Effective Date: January 2019
Last Updated: November 2020
Alight has instituted the following policy related to any biometric data that Alight possesses as a result of Alight's operations, or of Alight's and client employees' use of Alight products and services. Alight's clients are responsible for developing and complying with their own biometric data retention and destruction policies as may be required under applicable law.
As used in this policy, biometric data means any physiological or behavioral characteristics of a person, or information based upon such a characteristic, including characteristics such as those defined as "biometric identifiers" and "biometric information" under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. "Biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. "Biometric information" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.
Alight and/or its vendors also may collect, store, use and/or transmit biometric data during the course of conducting Alight's operations and of providing products or services to Alight clients and client employees. With respect to biometric data collected, stored, used and/or transmitted by Alight and/or its vendors, to the extent required by law, Alight and/or its vendors will obtain written authorization from each individual prior to the collection of such data.
Alight and/or its vendors will collect, store, use and/or transmit any biometric data solely for identity verification and fraud prevention. Neither Alight nor its vendors will sell, lease or trade any biometric data that it receives from clients or client employees as a result of their use of Alight services.
Alight will not disclose, disseminate and/or transmit any client's employee's biometric data to any person or entity other than the client and Alight's authorized licensors or vendors without/unless:
Alight will retain any client's employee's biometric data in Alight's possession and generated by Alight until three years after the client's employee's last call to Alight, or until the employee or client advise Alight that the data should be deleted, whichever occurs first.
Alight and/or its vendors shall use a reasonable standard of care to store, transmit and protect from disclosure any paper or electronic biometric data collected, and shall store, transmit, and protect from disclosure all biometric data in a manner that is the same as or more protective than the manner in which Alight stores, transmits, and protects other personal information that can be used to uniquely identify an individual or an individual's account or property, such as genetic markers, genetic testing information, account numbers, PINs, driver's license numbers, and social security numbers.