BIOMETRIC-RELATED INFORMATION POLICY

 

The purpose of this policy is to define the policy and procedures for the collection, use, safeguarding, storage, disclosure, and retention of certain Biometric-Related Information. It is Staffmark Group’s policy to protect, use, store, and disclose Biometric-Related Information in accordance with applicable law.

 

The Company and all its related entities maintains a time management system (the “TMS”) to ensure proper identification for time and attendance management purposes, as well as to reduce the likelihood of fraud when using the TMS and has instituted the following Biometric-Related Information Policy.

 

Biometric-Related Information Defined

Biometric-Related Information (“BRI”) means the information collected by the Company and/or its vendors, and/or the licensor of the Company’s TMS software about an individual’s physical characteristics that can be used to identify that person. BRI may include fingerprints, voiceprints, a retina scan, scans of hand or face

geometry, or other data.  BRI also includes any information that is derived from such information and used to identify the employee

 

Collection of BRI

In connection with the collection of BRI from employees, the Company will obtain a written release/consent, as applicable, from employees in the form approved by the Company. The form will inform the employee about the information being collected; the purpose of the collection; and the period of time the BRI is being collected, stored, and used.  BRI is collected when utilizing the Company’s, its vendor’s, and/or the licensor’s TMS, including as applicable, biometric timeclocks or timeclock attachments.

Purpose for Collection of Biometric Data

The Company, its vendors, and/or the licensor of the Company’s TMS software collect, store, and use BRI solely for the purpose of administering the TMS and other lawful purposes.  These purposes shall include, but not be limited to, identifying employees, recording time entries, time management verification processes, and fraud prevention and investigations.

Access to BRI

In general, Company employees are permitted to access personal information, including BRI, only as necessary and appropriate to carry out their assigned job responsibilities. Consistent with the Company’s access management procedures, certain employees or vendors will be designated to administer the TMS and, as such, may from time to time need access to BRI and related data.

Disclosure

In general, the Company does not make available or disclose BRI to third parties, other than its vendors that support the TMS for the Company and/or the licensor of the Company’s TMS software. In the event additional access is necessary for technical support, administration or other lawful purposes, the Company will obtain (i) written consent from the individual to whom the BRI relates and (ii) the written assurances from the third party that the BRI will be safeguarded in accordance with applicable law and other best practices. The written consent will inform the individual that BRI is being collected or stored as well as the purpose and length of time for which BRI is being collected, stored, and used.  The Company may disclose or disseminate BRI if required by state or

federal law or municipal ordinance or pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction. The Company, its vendors, and/or the licensor of the Company's TMS software will not sell, lease, trade, or otherwise profit from an individual’s BRI.

Retention and Destruction

Absent a valid warrant or subpoena issued by a court of competent jurisdiction, the Company, its vendors, and/or the licensor of the Company’s TMS software will, in accordance with its or their Record Retention Policy, retain BRI only for as long as the initial purpose for collecting or obtaining such information has been satisfied, subject to any legal obligation for a longer retention period. In general, the Company will permanently destroy, and request that its vendors and/or the licensor of the TMS software destroy, as applicable, BRI as soon as practicable following the cessation of employee’s employment with the Company or the change in the employee’s role to a position for which BRI is not used, except as otherwise required by law. In no event shall BRI be retained for longer than 1 year following the termination of the employee's employment.

Data Storage, Transmission, and Protection

Consistent with the Company’s information security policies, procedures and practices, which are incorporated herein by reference, as applicable, the Company will store, transmit, and protect BRI using a reasonable standard of care. Such storage, transmission, and protection from disclosure will be performed in a manner that

is the same as or more protective than the manner in which the Company stores, transmits, and protects from disclosure other confidential and sensitive information.

Amendment, Enforcement, and Violations

The Company reserves the right to amendment this Policy at any time for any reason.

 

The Chief Human Resources Officer shall be responsible to interpret and enforce this Policy in collaboration with other appropriate Company departments or officers.

 

Employees who violate this Policy shall be subject to discipline up to an including termination of employment.