Biometric identifiers are digital representations of immutable and unique bodily features such as fingerprints, hand or face geometry, iris, retina, and voice patterns used to identify individuals. The immutable quality of the data creates a lifelong risk to the subject individuals should that data be used inappropriately. Thus, the storage of this data presents a significant liability to the university. It is also important to note that biometric identifiers can be used to verify the identity of a person but are not sufficient to authenticate a user and grant authorization to access physical or logical assets.
This policy applies to all instances in which the university collects, stores, or otherwise processes biometric identifiers for identification or authorization purposes. Devices that use biometric identifiers to grant access to an individual device, where the identifiers are stored only in an inaccessible form on the device, are not within the scope of this policy.
Restricted Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities, that are subject to specific protections under federal or state law or regulations or under applicable contracts. Examples include, but are not limited to, medical records, social security numbers, credit card numbers, Florida driver licenses, non-directory student records, research protocols and export-controlled technical data.
- Biometric identifiers are only used to identify individuals when granting access to selected high-security facilities. Such facilities are primarily used by faculty and staff with limited numbers of students involved in special study, research or employment requiring such access.
- Biometric identifiers are only to be used as an identifier and must be used in combination with additional identifiers and authenticators (e.g., ID card, PIN or password) to grant access to approved facilities and resources.
- Biometric data and systems storing, processing or transmitting it will be secured in a manner equivalent to UF Restricted Data.
- Only the following biometric identifiers may be used at UF:
  - Any record of friction ridge detail
  - Palm prints
Review and Adjudication
The Vice President and Chief Information Officer, or designee, and Chief Privacy Officer, or designee, are jointly responsible for approving all uses of biometric technology.
Failure to comply with this policy could result in disciplinary action for employees, up to and including termination. Volunteers may have their volunteer status terminated.
|February 6, 2020||Policy originally adopted|