Compliance
Compliance Part 1
IKVO is in Strict Adherence to BIPA: We comply with 740 ILCS 14/ Biometric Information Privacy Act, ensuring the lawful handling of biometric data. This law mandates that private entities in possession of biometric identifiers develop a written policy, publicly available, regarding their practices
Destruction of Biometric Data: As per BIPA, our policy includes the destruction of biometric data either when the initial purpose for collecting the data has been fulfilled or within three years of the individual’s last interaction with us, whichever occurs first.
Data Security and Retention: We implement and maintain reasonable security safeguards as BIPA requires to protect biometric data from unauthorized access and acquisition. Our retention schedule aligns with BIPA’s requirements, ensuring data is not kept longer than necessary for its intended purpose.
Legal Compliance in Data Handling: We verify that our data retention and destruction policies are compliant with BIPA’s data breach notification requirements, protecting against biometric data risks.
Ongoing Policy Review and Updates: Our policies will be regularly reviewed and updated to reflect changes in the law and best practices. This includes regular audits to ensure ongoing compliance with all applicable laws and regulations.
IDFPR Live Scan Fingerprint Provider Agency License #129.489367
Compliance Part 2. IdentifyVerify.Org Retention and Destruction Policy 12/2023
Section 1. Introduction
Section 2. Retention Policy
2.1 Retention
Unless obligated by customer contract or the “FBI CJIS Security Policy” to maintain fingerprint images for a specific period of time, all identifiers and other biometric information, including fingerprint images, will be retained for up to 90 days from the date of receipt, fingerprint capture, or card scan date, or the “date last modified”, in the case where the original fingerprint or card scan date was modified. Exhibit A (available upon request) is part of this policy and contains an updated list of customer contract categories or names listing retention policies that differ from the above 90 days. Exhibit A will be updated from time to time. If a fatal or non-fatal error occurs requiring the retransmission of fingerprint images, the “date last modified” will be updated, beginning a new 90-day retention period.
When an error results in the need for a new set of fingerprint images to be taken, this creates a new fingerprint inquiry transaction with a new date of fingerprint capture, starting the 90-day retention date from the revised date of fingerprint capture. When obligated by customer contract or the “FBI CJIS Security Policy” to retain fingerprint images for a specific period of time other than 90 days, IVO has electronically programmed its retention database to retain the digital images according to the specific requesting agency’s requirements.
IVO recognizes there may appear to be a conflict between the Regulation and the requirements with respect to certain contracts concerning the retention time frame but believes the intent of the Regulation is not to conflict with governmental contractual requirements and can be reconciled by the fact that the initial purpose of the contractual requirement has not been met and the governmental entity is relying upon the fingerprinting agency for archival of its records. Additionally, the Act specifically provides that it does not apply to contractors of State or local governments and this further supports that the Regulations are not intended to restrict a government contractor from retaining records longer than 3 years. Therefore, a period of retention of greater than 3 years is warranted in certain circumstances.
If IVO is sold or merged, the successor will have control over and access to all identifiers and other biometric information; however, the transaction document will require the successor to comply with the terms of the then-current version of this Policy.
2.2 Retention of Employee Records
Section 3. Permanent Destruction Policy
Section 3.1 Electronic Documents
All identifiers and other biometric information which are stored electronically are (1) encrypted both in transit and at rest and (2) stored on a local server as well as on Amazon Web Services (AWS) and Amazon Web Services – GovCloud (AWSGovCloud) or similar servers in an encrypted manner so the server provides no access to them. Once the Record Retention Schedule has been met, a secure electronic “delete” function takes place. Immediately after the secure “delete” function takes place, the identifiers and other biometric information are no longer accessible and permanently destroyed on the applicable hard drive as well as any external servers.
In order to protect the privacy, confidentiality, and recoverability of our captured data and in order to comply with the FBI CJIS Security Policy and related requirements, IVO has a policy in place to ensure hard drives are backed up on other hard drives in case there is a hard drive failure. Such hard drives are encrypted and only to be used to restore data that has been lost. Once the archival period for a hard drive has expired, IVO completely erases and overwrites all data stored on each hard drive and then physically destroys the hard drive. IVO hires a certified third party to “shred” such hard drives in order to destroy the physical hardware securely.
Section 3.2 Physical Documents
Section 3.3 Employee Files
Section 4. Exceptions to Policy
Section 5. Roles and Responsibilities
Section 6. Definitions
The terms “identifiers” and “biometric information” are not defined by the Regulation; however, the terms “biometric identifier” and “biometric information” are defined in the Illinois Biometric Information Privacy Act found at 740 ILCS 14/ (the “Act”) and such definitions are applied in this Policy. Accordingly, whenever used within this Policy, unless otherwise clearly documented:
(a) “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.
(b) “Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.
(c) “Identifiers and other biometric information” means biometric identifiers and biometric information.