Biometric Data Policy

 

1. Purpose

American DataBank LLC (“ADB“) performs background screening services for its customers, which include universities, government entities and private companies. ADB obtains, receives, scans into electronic form and/or transmits Biometric Information as described in this Biometric Data Policy (this “Policy“) for the purpose of obtaining criminal history information used to prepare background screening reports. Defined terms used in this Policy have the meaning set forth in Section 8 of this document.

ADB has adopted this Policy to govern its treatment of Biometric Data.  Protecting the confidentiality and integrity of Biometric Data is a critical responsibility that must be taken seriously at all times. Compliance with this Policy is mandatory.

2. Scope

This Policy applies to all ADB employees, agents and representatives who collect, store or transmit fingerprints or other Biometric Data. This Policy applies to all Biometric Data collected, maintained, transmitted, stored, retained, or otherwise used by ADB regardless of the media on which that information is stored.

3. Retention Schedule

In the case of fingerprint data, ADB will permanently destroy an Individual’s fingerprint data within thirty (30) days from the latter of the date that ADB receives an Individual’s fingerprint capture (whether received in electronic form or on hardcopy fingerprint card), or the “date last modified” in the case where the original fingerprint or card scan date was modified. If an error occurs requiring the re-transmission of fingerprint images, the “date last modified” will be updated, beginning a new period for purposes of calculating the retention period.

In the event that an Individual is requested to provide or submit a new set of fingerprint images, in paper or electronic form, due to an error with previously submitted Biometric Data or otherwise, this creates a new fingerprint inquiry transaction and a new date of fingerprinting capture. The date that the new fingerprints are captured or received commences a new thirty (30) day retention period.

In all circumstances where ADB retains Biometric Data (including non-fingerprint data) beyond thirty (30) days, ADB will permanently destroy an Individual’s Biometric Data (i) within three (3) years of collection or (ii) when the initial purpose for collecting or obtaining such identifiers or information has been satisfied, whichever occurs first. Initial purposes for collection end when:

      • Biometric information has been transmitted to an FBI channeling partner for purposes of completing a background screening report; or
      • Any longer period of time is required under the FBI CJIS Security Policy or any other law or regulation governing the retention or deletion of biometric information. 

4. Biometric Data Collection

ADB, its partners and providers collect, store, and use customer or Individual fingerprint information for the purpose of obtaining criminal history information used in preparing a background screening report on the Individual. Before collecting Biometric Data from any Individual, ADB will obtain the Individual’s written consent to the collection.

    1. Electronic Biometric Data. ADB may collect fingerprint information through electronic means. Once the record has been utilized by ADB in the process of researching and preparing a background screening report for an Individual, ADB causes such Biometric Information to be securely deleted within the period called for in the Retention Schedule.
    2. Fingerprint Cards and other hard copy documentation. ADB may also receive the Biometric Information of an Individual in paper form, such as through a fingerprint card. When ADB receives a physical copy of an Individual’s Biometric Information, ADB personnel will make a digital scan of the fingerprint card and transmit the electronic reproduction to an FBI channeler as a part of the process for preparation of a background screening report.

5. Biometric Data Security: Storage and Transfer

Digital Biometric Data Storage

Digital Biometric Data is stored to industry standards (a minimum of 3DES bit encryption is used). Principals of least privilege are adhered to in system design and user provisioning.

Physical Biometric Data Storage

Physical Biometric Data (i.e.: fingerprint cards) is stored to industry standards. Site access is controlled with human security and badge code access. All ingress and egress points are recorded. The site itself is also recorded.

Digital Biometric Data Transfer

Transfer of digital Biometric Data is done to the standards of the Federal Bureau of Investigation’s Criminal Justice Information Services Division (CJIS).

Physical Biometric Data Transfer

Transfer and handling of physical Biometric Data is only done by authorized staff.

  1. Biometric Data Destruction

Destruction of Physical Biometric Data

Biometric data may be provided to the Company in a physical format, including ink-rolled cards. Such physical data will be digitized and then placed in secure storage for up to thirty (30) days. At, or before, the thirty (30) day limit the physical data will be placed into a secure shred bin. A third-party vendor contracted for professional destruction will access the secure shred bin and destroy the physical Biometric Data within thirty (30) days of it being placed there.

A shred certificate is obtained from the third-party vendor.

Destruction of Digital Biometric Data

After a piece of digital Biometric Data has reached the end of the retention period it is deleted. Hard drive encryption and operating system control policies prevent restoration of data that is deleted.

Hard drive encryption and operational system control policies include controls that render the hard drive unusable if it is removed from the device it is assigned to.

Deletion of data is not equivalent to permanent destruction. Therefore, hard drives are permanently destroyed and rendered unrecoverable under the direct supervision of ADB’s Security Officer at the earliest practical point, and no less often than every three years.

 

7. Biometric Data Disclosures

Subject to Individual’s consent, ADB may disclose an Individual’s Biometric Data to its Third Party Service Providers in order to facilitate the provision of background screening reports.

ADB prohibits any further disclosure or re-disclosure of Biometric Data unless:

      • The Individual or the Individual’s legally authorized representative consents to the disclosure;
      • The disclosure is required by applicable law or regulation; or
      • The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

 

8. Definitions

Biometric Data” means collectively all Biometric Identifiers and Biometric Information.

Biometric Identifiers” means:

      • Retina or iris scans.
      • Fingerprints.
      • Voiceprints.
      • Scans of hand or face geometry.

Biometric Identifiers do not include:

  • Writing samples and written signatures.
  • Human biological samples used for valid scientific testing or screening.
  • Demographic data.
  • Tattoo descriptions.
  • Physical descriptions, such as:
    • height;
    • weight;
    • hair color; or
    • eye color.
  • Information captured from a patient in a healthcare setting.
  • Information collected, used, or stored for healthcare treatment, payment, or operations under the Health Insurance Portability and Accountability Act (HIPAA).
  • Donated organs, tissues, or parts as defined by the Illinois Anatomical Gift Act or blood or serum stored in connection with organ transplants.
  • Biological materials regulated under the federal Genetic Information Privacy Act.

Biometric Information” means information, regardless of how it is captured, converted, stored, or shared, that is based on a Biometric Identifier. Biometric Data does not include information derived from items or procedures excluded under the definition of Biometric Identifiers.

“Individual” means a person from whom Biometric Data is collected.

Third Party Service Provider” means a third party working with ADB to handle part of the processing of an Individual’s Biometric Data for the purpose of obtaining criminal history used in preparing a background screening report.

  1. Questions & Requests

American Databank has assigned Jeremy Marcum, Director of Compliance, to be responsible for overseeing and implementing this Policy, including requests for the most recent version or update to the Policy. Questions related to this Policy, including any requests for the most current version, may be directed to:

Attn: Jeremy Marcum
American DataBank
700 17th Street
10th Floor
Denver, CO 80202

Telephone: 303-573-1130

Email: dispute@americandatabank.com