Biometric Information Policy
Biometric Information Policy
Purpose
The University of Dayton is committed to enhancing the safety of the campus community by integrating best practices for campus safety and security with enhanced technology. Biometric Identifiers are digital representations of immutable and unique anatomical characteristics and, as such, create a lifelong risk should that data be used inappropriately. This policy sets forth the University’s procedures for collection, disclosure, storage, use and destruction of Biometric Information.
Scope
This policy is applicable to all students, faculty, staff, vendors, and visitors, regarding the use of Biometric Information in conjunction with any of the University’s systems or services.
Policy History
Effective Date: April 24, 2023
Approval: April 24, 2023
Policy History:
- Approved in Original Form: April 24, 2023
Maintenance of Policy: CIO, University of Dayton Information Technology (UDit) and Assistant Vice President for Compliance, Environmental Health & Safety, Division of Audit, Risk and Compliance
Definitions
a. “Biometric Identifier” is a fingerprint, voiceprint, retina or iris scan, hand or face geometry scan.
b. “Biometric Information” or “Biometric Data” is information based on a person’s Biometric Identifier that is used to identify that person.
Policy
The University of Dayton uses biometric identification systems to control access to certain campus facilities and to enhance time keeping activities. The University recognizes the sensitivity of Biometric Information, takes seriously its obligations to protect the confidentiality of this data, and sets forth the University’s procedures for collection, disclosure, storage, use and destruction of Biometric Information.
I. Consent
An individual’s Biometric Data will not be collected or otherwise obtained by the University without prior written consent of the individual. The consent form will inform the individual of the reason the Biometric Information is being collected and the length of time the data will be stored.
Guidance on how to withdraw consent may be found in Appendix B of this policy.
II. Disclosure
The University will not disclose or disseminate any Biometric Data to anyone other than its Biometric Identifier collector vendor(s) and/or licensor(s), unless:
a. Disclosure is required by state or federal law or municipal ordinance;
b. Disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction;
c. The disclosed data completes a financial transaction requested or authorized by the employee; or the employee has consented to such disclosure or dissemination.
III. Storage
In circumstances where the University retains Biometric Information, the University will use a reasonable standard of care to store, transmit and protect from disclosure any paper or electronic Biometric Data collected. Storage, transmission, and protection from disclosure shall be performed in a manner that is the same as or more protective than the manner in which the University stores, transmits and protects from disclosure other confidential and sensitive information that is used to uniquely identify an individual.
IV. Retention Schedule
In circumstances where the University retains Biometric Information, the University will permanently destroy an individual’s Biometric Data within fourteen (14) months of when the initial purpose for collecting or obtaining such Biometric Data has been satisfied, such as:
a. The employee’s employment is terminated;
b. The student graduates or otherwise leaves the University;
c. The employee transfers to a position for which the Biometric Data is not used; or
d. The University no longer uses the Biometric Information.
If any University’s vendors and/or licensors require access to Biometric Data in order to fulfill the purpose of collecting such information, the University will request that they follow the above destruction schedule.
Reference Documents
- Appendix A, Sample Biometric Identification Collection Consent Language
- Appendix B, Opt Out Process
Appendix A
Sample Biometric Identification Collection Consent Language
The University of Dayton captures and uses your [fingerprint] data to control access into certain campus facilities or to enhance time-keeping activities through carefully vetted and authorized systems [e.g., CBORD, TimeClock Plus]. Your [fingerprint] data will not be disclosed by the University, except to a Biometric Identifier Collection vendor or licensor, without your consent unless the disclosure is required by law or by valid legal subpoena. If retained, your fingerprint data will be permanently deleted from the University’s systems within fourteen (14) months of when the initial purpose of obtaining such Biometric Information has been satisfied, as provided in the retention schedule set forth in the University’s Biometric Information Policy.
By [signing/clicking] below, you acknowledge you have read the University’s Biometric Information Privacy Policy and consent to the University ’s collection, use, and storage of your [fingerprint] data for the above stated purpose.
Appendix B
Opt Out Process
The University of Dayton uses biometric identification systems to control access to certain campus facilities and to enhance time keeping activities. If you’ve enrolled in one of the University’s two authorized systems [e.g., CBORD, TimeClock Plus] for such purposes, your [fingerprint] data will be permanently deleted by process from the University’s systems within fourteen (14) months of when the initial purpose of obtaining such Biometric Information has been satisfied.
However, if at any time you’d like to withdraw consent, there are a number of ways to do so. You may:
1. Open a ticket at https://udayton.teamdynamix.com/TDClient/1868/Portal/Requests/ServiceDet?ID=27499
2. Initiate a privacy action at https://udayton.edu/arc/compliance/gdpr.php