Biometrics Best Practices for Colleges and Universities
With many biometric regulations already in place and more likely to come, how do institutions remain in good standing? Here are five best practices that can help colleges and universities comply with existing and emerging regulatory requirements:
1. Ensure consent for collection, use and storage: First and foremost, consent is crucial to compliance. Specifically, institutions should gain written consent prior to the collection, use and storage of biometric data. The institution must also explain why and for how long it will collect, use and store the data.
2. Understand the definitions: Most states have similar definitions for biometric data; however, each state is unique. Each institution should have a clear understanding of how its state defines biometric data and what specifically is protected under the law.
3. Prohibit others from profiting illegally: Selling user data is common these days, and biometrics is not excluded from this practice. However, some regulations, like BIPA, prohibit private entities from “selling, leasing, trading, or otherwise profiting from an individual’s biometric data.”
4. Don’t exceed appropriate retention: If an institution plans on retaining the biometric data it collects, it needs to outline, publish and follow a retention schedule. Part of an institution’s internal compliance is following through with the destruction of biometric data. Once data has been collected and used for its intended purpose, it must be destroyed in accordance with both the institution’s policy and the state’s regulations.
5. Apply a reasonable standard of care: Finally, institutions must treat biometric data with a standard of care. It’s important to incorporate biometrics into an institution’s data compliance program. This encourages continuous awareness of “security threats and breach prevention.”
A proactive approach to compliance that emphasizes prevention is the best way to ensure your institution is upholding the law and taking appropriate care of students’ biometric data.