Biometric Information Privacy Policy

Purpose of Policy

It is PCI Gaming d/b/a Wind Creek Hospitality’s (“PCI”) policy to protect, use and store biometric data in accordance with the applicable laws including, but not limited to, the Illinois Biometric Information Privacy Act, 740 ILCS § 14/1, et seq. This Biometric Information Privacy Policy (“Policy”) sets forth the data protection policies and procedures applicable to PCI’s treatment of employee biometric data.

The purpose of this Policy is to:

  • Define the policy and procedures for the collection, use, safeguarding, handling, storage, retention and destruction of biometric data.
  • Inform employees that PCI may, now or in the future, use biometric information for employee timekeeping, to record and track access to PCI’s sensitive keys and/or for security purposes at its facilities;
  • Inform employees that PCI uses equipment and software that scans employees’ hands, fingers and/or faces (a “Biometric Identifier”) to create a template associated with employees (“Biometric Information”) for purposes of identifying employees as well as recording and tracking access to PCI’s sensitive keys.
  • From time to time, PCI may change the specific devices, software or vendor utilized to collect Biometric Identifiers or Biometric Information. A list of vendors, software and equipment providers who may collect, retain, use or disclose Biometric Identifiers or Biometric Information is available by request from Human Resources.
  • Protect the rights of employees; and
  • Ensure that PCI complies with biometric data protection laws and follows general principles for protection of biometric data.

If any provision of this Policy is inconsistent with the Illinois Biometric Information Privacy Act, 740 ILCS § 14/1, et seq. or any other applicable state or national biometric privacy laws (to the extent applicable to PCI), this Policy will be interpreted to comply with such applicable law.

Biometric Data Defined

As used in this policy, biometric data include “biometric identifiers” and “biometric information” as defined in the Illinois Biometric Information Privacy Act, 740 ILCS § 14/10, et seq. “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions or physical descriptions such as height, weight, hair color or eye color. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used or stored for health care treatment, payment or operations under the federal Health Insurance Portability and Accountability Act of 1996.

ā€œBiometric informationā€ means any information, regardless of how it is captured, converted, stored or shared, based on an individualā€™s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.

Purpose of Collection of Biometric Data

PCI, its vendors, of security or otherwise and/or the licensor of PCI’s time and attendance software may, now or in the future, collect, store and use biometric data for employee attendance to scan in and out of a biometric timeclock, identification, employee security, fraud prevention, key tracking and pre-employment hiring purposes.

Other uses may, now or in the future, include:

  • Recruiting and evaluating job applicants and candidates for employment;
  • Conducting background checks;
  • Managing and monitoring employee access to PCI’s facilities, equipment and systems;
  • Administering and maintaining PCI’s operations, including for safety purposes;
  • Immigration compliance;
  • COVID-19 health screening;
  • Any other business-related purpose.

Disclosure and Authorization

PCI will not disclose or disseminate any biometric data to anyone other than its vendors or software or equipment providers providing products and services using biometric data unless PCI receives a written release signed by the employee (or his or her legally authorized representative) authorizing PCI, its vendors and/or software or equipment providers to collect, store and use the employee’s biometric data for the specific purposes disclosed by PCI and for PCI to provide such biometric data to its vendors or software or equipment providers.

PCI, its vendors and/or software and equipment providers will not sell, lease, trade or otherwise profit from employees’ biometric data; provided, however, that PCI’s vendors and software providers may be paid for products or services used by PCI that utilize such biometric data.

PCI will not disclose or disseminate any biometric data to anyone other than its vendors and software providers providing products and services using biometric data unless:

  • The employee or the employee’s legally authorized representative provides consent to such disclosures;
  • The disclosed data completes a financial transaction requested or authorized by the employee;
  • Disclosure is required by state or federal law or municipal ordinance; or
  • Disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

Retention Schedule

PCI shall retain employee biometric data only until, and shall request that its vendors and software and equipment providers permanently destroy such data when, the first of the following occurs:

  • The initial purpose for collecting or obtaining such biometric data has been satisfied, such as the termination of the employee’s employment with PCI or the employee moves to a role within PCI for which the biometric data is not used; or
  • Within 3 years of the employee’s last interaction with PCI.

Biometric data shall be destroyed consistent with PCI’s information destruction policy. In any event, biometric data shall be permanently purged from equipment and devices such as fingerprint machines. Data printouts shall be shredded and disposed of securely and permanently, subject only to a log record reflecting destruction of the data.

Should PCI or one of its vendors or software or equipment providers receive a valid warrant or subpoena issued by a court of competent jurisdiction, this retention and destruction schedule may be suspended.

Storage of Data

PCI shall use a reasonable standard of care to store, transmit and protect from disclosure any paper or electronic biometric data collected. Such storage, transmission and protection from disclosure shall be performed in a manner that is the same as or more protective than the manner in which PCI stores, transmits and protects from disclosure other confidential and sensitive information, including personal information that can be used to uniquely identify an individual or an individual’s account or property, such as genetic markers, genetic testing information, account numbers, PINs, driver’s license numbers and social security numbers.

Consent Form

As a condition of employment and/or continued employment, each employee must execute a copy of this Policy’s Consent Form.