BIOMETRIC IMPRESSIONS CORP.’S
BIOMETRIC DATA RETENTION AND DESTRUCTION POLICY
1. Introduction
1.1 Background
BioMetric Impressions Corp. is a licensed fingerprint vendor in Illinois. Section 1240.535(c)(8) of the Illinois Administrative Code provides: “A licensed fingerprint vendor must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying identifiers and other biometric information when the initial purpose for collecting or obtaining the identifiers or information has been satisfied or after 3 years from the individual’s last interaction with the licensed fingerprint vendor, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines” (the “Regulation”). This Policy is made pursuant to and in accordance with the Regulation.
1.2 Definitions
The Regulation generally tracks language in the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (the “Act”). The Regulation does not define the terms “identifiers” and “biometric information,” but the Act defines the terms “biometric identifier” and “biometric information.” BioMetric Impressions therefore construes the phrase “identifiers and other biometric information” as it appears in the Regulation to be consistent with the definitions in the Act. Accordingly, whenever used within the Policy, unless otherwise clearly documented:
(1) “Biometric data” means “biometric identifiers” and “biometric information.”
(2) “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.
(3) “Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.
(4) “CMS Contract” means the contract between BIC and CMS titled State of Illinois Contract, Central Management Services Fingerprinting and Photographic ID Services, Number 19-416CMS-BOSS4-P-4770, effective October 26, 2018.
(5) “Government contract” means an agreement between BioMetric Impressions, on the one hand, and any federal, state, or local governmental entity, on the other hand, pursuant to which the government pays BioMetric Impressions for fingerprinting services, including, without limitation, the CMS Contract.
(6) “Identifiers and other biometric information” means biometric identifiers and biometric information.
2. Retention Policy
Unless otherwise obligated by Government contract to maintain fingerprint images for a different period of time, BioMetric Impressions retains identifiers and other biometric information, including fingerprint images, for up to 45 days from the date of receipt, fingerprint capture or card scan date.
If a collection or transmission error results in the need for a new set of fingerprint images to be taken, a new fingerprint inquiry transaction is created with a new date of fingerprint capture, which in turn starts the 45-day retention date from the revised date of fingerprint capture.
When obligated by Government contract to retain fingerprint images for longer than 45 days, BioMetric Impressions programmed its database to retain the digital images to the specified contractual requirements. Such electronic retention relies on the purpose for which the fingerprints were captured. The CMS Contract is an example of a Government contract pursuant to which BioMetric Impressions is obligated to retain fingerprint images for longer than 45 days.
BioMetric Impressions recognizes that the requirements of certain Government contracts may appear to conflict with the Regulation and the retention time frame described above, but it believes the intent of the Regulation is not to conflict with governmental contractual requirements and can be reconciled by the fact that the initial purpose of the contractual requirement has not been met and the governmental entity is relying upon the fingerprinting agency for archival of its records. Additionally, the Act specifically provides that it does not apply to contractors of State or local governments when said contractors are working for a government agency or local unit of government, which is consistent with the conclusion that the Regulation is not intended to restrict a government contractor from retaining records for longer than three years if required to do so by the Government contract. Accordingly, a retention period of more than three years is warranted and permissible in certain circumstances, as specified by the applicable government contract.
3. Permanent Destruction Policy
3.1 Electronic Documents
Upon the expiration of the retention period for given identifiers and other biometric information, BioMetric Impressions securely deletes such identifiers and other biometric information. Through that deletion process, the identifiers and other biometric information are no longer accessible and permanently destroyed on the applicable storage drive and/or server space.
3.2 Physical Documents
Some identifiers and other biometric information may be received in paper form, e.g., fingerprint cards. Those identifiers and other biometric information are converted into an electronic/digital format. Thereafter the physical documents are placed in a file for a period of up to 30 days. On or before such 30 days expires, the physical documents are placed in a secure shred bin.
4. Exceptions to Policy
Absent a valid warrant or subpoena issued by a court of competent jurisdiction or other applicable law or legal requirement, BioMetric Impressions will comply with this Policy.
5. Roles and Responsibilities
BioMetric Impressions has assigned its President to be responsible for overseeing and implementing the Policy.
6. Questions and Copies
This policy shall be available to the public and be provided upon request. Questions related to the Policy, including requests for the most recent version of the Policy, should be directed to:
Attn: President
BioMetric Impressions
188 W. Industrial Dr. Suite 214B
Elmhurst, IL 60126
e-Mail: [email protected]