Illinois Biometric Information Privacy Act (BIPA)
ETimer Face Attendance App (com.etimer.facedetector)
The Illinois Biometric Information Privacy Act ("BIPA") aims to "regulate the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information". If your organization operates in Illinois or has employees who are residents of Illinois, you need to comply with BIPA. You can read the full text of BIPA in the Illinois Compiled Statutes.
ETimer Face App is committed to privacy and provides you with extensive capabilities in the ETimer Face App and Dashboard (collectively the "ETimer Face Service") to help you comply with BIPA. However, it is important to note that if your organization uses the ETimer Face Service you cannot rely on the capabilities of the ETimer Face Service alone. You must ensure you configure and use the ETimer Face Service appropriately to comply with BIPA and that you comply with the non-system requirements of BIPA. For example, you should update your employment agreements to cover the use of biometrics, ensure your premises and devices are physically secured, and update your own public privacy policy to cover the use of biometrics. Given the importance of privacy, you should obtain your own professional legal advice to ensure you are fully compliant.
The sections below detail the requirements of BIPA and explain how ETimer Face provides you with capabilities in the ETimer Face Service to help you comply with each of them.
Collection and Consent
Requirements
BIPA requires that: "No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:
- Informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
- Informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
- Receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative."
Compliance
The ETimer Face Service displays a written privacy statement which informs subjects that biometric data will be collected (before it is collected), the specific usage of the biometric data, and the length of term for which the biometric data will be stored.
If the privacy statement is accepted, the ETimer Face Service captures the subject's photo and extracts their biometric data. If the privacy statement is not accepted, no photo is captured and the subject can still use the ETimer Face Service by identifying themselves manually using non-biometric methods (e.g. passcodes).
The date and time each subject accepts the privacy statement is recorded and can be viewed through the ETimer Face Service.
Retention and Destruction
Requirements
BIPA requires that: "A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first."
Compliance
ETimer Face has a written privacy policy, made available on our public Web site (ETimer Face Privacy Policy), which covers the retention and destruction of data, including biometrics data.
In particular, the ETimer Face Service automatically destroys a subject's biometric data whenever either:
- The subject's record is removed from the ETimer Face Service (e.g. when the employer / employee relationship is terminated).
- The subject's consent to the use of their biometrics is withdrawn. In this case, the subject can continue to use the ETimer Face Service by identifying themselves manually using non-biometric methods (e.g. passcodes).
No Commercial Use
Requirements
BIPA requires that: "No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information."
Compliance
ETimer Face does NOT sell, lease, trade, or otherwise profit from biometric data.
No Disclosure
Requirements
BIPA requires that: "No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information [unless legally required to]".
Compliance
ETimer Face does NOT disclose, redisclose, or otherwise disseminate biometric data.
Data Protection
Requirements
BIPA requires that: "A private entity in possession of a biometric identifier or biometric information shall:
- Store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and
- Store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information."
Compliance
ETimer Face has designed data protection into the core of the ETimer Face Service. In particular:
- The ETimer Face Service encrypts biometric data both at rest and in transit.
- The ETimer Face Service does not permit the export of biometric data, even by system administrators.