BIOMETRIC INFORMATION PRIVACY AND SECURITY POLICY

 
Purpose

This Biometric Information Privacy and Security Policy (this “Policy”) describes the procedures used by The Autobarn (the “Company”) and its third-party vendors and licensors to collect, use, safeguard, store, retain, and destroy biometric identifiers and biometric information received by the Company.

The Company uses biometric time clocks at certain work sites through which an employee’s fingerprint is scanned for time and attendance purposes.  The Company currently uses the MXS2111/K01 “Maximus” Biometric Clock AIO as its time and attendance tracking hardware, in conjunction with support from Paycom as its payroll vendor.  Although the Company’s payroll vendor may change in the future, all biometric privacy and security measures set forth in this Policy will remain the same with regard to any subsequent payroll vendor used by the Company.

All employees from whom biometric information is collected by the Company will be required to sign an Employee Consent Form upon hire and as requested thereafter by the Company.

Biometric Data Defined

As used in this Policy, biometric data includes “biometric identifiers” and “biometric information” as defined in the Illinois Biometric Information Privacy Act, 740 ILCS § 14/1, et seq.  “Biometric identifier” means a unique retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.  Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height weight, hair color, or eye color.  Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.

“Biometric information” means any information regardless of how it is captured, converted, stored, or shared based on an individual’s biometric identifier used to identify an individual.  Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.

Purpose for Collection of Biometric Data

The Company and its third-party vendors and licensors collect, store, and use biometric data solely for employee identification, fraud prevention, and tracking of employee time and attendance.  For more information on the biometric timeclock currently used by the Company, please visit:

https://www.accu-time.com/maximus-employee-time-clock-3/

Disclosure

The Company will not disclose or disseminate any biometric data to anyone other than its third-party vendors and licensors who support the Company’s use of the MXS2111/K01 “Maximus” Biometric Clock AIO without first informing employees of the identity of any additional parties to whom biometric data is being provided, and without first obtaining the written consent of employees to any such disclosures.  The Company will also inform employees in writing of the specific purpose and length of time for which the employee biometric data is being collected, stored, and used, as discussed more fully below.  All employees are asked to provide written consent to the collection, storage, and use of biometric data by the Company and any third-party vendors or licensors supporting the Company’s use of the MXS2111/K01 “Maximus” Biometric Clock AIO.

The Company and any third-party vendors or licensors supporting the Company will not sell, lease, trade, or otherwise profit from employees’ biometric data; provided however, that the Company’s third-party vendors and licensors may be paid for products or services used by the Company that utilize such biometric data.

Retention Schedule

The Company and/or its vendors will retain employee biometric data collected pursuant to this  Policy only until the first of the following events has occurred:  (1) the initial purpose for collecting or obtaining the employee’s biometric data has been satisfied; or (2) thirty (30) days have elapsed since the employee’s termination or last interaction with the Company.  The Company will also request its third-party vendors and licensors who support the use of the Company’s biometric timekeeping equipment to destroy biometric data on the same schedule.

This retention schedule will be made publicly available by posting a copy in an area that is accessible to the public at all Company facilities and in proximity to any biometric timekeeping equipment.  Any member of the public may also obtain a copy of this publicly on our website at autobarncars.com.

Data Storage

The Company uses a reasonable standard of care to store, transmit, and protect from disclosure any biometric data collected.  Such storage, transmission, and protection from disclosure is performed in a manner that is the same as or more protective than the manner in which the Company stores, transmits, and protects from disclosure other confidential and sensitive information, including personal information that can be used to uniquely identify an individual or an individual’s account or property, such as genetic markers, genetic testing information, account numbers, PINs, driver’s license numbers, and social security numbers.  Additional safeguards include firewalls, physical and digital security barriers, encryption, access restrictions, password authorization, system logging, and file backup.