ARMA Magazine

Q&A: Fingerprint Security

Question:

With fingerprint security technology now used in so many businesses for secured door access, what category does it fall under (e.g., personally identifiable information)? How is the data deleted upon employee termination?

Answer:

Fingerprint information falls under a type of record referred to as biometrics. These questions bring up several facets of biometric recordkeeping: use, retention, and governance.

Biometric Information Uses

In addition to being used for secured door access, fingerprints are used routinely in the workplace for timeclock applications and to purchase items from vending machines and kiosks in employee break areas. You may have also seen iris recognition and face recognition applications used for banking and for security applications, such as for logging into an iPhone, including a work-owned iPhone. As the use of biometrics is becoming commonplace, the laws that regulate them are growing and changing.

Biometric Information Retention

Retention times for biometric identifiers are usually stated in “keep-no-longer-than” verbiage. The purpose for which the biometrics were collected dictates the maximum amount of time they may be retained. Seldom does an organization have the luxury of waiting until an employee is terminated before it must address their biometric information’s Specific retention/destruction times are based on regulations, the jurisdiction, and their type, and these can vary from law to law – and even within the same law.

Biometric Information Governance

By their nature, biometric identifiers are personally identifiable information (PII) and, under some laws, they are considered sensitive PII. They fall under the Principle of Protection under the Generally Accepted Recordkeeping Principles®. Records destruction requirements for biometrics are generally equal to the destruction requirements for sensitive, confidential, or personally identifiable information.

Two types of laws affect the use of biometric information:

Biometric laws mandate how data is to be collected, stored, retained, used, and destroyed. (See sidebar “Biometric Protection Laws.”) Because new laws are emerging, it is important to remain vigilant to address changing requirements after your policy is set.

-Judy Vasek Sitton, CRM, FAI

Editor’s note: Read much more about governing biometric information in Judy Vasek Sitton’s article, “Understanding Biometrics’ IG Obligations,” in the May/June 2018 issue of Information Management.


Biometric Protection Laws

Two types of laws affect the governance of biometric information. Below are examples of each.

Specific Biometric Laws

These three U.S. laws specifically address the use of biometric identifiers:

  1. Illinois 740 ILCS 14 Biometric Information Privacy Act (BIPA), enacted in 2008
  2. Texas Business and Commerce Code – BUS & COM § 503.001, Capture or Use of Biometric Identifier, enacted in 2009
  3. Washington State H.B. 1493 – an act relating to biometric identifiers, and adding a chapter to Title 19 RCW, enacted in 2017

Because Illinois’s BIPA was the first biometric-specific law in the United States, the other state laws tend to follow its requirements, which are as follows:

Texas and Washington do not offer a right of action by individuals. Also, Washington-based companies are not required to have opt-in consent in all cases for the collection, use, and disclosure of biometric data. Options for obtaining consent can vary.

Laws That Refer to Biometrics

The following address biometric information within their definitions of personal data:

Author

  • Judy Vasek Sitton, CRM, FAI, is senior information governance analyst for Kinder Morgan, Inc. in Houston, Texas, and co-author of the 2014 ARMA-published book Managing Active Business Records. Having been a practitioner and consultant in records and information governance for 40 years, she is a recognized leader in the profession. She is a Certified Records Manager and Fellow of ARMA International. Sitton can be contacted at Judy_Sitton@kindermorgan.com.
