Biometric Authentication Information and Device Handling Policy

Scope

This policy applies to all collection and/or use of biometric information and/or technologies by OVPIT/UITS.

Rationale

OVPIT and UITS deploy various access protections commensurate with the sensitivity and criticality of the information, systems, or facilities being accessed, and recognize that authentication based on personal characteristics, or what can broadly be termed as "biometric authentication," can provide enhanced protection. The integrity of the underlying information generated to support biometric authentication is essential not only for the integrity of the supported access protections, but also because such information may have its own inherent sensitivity. For these reasons, the information and devices supporting biometric authentication must be handled with due care.

Policy Statement

The Office of the Vice President for Information Technology and Chief Information Officer may deploy biometric access control technologies for OVPIT facilities housing the most sensitive and critical information systems and functions. Personal data collected by these biometric access control technologies are in the most sensitive category defined by university classification criteria, will be protected in accordance with applicable standards, and will be purged when no longer required to support the access protection function.

Procedures

All collection and/or use of biometric information and/or technologies by OVPIT/UITS will be reviewed and approved by the Vice President for Information Technology and CIO, or designate, before any actual collection or use, in order to ensure appropriate security and privacy safeguards are planned and implemented. Approved implementations will be listed below.

List of Approved Implementations

  • Hand Geometry Scanner
    Approved: August 2009
    The Bloomington Data Center employs a hand geometry scanner as an additional layer of verification (not identification) to ensure that only authorized individuals can gain access.

    In consultation with the Chief Privacy Officer and the Chief Security Officer, OVPIT/UITS will treat hand geometry verification data as Restricted/Limited-Use data using the IU Data Steward Classification Scheme. As such, it will be protected according to university policies and standards for Restricted/Limited-Use data. OVPIT/UITS will ensure that impacted employees receive information describing the technology and the handling and use of the data.

Definitions

Biometric
Methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits.
Biometric verification
A one-to-one comparison of a captured biometric with a stored template to verify an individual.
Biometric data
Stored template describing biometric trait.
Hand Geometry Scanner
The device uses a simple process to measure and record the length, width, thickness, and curvature of the individual's hand, and compares it to a template.

Sanctions

Indiana University will handle reports of misuse and abuse of information and information technology resources in accordance with existing policies and procedures issued by appropriate authorities. Depending on the individual and circumstances involved, this could include the offices of Human Resources, Dean of Faculties (or campus equivalent), Dean of Students (or campus equivalent), Office of the General Counsel, and/or appropriate law enforcement agencies. See policy Misuse and Abuse of Information Technology Resources (IT-02) for more detail.

Failure to comply with Indiana University information technology policies may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); the individual's employment (up to and including immediate termination of employment in accordance with applicable university policy); the individual's studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these.

Related Policies, Laws, and Documents

Responsible Organization

Office of the Vice President for Information Technology
University Information Technology Services
dcops@indiana.edu

Policy History

Draft: November 10, 2010
Revised: December 10, 2010

This is document bapr in the Knowledge Base.
Last modified on 2017-07-31 13:00:28.

Contact us

For help or to comment, email the UITS Support Center.