Biometric Information Privacy Policy
ETS is committed to respecting your privacy. Our Privacy and Security Policy describes how we handle your personal information generally. ETS has adopted the following biometric information privacy policy:
“Biometric Data” means any Biometric Identifier (as defined below) and any other personal information resulting from specific technical processing relating to the physical, psychological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person.
“Biometric Identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric Identifiers do not include audio recordings, writing samples, written signatures, photographs, or physical descriptions such as height, weight, hair color, or eye color, absent mathematical analysis or creation of templates for automated identification.
Purposes for Processing Biometric Data
Subject to applicable laws, ETS may collect, use and retain Biometric Data to identify and authenticate test takers and test center administrators in connection with its approved multi-factor authentication programs. Biometric Information is also processed to support test security and integrity and for related purposes, such as prosecution of fraud or intellectual property theft.
Rules for Processing Biometric Information
The processing of Biometric Data is subject to the following requirements:
- Biometric Data are classified as Sensitive Personal Information (and Special Categories of Data) under the ETS Data Privacy Policy.
- ETS (or any service provider that is collecting Biometric Data on ETS’ behalf) must inform the individual in writing (a) that ETS is collecting, capturing, or otherwise obtaining the individual’s Biometric Data, and (if applicable) providing such Biometric Data to its vendors and/or the licensors of the data collection software; (b) of the specific purpose and length of time for which the individual’s Biometric Data is being collected, stored, and used. Biometric Data collection notices must meet applicable legal requirements, e.g., under the EU General Data Protection Regulation (GDPR) and the Illinois Biometric Information Privacy Act (BIPA).
- ETS (or any service provider that is collecting Biometric Data on ETS’ behalf) must obtain affirmative written consent from the individual (or his or her legally authorized representative) authorizing ETS’ processing of the Biometric Data.
- ETS shall not sell, lease, trade, or otherwise profit from individuals’ Biometric Data. ETS shall not permit its vendors or licensors to sell, lease, trade or otherwise profit from the data; provided, however, that ETS’ vendors and licensors may be paid for products or services used by ETS that utilize such Biometric Data.
- ETS shall not disclose any Biometric Data to anyone other than its service providers and licensors unless: (a) the individual (or their representative) has provided affirmative consent for the disclosure, (b) the disclosure is required by law, (c) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction, (d) the disclosure is otherwise legally permitted, as documented by the ETS Privacy Office.
- ETS shall retain Biometric Data only as needed for test security and integrity and related purposes. Unless Biometric Data are needed in connection with an investigation or prosecution of wrong-doing, ETS will retain Biometric Data for a maximum of three (3) years from the date it was collected.[1] At the end of the retention period, ETS shall securely delete and/or destroy the Biometric Data and shall request that its vendors and licensors also securely delete and/or destroy the data. Exceptions to the retention limits must be approved by the ETS Privacy Office.
- ETS shall protect the security, confidentiality and integrity of the Biometric Data using organizational, technical and physical controls that are reasonably designed to prevent unauthorized access to or use of the Biometric Data. These security controls will be no less stringent than the controls used by ETS to protect other sensitive personal information. The Corporate Information Protection Policy, Biometric Policy, sets the minimum security controls necessary for Biometric Data.
[1] The Privacy Office will consult with Compliance and other ETS stakeholders regarding retention limits under specific biometric privacy laws. Some laws require Biometric Data to be deleted in less than three (3) years.