Biometric Identifier Protection Standard


Standard Number: 1.11.3.3.2

Responsible Unit: Information Technology Services

Effective Date: November 17, 2022

Revision History: Originally effective August 30, 2019

Next Review Date: November 16, 2025



1. Purpose, Scope, and Responsibilities:

1.1. Biometric Identifiers are biologically unique to an individual and once compromised, the individual has no recourse, is at heightened risk for Identity Theft, and is likely to withdraw from biometric-facilitated transactions. Therefore, pursuant to the Data Classification Policy, the University has designated Biometric Identifiers as Sensitive Data.  


1.2. The purpose of this Standard is to ensure the privacy and Security of Biometric Identifiers collected, stored, and/or used at the University for business and administrative purposes. 


1.3. This Standard applies to all University employees, students, volunteers, as well as any third-party individuals and entities who are doing work on behalf of the University that generate, have access to, collect, store, or use Biometric Identifiers.  


1.4. The Chief Information Officer or their designee, in conjunction with the Executive Director of Enterprise Infrastructure and Operations and the Chief Information Security Officer, is responsible for implementing and enforcing this Standard.  


1.5. Data Custodians are responsible for ensuring the Biometric Identifiers for which they are responsible are classified, kept private, and secured appropriately.  


1.6. It is the responsibility of Data Users authorized to generate, maintain, and/or access Biometric Identifiers to abide by this Standard. Data Users should avoid collecting, accessing, or sharing Biometric Identifiers whenever possible.  



2. Collection of Biometric Identifiers:

2.1. Information Technology Services (“ITS”) must approve all business units to collect Biometric Identifiers prior to collection. Requests must be submitted to the Executive Director of Enterprise Infrastructure and Operations. 


2.2. Biometric Identifiers must not be collected, captured, purchased, received through trade, or otherwise obtained until: 


2.2.1. The identity of the individual is confirmed by providing a valid University Identification Card; 


2.2.2. The individual, or their legally authorized representative, has been informed in writing that a Biometric Identifier is being collected or stored; 


2.2.3. The individual, or their legally authorized representative, has been informed in writing of the specific purpose and length of term for which a Biometric Identifier is being collected, stored, and used; and, 


2.2.4. The individual, or their legally authorized representative, has executed a written or electronic release of the Biometric Identifier. See Exhibit A.



3. Storage of Biometric Identifiers:

3.1. Data Custodians and Data Users must access, share, store, use, transmit, dispose, and protect Biometric Identifiers in accordance with the Sensitive Data Protection Standard and the following requirements:  


3.1.1. Biometric Identifiers must only be retained in an ITS-approved information system; 


3.1.2. Biometric Identifiers must be encrypted while stored or transmitted; 


3.1.3. Access logs must be kept for all information systems that store or transmit Biometric Identifiers; and, 


3.1.4. All data processors must employ proper technical and organizational procedures, such as one-way coding, to keep Biometric Identifiers secure.



4. Disclosure of Biometric Identifiers:

4.1. Biometric Identifiers collected must not be sold, leased, traded, or otherwise profited from. 


4.2. Biometric Identifiers must not be disclosed, redisclosed, or otherwise disseminated unless:  


4.2.1. The individual of the Biometric Identifier(s) or their legally authorized representative consents to the disclosure or redisclosure; 


4.2.2. The disclosure or redisclosure completes a financial transaction requested or authorized by the individual of the Biometric Identifier(s) or their legally authorized representative; 


4.2.3. The disclosure or redisclosure is required by state or federal law or municipal ordinance; or 


4.2.4. The disclosure is required pursuant to a valid warrant or subpoena. 



5. Secure Deletion of Biometric Identifiers:

5.1. Biometric access will be disabled within two (2) years of the last consent date, or when the initial purpose for collecting or obtaining such identifiers has been satisfied, whichever occurs first.  


5.2. Biometric Data will be deleted 105 days after access has been disabled.



6. Exceptions:

6.1. Biometric Identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening. 


6.2. Biometric Identifiers collected for University research purposes are not subject to the requirements identified within this document.



 

7. Definitions:

7.1. “Biometric Identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry used to identify an individual.  


7.2. “Data Custodians” means University subject matter experts within their functional area who are responsible for enforcing the rules and decisions established by Data Stewards. 


7.3. "Data User" means University staff members that, under the direction of the Data Custodians, have day-to-day operational responsibility for data capture, maintenance, and dissemination while performing their assigned duties or to fulfill their role within the University community.


7.4. “Identity Theft” means fraud committed or attempted using identifying information of another without authorization. 


7.5. “Security” means the strategies for managing University Sensitive Data to ensure the confidentiality (the rules that limit access), integrity (the assurance that data will remain uncorrupted), and availability (the assurance that data will continue to be available) of it, including the requirements to collect, store, transmit, and access Sensitive Data. 


7.6. “University Identification Card” means a University-issued identification card used for accessing University Services and Facilities. The University Identification Card is referred to as the Mountaineer Card on the Morgantown campus, the Catamount Card on the Keyser Campus, and the WVU Tech ID Card on the Beckley campus.



Exhibit A: Biometrics Information Privacy Release Form

I have been advised and understand that West Virginia University (the “University”) will collect, retain, and use one or more of my Biometric Identifiers (e.g., a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry) for the purpose of identifying me when utilizing specific University facilities, systems, and services. The University will use a computer-based system to collect a mathematical pattern of my Biometric Identifier. The University will not retain a copy of my Biometric Identifiers, only the mathematical pattern.


The University will retain this data for two (2) years at which time it will be securely destroyed. The University will not sell, lease, trade, or otherwise profit from the collection of this data.


I understand that I am free to decline to provide my Biometric Identifiers to the University and instead use a University Identification Card or physical key to access University facilities, systems, and services. I also understand that I can revoke my consent at any time by notifying the University in writing.


By scanning my finger, hand, iris, retina, or other Biometric Identifier, I voluntarily consent to the University collecting this information.


Exhibit last updated 9/18/2021