tigerHR tigerHR
Back

Biometric Information Privacy Policy

1. Purpose

This Biometric Information Privacy Policy ("Policy") explains how the Company collects, uses, stores, retains, and protects employee biometric data in connection with its use of biometric time and attendance devices. The Company engages vendors and service providers, including NGTECO CO., LIMITED ("NGTECO"), to provide and support the technical system, and such parties will process biometric data solely on the Company's behalf and in accordance with the Company's instructions and applicable data processing agreements. NGTECO does not determine the purpose or means of biometric data collection.

This Policy is intended to comply with applicable biometric privacy and data protection laws, including the Illinois Biometric Information Privacy Act (BIPA) and, where applicable, the EU General Data Protection Regulation (GDPR).

2. Definitions

  • Biometric Identifier: fingerprint or face geometry, as defined by applicable law.
  • Biometric Information: Any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.
  • Biometric Data: Personal information derived from biometric identifiers or biometric information that can be used to identify a person.
  • Company: The employer deploying the biometric time and attendance system.
  • NGTECO: NGTECO CO., LIMITED, a provider of biometric time and attendance devices and related software.

3. How Biometric Timeclocks Work

Biometric timeclocks are computer-based systems that identify employees by scanning their fingerprints or facial features. The system extracts unique data points and generates proprietary mathematical models, verifying identity by comparing the template hash recorded during registration with the template hash during verification. Biometric timeclocks do not store raw biometric images. Biometric templates are encrypted and stored in an irreversible binary format; hash values cannot be reverse-engineered to restore the original biometric image or raw feature points.

4. Purpose of Collection and Use

The Company, its vendors, and/or licensors (including NGTECO) may collect and use biometric data solely for:

  • employee identification;
  • recording time and attendance;
  • preventing time fraud or buddy punching; and
  • supporting payroll, scheduling, and related HR operations.

Biometric data will not be used for any other purpose without additional written authorization or as required by law.

5. Current Storage and Processing Method

Under the Company's current system configuration, biometric templates used for identification are stored and processed within the Company's biometric devices. NGTECO provides hardware and technical support services in accordance with the Company's instructions. If the manner of processing biometric data materially changes in the future, the Company will re-provide notice and obtain any additional consent as required by applicable law.

6. Voluntary Participation and Right to Withdraw

Prior to the initial collection of any biometric data, the Company will provide each employee with a separate written disclosure and consent form, outlining the specific purposes, retention schedule, and data handling practices as described in this Policy. The Company will obtain the employee's written consent before proceeding with collection.

Employees are not required to provide biometric data as a condition of employment. Employees may decline to provide biometric data without adverse employment action, subject to the Company's reasonable alternative timekeeping arrangements where applicable.

Employees may withdraw consent at any time by submitting written notice to the Company.

7. Retention and Destruction

The Company will retain biometric data only for as long as necessary to fulfill the purposes described in this Policy or as required by law. Biometric data will be permanently deleted when the earliest of the following occurs:

  • termination of employment; or
  • written withdrawal of consent; or
  • discontinuation of biometric-based timekeeping for the applicable employee or location.

8. Disclosure

Biometric data will not be sold, leased, traded, or otherwise profited from. Due to the irreversible encryption methods described in Section 3, the raw biometric image or identifiable feature points cannot be reconstructed or provided in an identifiable form. However, encrypted biometric templates or related data may be disclosed:

  • to vendors or licensors assisting the Company in operating the system, and only to the extent necessary;
  • with the employee's written consent; or
  • as required by law or valid legal process.

9. Security Measures

The Company and its vendors use reasonable administrative, technical, and physical safeguards to protect biometric data from unauthorized access, disclosure, or misuse.

10. Contact Information

For questions about this Policy or to exercise your rights, please contact your Company administrator.