BSI Products Data Retention & Privacy
2. Which data do we collect and for what purposes?
2.1 Biometric Data Defined:
As defined in the Biometric Information Privacy Act (BIPA) biometric data includes “biometric identifiers” and “biometric information” (740 ILCS § 14/1, et seq).
“Biometric identifier” means a retina or iris scan, fingerprint, voice-print, or scan of a hand and or face geometry. Biometric identifiers do not include writing samples or written signatures.
"Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.
Our primary product, BioSig-ID™ is a written signature/writing sample and does not fall into the named class of biometric identifiers under BIPA. Other product features we license and use less often include BioSight-ID™, BioProof-ID™ and they use facial detection or facial recognition, respectively. These products ask for your consent before use and other things you should know are discussed in this document. See Addendum of product examples.
Purpose for Collection of Biometric Data
Your organization has asked us to collect certain biometrics: See Addendum for images or products:
Written signatures in the form of a password you write in a drawing area with your finger, mouse, or stylus (BioSig-ID™). Note this is not a “biometric Identifier”
A picture of your face from a cell phone (BioProof-ID™) that is compared to your government issued ID that was presented.
An unidentifiable face that is blurred obtained from a web cam that does not collect your biometrics used for face recognition (BioSight-ID™).
After we collect the signature based biometric at log in, we verify your identity by matching to your original template completed during enrollment. This is called gesture biometrics and we collect only the way you write/draw. This has some major advantages versus collecting other biometrics, one is that hackers cannot do anything with this data if ever breached so your identity remains intact and fraud possibilities are basically nil.
For the BioSight-ID™ feature, collection of a blurred face through a web cam does not reveal your identity, and we use this to detect only if a human person is present taking an exam (versus not being present or an inanimate object).
With BioProof-ID™, when using a cell phone, or tablet to collect your facial image we compare this to your government issued picture ID to determine if you are the person who is presenting the document. We collect these biometrics and blurred face to authenticate your identity so the user can successfully access their exam, account, or device and to stop fraudulent attempts to access your account or to identify cheating. The user’s organization or association or company contracts with us, to help protect its members, employees, users, or clients from fraud and to stop attempts to cheat by having others do their work.
Other data collected:
We collect and process information about you using cookies from our web site or collect this information when you enroll or sign up for our services.
Disclosure and Authorization
When you visit our web site or use our product, we collect and process information about you using cookies. This information can include your username, email, browser used, log in date. You have a choice to let us collect this data on the web site by giving us your consent.
2.2 We ask you to not register, type, or divulge any sensitive information while using our services. Sensitive information includes information about race, ethnic origin, religion or philosophical beliefs, sexual orientation, health (except in relation to specific ADA accommodations required), political preferences and workers’ union membership.
2.3 We believe you should be made aware of the following obligations we or your organization, association or company have when collecting biometric information:
Inform you before use, that we are going to collect biometric identifiers (if applicable) and biometric information (if applicable), get your consent (if we are using a biometric identifier), describe the specific purpose, length of time we will use/store your data and make a statement about we will not sell your data.
This document has been prepared to answer these questions, provide full disclosure, and provide you a way to contact us with any questions.
3. On what legal basis do we process your data?
Our processing of your Cookie data is necessary for the purposes of our legitimate interests in improving the user experience and to provide our customers the best and most relevant service and products.
Our processing of your data including any biometric data is necessary to perform the contract we have with you or the organization who has asked you to complete activity using our services. Specifically, we utilize your data for the purposes of identity verification, document verification, to determine if there is a human face that is present inside a frame (like taking a picture in your cell phone). We also send data back to the organization who is paying for our services who wants to see trend data.
Your organization may have certain State or Federal requirements to provide ID authentication throughout the course and to maintain the privacy of users or verify identity required by the Safe Act or other regulations. Some requirements for accreditation or other regulations your organization must comply with are reasons why we are one of or the companies they have selected to provide these services.
4. Do we transfer your data to others?
We are obligated to share data with government sources by law, if and when they ask for this. We only share your data to perform the contract we have with your organization on whose behalf we provide our ID authentication exam monitoring, document verification, and secure exam browser services.
We will not share your data with any 3rd party outside of data analysis purposes for internal use. These external suppliers are called data processors and they may, in some instances process your data in connection with performing the services they have been contracted to provide. Our data processors only process your data in accordance with our instructions and agree to all the privacy and access restrictions we place upon them for your data to be safe and secure.
We will not ever sell, lease, trade or otherwise profit from your data to a third party other than from your own organization who contracts for our services. Your data remains safe and secure with us.
5. How long do we keep and store your data?
To ensure the preservation of ID verification integrity including any analysis of individual and collaborative atypical access behaviors, we retain your data for only a period long enough to verify your identity and the initial purpose for collection has been satisfied. Your organization may have purchased additional audit trail and forensics services. If so, we retain user data for as long as we provide services to the organization. This provides your school with continuing data used to look at trend data such as comparing your signature password template to subsequent log ins and allows users to keep their original passwords without having to re-enroll.
All data is kept encrypted with 256-bit encryption (one of the strongest encryption standards) in our secure data base. To protect your data, we use acceptable standards of care to store, transmit and protect from disclosure any paper or electronic data collected in a manner that is the same as the company uses.
6. What rights do you have as a data subject?
You have a number of rights under BIPA, GDPR or CCPA. Your rights in most cases include the following:
You have the right of access your data that is collected, stored, or used about you and information on any transfer of your data to any third parties.
You have the right of rectification of your data.
In some instances, and under certain conditions, you have the right to have your data not collected, which means you agree to not participate in your organization’s program and any consequences thereof.
If we ever process data about you based on your consent to do so you have the right, under certain circumstances, to withdraw such consent.
If you wish to enforce your rights and get our help, please contact us using the address listed at the end of this Policy.
7. Changes to this Policy
Changes to this Policy may be necessary due to changes in the way we process data or changes in the regulatory environment. If we change this Policy, we will renew the date and version below. If we make any material changes, we will communicate this via our website, e-mail, or other means.
Please do not hesitate to contact us here if you have any questions related to our Data Protection Policy.