BIOMETRIC IMPRESSIONS CORPORATION’S
BIOMETRIC INFORMATION RETENTION POLICY
I. LEGAL AUTHORITY
BioMetric Impressions Corporation’s acquisition, preservation and exchange of fingerprints is authorized under 28 U.S.C. 534, et seq. BioMetric Impressions Corporation’s retention policy is further governed in part by 740 ILCS 14/1, et seq. commonly known as the Illinois Biometric Information Privacy Act* (“BIPA”). Additional regulations and supplemental authorities include Federal statutes, State statutes, including Pub. L. 92-544, Presidential Executive Orders, and State and Federal regulations.
BioMetric Impressions Corporation’s fingerprint vendor license is governed by Section 1240.535(c)(8) of the Illinois Administrative Code (the regulates fingerprint vendors in the State of Illinois (the “Administrative Code”). Section 1240.535(c)(8) states: “A licensed fingerprint vendor must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying identifiers and other biometric information when the initial purpose for collecting or obtaining the identifiers or information has been satisfied or after [three] 3 years from the individual’s last interaction with the licensed fingerprint vendor, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.”
BIPA specifically provides that it does not apply to contractors of State or local governments and this further supports that the authority and regulations referred to above are not intended to restrict a government contractor from retaining records longer than necessary to achieve the intended goal. Therefore, a period of retention greater than the time allowed by BIPA or other authority is warranted and required in certain circumstances.
BIPA provides definitions of the terms contained within this retention policy (the “Policy”), unless otherwise documented within this Policy:
(1) “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.
(2) “Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.
(3) “Confidential and sensitive information” means personal information that can be used to uniquely identify an individual or an individual’s account or property. Examples of confidential and sensitive information include, but are not limited to, a genetic marker, genetic testing information, a unique identifier number to locate an account or property, an account number, a PIN number, a pass code, a driver’s license number, or a social security number.
(4) “Private entity” means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity does not include a State or local government agency. A private entity does not include any court of Illinois, a clerk of the court, or a judge or justice thereof.
(5) “Written release” means informed written consent or, in the context of employment, a release executed by an employee as a condition of employment.
II. RETENTION POLICY
Unless required by BioMetric Impressions Corporation or customer contract, and excused from the statutory authority and regulation referred to above, to maintain fingerprint images for an extended period of time, all identifiers and other biometric information, including fingerprint images will be retained for up to 45 days from the date of receipt, fingerprint capture or card scan date, or the “date last modified”, in the case where the original fingerprint or card scan date was modified. If an error occurs requiring the re-transmission of fingerprint images, the “date last modified” will be modified to extend the retention period an additional 45 days. 45 days is preferred to allow for the resubmission of prints for customers and applicants who either do not receive reports or accidentally misplace reports they have received. The 45-day period is also in the interest of the fingerprinted individual to avoid unnecessary re-prints and associated inconvenience.
When required by customer contract and excused from the statutory authority, or otherwise obligated to retain fingerprint images for a specific or indefinite period of time, BioMetric Impressions Corporation’s computer database is programmed to retain the biometric information as required. Any such retention has been built utilizing the purpose for which the fingerprints were captured, in addition to the government agency’s identification information assigned by the Federal Bureau of Investigation, State Police or Bureau of Identification.
III. DESTRUCTION POLICY
Once the 45-day period or other retention period as prescribed by statute (“Retention Period”) has been reached, a “delete” process is initiated to destroy all protected biometric information. As a consequence, the biometric information will no longer accessible and will be permanently destroyed on the applicable computer backup system. All physical copies of materials containing biometric information are also destroyed on the expiration of the Retention Period.
IV. RETENTION EXCEPTIONS
Absent a valid legal requirement, BioMetric Impressions Corporation will comply with the Policy.
V. THE TEAM
BioMetric Impressions Corporation’s is comprised of a team of licensed fingerprinting professionals who are responsible for overseeing and implementing the Policy.
VI. MISCELLANEOUS QUESTIONS OR REQUESTS
A physical copy of this Policy is available upon request. Questions related to the Policy, including requests for the most recent version of the Policy, should be directed to BioMetric Impressions Corporation:
188 W. Industrial Dr. Suite
214B Elmhurst, IL 60126
Phone: (630) 532-5922