This Act requires private entities that collect biometric identifiers, such as iris scans, fingerprints, and even photos, to create a written retention schedule. This schedule must be available to the public, specify why this data is collected, and include plans to destroy the records as soon as the retention period ends. Before they collect data, the company must have a written release from an individual.
So, how long can the company keep the records? Just long enough to use them for the purpose for which they were collected.
This group of employees said Peacock Foods violated all three areas of this act. The employees claim they didn’t know why the company collected their fingerprints. They also assert that they didn’t permit the company to collect and retain their fingerprint records. To add to that, they weren’t given a written notice of this policy. They also allege that they didn’t know the retention period for those records.
Peacock Foods Lessons for Records and Information Management
Although this lawsuit stems from a specific U.S. state law, unlawful collection of sensitive personally identifiable information (PII) is an issue that affects every company. This lawsuit and other similar suits should put all companies on notice. Stricter laws that control how companies collect and retain this category of PII are increasing across the U.S. These records are subject to even stricter standards across Europe. The European Union General Data Protection Regulation (GDPR), which goes into effect in May 2018, will increase regulations on these records.
Records and information management professionals should consider the following steps as they deal with PII:
- Keep a list of the biometric identifier records the company maintains.
- Ensure policies, procedures, and retention schedules consider the sensitivity of PII.
- Identify the need for PII information. Make reasons to collect PII public knowledge.
- Adopt tailored retention periods so records aren’t kept longer than necessary.
- Stay up-to-date on relevant privacy laws. Your company is subject to privacy laws in most U.S. and international jurisdictions.
As a records and information management expert, you can prepare by staying on top of evolving privacy laws. A proactive approach is the best way to adapt to new changes. Preparation ensures that your company remains compliant and reduces risks.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.
Author: Jennifer Chadband, IGP, CRM, ECMp
Senior Analyst / Licensed Attorney