Q&A: Fingerprint Security

Written by Judy Vasek Sitton, CRM, FAI on December 7, 2018. Posted in Data Governance, Information Governance, Information Security (Information Protection), Privacy, Retention.

Question:

With fingerprint security technology now used in so many businesses for secured door access, what category does it fall under (e.g., personally identifiable information)? How is the data deleted upon employee termination?

Answer:

Fingerprint information falls under a type of record referred to as biometrics. These questions bring up several facets of biometric recordkeeping: use, retention, and governance.

Biometric Information Uses

In addition to being used for secured door access, fingerprints are used routinely in the workplace for timeclock applications and to purchase items from vending machines and kiosks in employee break areas. You may have also seen iris recognition and face recognition applications used for banking and for security applications, such as for logging into an iPhone, including a work-owned iPhone. As the use of biometrics is becoming commonplace, the laws that regulate them are growing and changing.

Biometric Information Retention

Retention times for biometric identifiers are usually stated in “keep-no-longer-than” verbiage. The purpose for which the biometrics were collected dictates the maximum amount of time they may be retained. Seldom does an organization have the luxury of waiting until an employee is terminated before it must address their biometric information’s disposition. Specific retention/destruction times are based on regulations, the jurisdiction, and their type, and these can vary from law to law – and even within the same law.

Biometric Information Governance

By their nature, biometric identifiers are personally identifiable information (PII) and, under some laws, they are considered sensitive PII. They fall under the Principle of Protection under the Generally Accepted Recordkeeping Principles®. Records destruction requirements for biometrics are generally equal to the destruction requirements for sensitive, confidential, or personally identifiable information.

Two types of laws affect the use of biometric information:

Laws that specifically address the use of biometric identifiers
Broad privacy and security laws that include biometric information in their definition of personal information

Biometric laws mandate how data is to be collected, stored, retained, used, and destroyed. (See sidebar “Biometric Protection Laws.”) Because new laws are emerging, it is important to remain vigilant to address changing requirements after your policy is set.

-Judy Vasek Sitton, CRM, FAI

Editor’s note: Read much more about governing biometric information in Judy Vasek Sitton’s article, “Understanding Biometrics’ IG Obligations,” in the May/June 2018 issue of Information Management.

Biometric Protection Laws

Two types of laws affect the governance of biometric information. Below are examples of each.

Specific Biometric Laws

These three U.S. laws specifically address the use of biometric identifiers:

Illinois 740 ILCS 14 Biometric Information Privacy Act (BIPA), enacted in 2008
Texas Business and Commerce Code – BUS & COM § 503.001, Capture or Use of Biometric Identifier, enacted in 2009
Washington State H.B. 1493 – an act relating to biometric identifiers, and adding a chapter to Title 19 RCW, enacted in 2017

Because Illinois’s BIPA was the first biometric-specific law in the United States, the other state laws tend to follow its requirements, which are as follows:

Requires informed consent prior to collection – in effect, stating why the biometric is being collected and what will be done with it
Prohibits profiting from biometric data – meaning the biometric can’t be sold
Allows only limited right to disclose the biometric information – usually limited to what is mentioned in the informed consent
Mandates protection obligations and retention guidelines (more details below)
Creates a private right of action (possible lawsuit) for individuals harmed by violators of BIPA – if the other criteria in this list aren’t followed

Texas and Washington do not offer a right of action by individuals. Also, Washington-based companies are not required to have opt-in consent in all cases for the collection, use, and disclosure of biometric data. Options for obtaining consent can vary.

Laws That Refer to Biometrics

The following address biometric information within their definitions of personal data:

Maryland Personal Protection Act House Bill 947 – expanded definition of personal information to include biometric data, enacted in 2018
Security breach notification laws within other U.S. state laws
Biometric implications in U.S. federal data breach and data protection laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA)
Biometric implications in the European Union’s General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronics Document Act (PIPEDA), The Australian Privacy Act, Japan’s Act on the Protection of Personal Information (APPI), and Hong Kong’s Personal Data (Privacy) Ordinance
Emerging data protection laws under consideration in other countries

About the Author

Judy Vasek Sitton, CRM, FAI

Judy Vasek Sitton, CRM, FAI, is senior information governance analyst for Kinder Morgan, Inc. in Houston, Texas, and co-author of the 2014 ARMA- published book Managing Active Business Records. Having been a practitioner and consultant in records and information governance for 40 years, she is a recognized leader in the profession. She is a Certified Records Manager and Fellow of ARMA International. Sitton can be contacted at Judy_Sitton@kindermorgan.com.

Latest articles

Author Archives

Data Governance2018.12.07Q&A: Fingerprint Security