1. PURPOSE
1.1. This Biometric Information and Security Policy (“Policy”) defines Medical Management Professional Services Inc’s and its affiliated entities’ (the “Practice”) policy and procedures for collection, use, safeguarding, storage, retention, and destruction of biometric data.
1.2. MMPS does not collect nor store any employee biometric data. The Practice rents time clock devices from Paychex that collect employee work time and report such information directly to Paychex. Per Paychex’s representation, such devices scan an employee’s fingerprint or iris, but Paychex DOES NOT STORE COPIES OF EMPLOYEE BIOMETRIC DATA. Instead, a Paychex mathematical algorithm creates a unique template per user (one per eye and/or per fingerprint), so employees can be easily recognized at a time clock when using it. The unique template(s) created by Paychex’s mathematical algorithm for each employee are a mathematical representation of employee biometric data not actual biometric data. Paychex has informed us that such templates, cannot be converted/reverse engineered back into an image of the individual’s eye or fingerprint, cannot be used or manipulated to gain any personal information about the individual employee, nor used to identify an employee outside of using the Paychex provided device.
1.3 Paychex collects, stores, and uses templates of biometric data (but not actual biometric data) for the purpose of giving employees secure access to the Practice’ timekeeping systems and to document employees’ (i) clock in/out time(s); (ii) clock in/out location(s); and (iii) attempts/failures/errors in system utilization.
1.4 Paychex will store such templates during the course of an employee’s employment. Upon an employee’s employment termination, we will notify Paychex to request Paychex to expeditiously delete such former employee’s template(s) from the Paychex system which Paychex has notified us it is able to delete.
2. POLICY STATEMENT
2.1. This Policy replaces and supersedes all previous policies related to biometric information. The Practice reserves the right to amend this Policy at any time, without notice. The Practice may expand utilize different service providers or adopt different requirements of employees service its use of biometric data in the future.
2.2. In the event Paychex modifies its policies the Practice will update this Policy.
2.3. A copy of this document can be found in our revised Employee Handbook.
3. DEFINITION OF BIOMETRIC DATA
3.1. Biometric data means personal information stored by the Practice about an individual’s physical characteristics that can be used to identify that person. Biometric data specifically includes fingerprints or iris scan.
3.2. As technology and systems advance, biometric data may also include voiceprints, or scan of hand or face geometry, although Paychex devices that the Practice utilizes do not current utilize such information.
4. POLICY
4.1. While neither the Practice nor Paychex collect nor store biometric data, the Practice ‘ policy is to require MMPS to demand Paychex to protect and store templates in accordance with applicable standards and laws including, but not limited to, the Illinois Biometric Information Privacy Act.
4.2. This policy contains a consent statement that employees will sign to acknowledge receiving this policy.
4.3. The Practice will not sell, lease, trade, or otherwise profit from a template of an individual’s biometric data. Paychex will not disclose templates of an employee’s biometric data unless (i) required by law or (ii) required by valid legal subpoena.
4.4. Biometric data will be stored using a reasonable standard of care for the Practice’ industry and in a manner that is the same or exceeds the standards used to protect other confidential and sensitive information held by the Practice.
4.5. The Practice may select a time clock device type of its choosing for its employees to use and thereafter change or select a different time clock device.
5. PROCEDURE
5.1. Employees must review and execute this document prior to registering with a Paychex scan device.
5.2. The Practice will not collect nor store any biometric data nor templates of biometric data. The Practice will request Paychex to store, transmit, and protect templates of employee biometric data using the same standard of care and security controls it provides other confidential and sensitive information in its possession. No Practice employee will have direct access to templates of biometric data.
6. CONSENT TO COLLECTION
Your fingerprint and/or iris scan will be utilized by Paychex to create a template which template shall be stored by Paychex for the purpose of verifying your identity for access to the Practice’ timekeeping system. The Practice will not request Paychex to disclose your templates without your consent unless the disclosure is required by law or by valid legal subpoena. Upon an employee’s employment termination, the Practice will request Paychex to permanently and expeditiously delete all templates that Paychex may have pertaining to such former employee.