Biometric Identifier Protection Standard
Standard Number: IT.3.3.2S
Category: Information Privacy
Owner: Information Technology Services
Effective: August 30, 2019
Revision History: None
Review Date: August 28, 2022
Purpose, Scope, and Responsibilities
- Biometric Identifiers are biologically unique to an individual and once compromised, the individual has no recourse, is at heightened risk for Identity Theft, and is likely to withdraw from biometric-facilitated transactions. Therefore, pursuant to the Sensitive Data Policy, the University has designated Biometric Identifiers as Sensitive Data.
- The purpose of this Standard is to ensure the privacy and Security of Biometric Identifiers collected, stored, and/or used at the University for business and administrative purposes.
- This Standard applies to all University employees, students, volunteers, as well as any third-party individuals and entities who are doing work on behalf of the University that generate, have access to, collect, store, or use Biometric Identifiers.
- The Chief Information Officer, in conjunction with the Executive Director of Enterprise Support and Chief Information Security Officer, is responsible for implementing and enforcing this Standard.
- University Data Stewards are responsible for ensuring the Biometric Identifiers for which they are responsible are classified, kept private, and secured appropriately.
- It is the responsibility of Data Users authorized to generate, maintain, and/or access Biometric Identifiers to abide by this Standard. Data Users should avoid collecting, accessing, or sharing Biometric Identifiers whenever possible.
Collection of Biometric Identifiers
- Information Technology Services (“ITS”) must approve all business units to collect Biometric Identifiers prior to collection. Requests must be submitted to the Executive Director of Enterprise Support.
- Biometric Identifiers must not be collected, captured, purchased, received
through trade, or otherwise obtained until:
- The identity of the individual is confirmed by providing a valid University Identification Card;
- The individual, or their legally authorized representative, has been informed in writing that a Biometric Identifier is being collected or stored;
- The individual, or their legally authorized representative, has been informed in writing of the specific purpose and length of term for which a Biometric Identifier is being collected, stored, and used; and,
- The individual, or their legally authorized representative, as executed a written or electronic release of the Biometric Identifier. See Exhibit A.
Storage of Biometric Identifiers
- Data Stewards and Data Users must access, share, store, use, transmit, dispose,
and protect Biometric Identifiers in accordance with the Sensitive Data Protection
Standard and the following requirements:
- Biometric Identifiers must only be retained in an ITS-approved information system;
- Biometric Identifiers must be encrypted while stored or transmitted;
- Access logs must be kept for all information systems that store or transmit Biometric Identifiers; and,
- All data processors must employ proper technical and organizational procedures, such as one-way coding, to keep Biometric Identifiers secure.
- Data Stewards and Data Users must access, share, store, use, transmit, dispose, and protect Biometric Identifiers in accordance with the Sensitive Data Protection Standard and the following requirements:
Disclosure of Biometric Identifiers
- Biometric Identifiers collected must not be sold, leased, traded, or otherwise profited from.
- Biometric Identifiers must not be disclosed, redisclosed, or otherwise disseminated
- The individual of the Biometric Identifier(s) or their legally authorized representative consents to the disclosure or redisclosure;
- The disclosure or redisclosure completes a financial transaction requested or authorized by the individual of the Biometric Identifier(s) or their legally authorized representative;
- The disclosure or redisclosure is required by State or federal law or municipal ordinance; or
- The disclosure is required pursuant to a valid warrant or subpoena.
Secure Deletion of Biometric Identifiers
- Biometric Identifiers must be securely deleted within two (2) years of the last interaction with the Biometric Identifier, or when the initial purpose for collecting or obtaining such identifiers has been satisfied, whichever occurs first.
- Biometric Identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.
- Biometric Identifiers collected for University research purposes are not subject to the requirements identified within this document.
- “Biometric Identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry used to identify an individual.
- “Data Steward” means the University executive officers or their designees who have planning and policy-level responsibilities for data in their functional areas and have management responsibilities for recognized University Information Systems.
- “Identity Theft” means fraud committed or attempted using identifying information of another without authorization.
- "Personally Identifiable Information (PII)” means data that specifically identifies an individual, including, but not limited to: Social Security number, driver’s license number, credit card numbers, bank account information, employee performance or salary information, student grades, disciplinary information, account passwords, Biometric Identifiers or Protected Health information (“PHI”) which is data that identifies health status, provision of health care, or payment for health care that is created or collected and can be linked to a specific individual.
- "Security” means the strategies for managing University Sensitive Data to ensure the confidentiality (the rules that limit access), integrity (the assurance that data will remain uncorrupted), and availability (the assurance that data will continue to be available) of it, including the requirements to collect, store, transmit, and access Sensitive Data.
- “University Identification Card” means a University-issued identification card used for accessing University Services and Facilities. The University Identification Card is referred to as the Mountaineer Card on the Morgantown campus, the Catamount Card on the Keyser Campus, and the WVU Tech ID Card on the Beckley campus.