The purpose of this policy is to define LogicGate, Inc.’s (“LogicGate” or the “Company”) policy and procedures for the collection, use, safeguarding, storage, retention, and destruction of biometric data. It is LogicGate’s policy to protect, use and store biometric data in accordance with applicable laws including, but not limited to, the Illinois Biometric Information Privacy Act (“BIPA”). This policy is intended to supplement other LogicGate privacy and data protection policies and only applies to LogicGate employees. In the event of an inconsistency relating to biometric information between the terms of this policy and other LogicGate policies, the terms of this policy will apply to the treatment of such biometric information. LogicGate has instituted the following biometric information privacy policy:
Biometric Data Defined
As used in this policy, biometric data includes “biometric identifiers” and “biometric information” as defined in BIPA, 740 ILCS § 14/1, et seq., or other information covered by applicable laws relating to the privacy or security of biometric information. “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.
“Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.
Purpose for the Company’s Collection of Biometric Data
Certain LogicGate employees have been issued Company devices equipped with an optional biometric user authentication feature that allows an employee to unlock and access his/her device.
To the extent that LogicGate employees choose to enable and utilize the biometric authentication feature of their Company devices, the Company’s devices may collect and use biometric data only for the purpose of authenticating authorized users and granting them secure access to their Company devices.
LogicGate Cannot Access Employees’ Biometric Data
If the biometric authentication feature is utilized by an employee on a Company Device, the employee’s biometric data is stored locally on the specific device and cannot be accessed by LogicGate. For the avoidance of doubt, LogicGate does not have access to employees’ biometric data even when submitted and stored on the Company devices. LogicGate does not store, nor foresee the need to store, the employee’s biometric data.
Biometric Authentication Is Optional
Use of biometric authentication for Company device access is entirely optional. Employees are not required to use the biometric authentication feature as a condition of their employment. Employees may utilize biometric authentication for their Company device as long as the employees provide their written consent pursuant to BIPA.
Collection and Authorization
As of the effective date of this Biometric Information Policy, to the extent that the Company may collect, capture, or otherwise obtain biometric data relating to an employee, the Company will first:
1. Inform the employee in writing that the Company is collecting, capturing, or otherwise obtaining the employee’s biometric data.
2. Inform the employee in writing of the specific purpose and length of time for which the employee’s biometric data is being collected, stored, used, and with whom it will be shared; and,
3. Receive Attachment A signed by the employee (or his or her legally authorized representative) authorizing the Company to collect, store, and use the employee’s biometric data for the specific purposes disclosed by the Company.
The Company will not sell, lease, trade, or otherwise profit from employees’ biometric data; provided, however, that Company device vendor may be paid for products or services used by the Company that may collect and utilize such biometric data.
Disclosure and Authorization
The Company will not disclose, re-disclose, or otherwise disseminate an employee’s biometric data to anyone unless:
1. The employee or the employee’s legally authorized representative consents to such disclosure, re-disclosure, or dissemination;
2. The disclosed data completes a financial transaction requested or authorized by the employee;
3. The disclosure, re-disclosure, or dissemination is required by state or federal law or municipal ordinance; or
4. The disclosure, re-disclosure, or dissemination is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
Retention Schedule
To the extent that the Company must retain employee biometric data, it will do so only until, and will permanently destroy such data when, the first of the following occurs:
1. The initial purpose for collecting or obtaining such biometric data has been satisfied, such as the termination of the employee’s employment with the Company, or the employee moves to a role within the Company for which the biometric data is not used; or
2. Within 3 years of the employee's last interaction with the Company.
Data Storage, Transmission, and Protection
To the extent the Company must store any biometric data collected, the Company will use a reasonable standard of care to do so. Additionally, the Company will use a reasonable standard of care to transmit, and protect from disclosure, any biometric data collected. Such storage, transmission, and protection from disclosure shall be performed in a manner that is the same as, or more protective than, the manner in which the Company stores, transmits and protects from disclosure, other confidential and sensitive information of the Company and its employees.