of Policy
Administrative
s1polics
Effective Date
Last Revised
Review Date
Policy Owner
Office of the General Counsel
Contact Name
Susann Estroff
Contact Title
Assistant Chief Counsel
Contact Email
susann.estroff@legal.gatech.edu
Reason for Policy

The Board of Regents of the University System of Georgia (BOR) has delegated authority to the president of each system institution or their designee to execute certain types of agreements. This policy articulates requirements for Presidential designation of signature authority at the Georgia Institute of Technology (Georgia Tech or the Institute).

Policy Statement

The President of the Institute may designate officials of the Institute to execute Agreements in the name of The Board of Regents of the University System of Georgia by and on behalf of the Georgia Institute of Technology. This designation by the President can be accomplished only by a written delegation of authority. Such delegation of signature authority by the President shall apply only to the incumbent (or interim) in the position named in the written delegation, or in any successor title to the named position.

Unless authority is expressly delegated by the President, an individual does not have authority to bind the Institute. The President of the Institute may periodically issue a memorandum or other writing to confirm the conditions under which other officials of the Institute have been authorized to enter in to binding contracts on behalf of the Institute. A Delegation of Presidential Authority Memorandum will supersede and replace all prior delegations.

The official exercising the delegated signature authority is authorized to execute only those Agreements that are specified in the written delegation. All such agreements must first be reviewed by the Office of the General Counsel (OGC) prior to signature unless the OGC has created a template document for the signatory's use.

An official may not further delegate their delegated signature authority.

This policy does not address Purchasing Agreements which will be reviewed, approved, and executed by Georgia Tech Purchasing.

Scope

This policy applies to all employees of the Institute and applies to the execution of Agreements as specified in the written delegation.

Policy Terms
Agreements Those agreements described in the BOR policies (see Related Information below). The term includes any document entered into on behalf of the Institute in which the parties make legally enforceable commitments, whether or not titled a contract or agreement. Terms used to describe an Agreement may include letter of agreement, proprietary information agreement or non-disclosure agreement, license agreement, consortium agreement, operating agreement, or equipment loan.  Agreements shall also be used in this policy to refer to memorandums of understanding, memorandums of intent, and letters of intent, which are typically non-binding.
Purchasing Agreements Agreements for the purchase of supplies, materials, equipment and certain contractual services.  Authority to commit Institute funds for these purposes has been delegated to Georgia Tech Procurement within the limits established by the State Department of Administrative Services.  See GT Procurement Of Good and Services Policy.

 

Responsibilities

Delegated Official

An individual who has delegated signature authority pursuant to the Delegation of Presidential Authority Memorandum shall sign only those Agreements within their delegated authority.

Employees

An employee who does not have delegated signature authority shall not sign any Agreements that are intended to bind the Institute or any unit or department of the Institute. Such employees shall route Agreements to the parties identified in the Delegation of Presidential Authority Memorandum.

Office of the General Counsel

The OGC shall review and initial Agreements that are specified in the written delegations of signature authority.  All such agreements must be reviewed by the OGC prior to signature unless the OGC has created a template document for the signatory’s use. The OGC may also assist in determining who is authorized to sign a specific Agreement.

 

Enforcement

Violation of this policy may result in disciplinary action up to an including termination of employment. Individuals who sign without authority may incur personal liability for any contracts or other agreements that they sign.

Policy History
Revision Date Author Description
 07-18-2011 Legal Affairs & Risk Management New Institute Policy
 09-25-2012 Legal Affairs & Risk Management Policy statement edited to limit scope to Presidential signature authority
 11-23-2015 Legal Affairs & Risk Management Updated policy
4-22-2024 Office of the General Counsel Editorial Updates

 

Security Camera Use

Security Camera Use
Type of Policy
Administrative
s1polics
Effective Date
Last Revised
Review Date
Policy Owner
Security and Police
Contact Name
Jeffrey Hunnicutt
Contact Title
Physical Security Specialist
Contact Email
jeff.hunnicutt@police.gatech.edu
Reason for Policy

Video Management Systems (hereafter, “VMS”) and video surveillance devices are necessary to deter, detect and prosecute wrong-doing on the Georgia Tech Campus.  This policy is necessary to ensure the effective, efficient, ethical, and legal use of the Institute’s VMS and video surveillance devices in: protecting sensitive or classified information; protecting Georgia Tech and personal resources; and identifying those responsible for committing criminal acts, safeguarding video evidence, and pursuing prosecution in accordance with the U.S. Constitution, United States Federal law, Georgia State law,  City of Atlanta municipal ordinances, and Board of Regents and Institute policy.

Policy Statement

The Institute’s employees, contractors, representatives, and others having responsibility for installing, maintaining, having access to, having the capability of viewing, or otherwise having the ability to utilize VMS and video surveillance devices associated with any real property owned, leased or occupied by the Institute, or any entity with a Georgia Tech affiliation, shall utilize said video surveillance devices in a manner consistent with the U.S. Constitution, United States Federal law, Georgia State law, City of Atlanta municipal ordinances, Georgia Tech Police Department’s (hereafter “GTPD”) “Video Surveillance” policy, and Institute “Ethics” policy.

Installation of any video surveillance devices shall be coordinated with either GTPD’s Physical Security Specialist or the Georgia Tech Research Institute’s (hereafter “GTRI) Research Security Department in order to ensure video surveillance devices are not placed or positioned in such a way as to compromise a person’s expectation of privacy.  No one is authorized to install security controls, to include video surveillance devices, web cams or other intrusive electronic devices used for surveillance, without the proper coordination with either the GTPD or GTRI Research Security Department.

The installation and monitoring of all such video surveillance devices shall be solely for the legitimate purposes of protecting human life, personal property, and the Institute’s interests and assets.

Recorded images shall not be made public, nor shall recorded images be released to, provided to, or otherwise made accessible to, any person, party or entity inside or outside of the Institute, without the Institute’s express permission, or as required by law.

All requests to obtain recorded images must be submitted through the Georgia Tech Police Department Records Division.

Scope

This policy applies to all Institute Building Managers, Security Contractors, Security Equipment Installers, GTPD Employees, GTRI Employees, and all others with the capability of accessing, viewing or utilizing live or recorded images associated with the video surveillance devices on any Institute VMS.

Definitions:

Institute

The Georgia Institute of Technology

Video Surveillance Device

Any device capable of viewing, transmitting and/or capturing still or streaming video images, whether or not associated with monitoring or recording devices.

Video Management System

Also referred to as “VMS” - is any electronic system capable of receiving, displaying, capturing, and/or recording images transmitted by cameras, whether across a network or within a closed circuit.

Procedures

5.1 Requests for Video

Internal Requests for Video Footage

Submit an email request to the Georgia Tech Police Department’s Records Division.

openrecords@police.gatech.edu

5.2 Installation of New Cameras

New Construction & Building Renovations

http://gtlowvoltagestandards.gatech.edu/node/123

Adding Cameras to Existing VMS

Reference GTPD Video Surveillance System Policy 7-05c, 4.1

New VMS Installation Not Related to Construction or Building Renovation

 

Reference GTPD Video Surveillance System Policy 7-05c, 4.1

Responsibilities

Georgia Tech Police Department
The GTPD’s employees, as defined by the GTPD Video Surveillance System Policy, will be responsible for the day-to-day operational use, administration, and maintenance of the GTPD’s VMS, to include training, creation of accounts, assignment of user privileges, repair, and maintenance of video surveillance devices.     

Georgia Tech Research Institute
GTRI’s Research Security and Information Systems Department (ISD) will be responsible for the day-to-day administration and maintenance of their VMS, to include training, creation of accounts, assignment of user privileges, repair and maintenance of video surveillance devices, etc. 

Enforcement

Access to Georgia Tech’s VMS and information via Georgia Tech computer systems is limited to those employees and faculty who have a legitimate business reason to access such information. The Institute has policies and procedures in place to complement the physical and technical (IT) safeguards in order to provide security to Georgia Tech information systems.

Violations of the policies may result in loss of usage privileges, administrative sanctions (including disciplinary action) as outlined in applicable Georgia Tech disciplinary procedures, as well as personal civil and/or criminal liability.

 

To report suspected instances of noncompliance with this policy, please contact GTPD or visit Georgia Tech’s EthicsPoint, a secure and confidential reporting system, at: https://secure.ethicspoint.com/domain/en/report_custom.asp?clientid=7508

Policy History
Revision Date Author Description
April 2018 GTPD, Physical Security New Policy

 

Software Licenses

Software Licenses jgastley3

For information about Software Licensing, please see: