Biometric Data Defined
As used in this Policy, “biometric data” means “biometric identifiers” and “biometric information” as defined in the Illinois Biometric Information Privacy Act, 740 ILCS § 14/1, et seq. “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.
“Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.
Purpose for Collection of Biometric Data
In order to efficiently and securely track employees’ time records, the Company uses a biometric time and attendance system. The Company, through its vendor(s) and/or the licensor(s) of the Company’s time and attendance systems, will utilize biometric data for the purpose of identifying employees and recording time entries. This biometric data will be collected, stored, and used solely for timekeeping and attendance, employee identification, and fraud prevention purposes. The Company may use third-party time and attendance system vendors to supply it with biometric time and attendance systems. The Company may also rely on biometric time and attendance systems provided by its clients’ time and attendance system vendors.
Biometric time and attendance systems are computer-based systems that scan an employee’s finger or hand for purposes of identification. The computer system extracts unique data points and creates a unique mathematical representation, which is stored and used to verify the employee’s identity; for example, when the employee arrives at or departs from the workplace. The biometric data itself is not recorded or stored, and cannot be regenerated from the digital data.
The Company may expand its use of biometric data in the future. In the event the Company begins collecting biometric data for any additional purpose, the Company will update this Policy.
Disclosure and Authorization Procedures
Prior to collecting, capturing, or otherwise obtaining biometric data relating to an employee, the Company will first:
- Inform the employee in writing that the Company, its vendor(s), and/or the licensor(s) of the Company’s time and attendance systems are collecting, capturing, or otherwise obtaining the employee’s biometric data, and that the Company is providing such biometric data to its vendor(s) and/or the licensor(s) of the Company’s time and attendance systems;
- Inform the employee in writing of the specific purpose and length of time for which the employee’s biometric data is being collected, stored, and used; and
- Obtain a written release executed by the employee (or the employee’s legally authorized representative) authorizing the Company, its vendor(s), and/or the licensor(s) of the Company’s time and attendance systems to collect, store, and use the employee’s biometric data for the specific purposes disclosed by the Company, and for the Company to provide such biometric data to its vendor(s) and/or the licensor(s) of the Company’s time and attendance systems.
The Company, its vendor(s), and/or the licensor(s) of the Company’s time and attendance systems will not sell, lease, trade, or otherwise profit from employees’ biometric data; provided, however, that the Company’s vendor and the licensor(s) of the Company’s time and attendance systems may be paid for products or services used by the Company that utilize such biometric data for time and attendance, employee identification, and fraud prevention purposes. Nor will the Company authorize its timekeeping vendor(s) and/or the licensor(s) of the Company’s time and attendance systems to engage in any such activity.
The Company will not disclose, redisclose, or disseminate any biometric data to anyone other than its vendor(s) and/or the licensor(s) of the Company’s time and attendance systems providing products and services for the Company’s use of biometric data unless:
- The Company first obtains written employee consent to such disclosure, redisclosure, or dissemination;
- The disclosed data completes a financial transaction requested or authorized by the employee;
- Disclosure is required by state or federal law or municipal ordinance; or
- Disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
Except as required by an order from a court of competent jurisdiction, the Company shall retain employee biometric data until, and shall permanently destroy an employee’s biometric data and request that its vendor(s) and the licensor(s) of the Company’s time and attendance systems permanently destroy such data when, the first of the following occurs:
- The initial purpose for collecting or obtaining such biometric data has been satisfied, such as the termination of the employee’s employment with the Company, or the employee moves to a role within the Company for which the biometric data is not used; or
- Within three years of the employee’s last interaction with the Company.
The Company shall use a reasonable standard of care to store, transmit, and protect from disclosure any paper or electronic biometric data collected. Such storage, transmission, and protection from disclosure shall be performed in a manner that is the same as or more protective than the manner in which the Company stores, transmits, and protects from disclosure other confidential and sensitive information, including personal information that can be used to uniquely identify an individual or an individual’s account or property, such as genetic markers, genetic testing information, account numbers, PINs, driver’s license numbers, and Social Security numbers.