The American Dental Association Department of Testing Services (ADA DTS) has instituted the following biometric data privacy policy:
Biometric Data Defined
As used in this policy, “biometric data” includes fingerprints or palm vein scans.
Purpose for Collection of Biometric Data
ADA DTS service providers collect, store, and use biometric data solely for identification of test candidates and other individuals participating in ADA-DTS projects and for test-taking fraud prevention.
Disclosure and Authorization
To the extent that ADA DTS service providers collect, capture, or otherwise obtain biometric data relating to an individual, the ADA DTS must first:
a. Inform the individual in writing that an ADA DTS service provider will collect the individual’s biometric data, and that ADA DTS authorizes its service provider to collect, process and maintain such biometric data;
b. Inform the individual in writing of the specific purpose and length of time for which the individual’s biometric data is being collected, stored, and used; and
c. Receive a written release signed by the individual (or his or her legally authorized representative) authorizing the ADA DTS service provider to collect, store, and use the individual’s biometric data for the specific purposes disclosed by the ADA, and for ADA DTS to so authorize its service provider.
ADA DTS shall not, nor shall it authorize its service providers, to sell, lease, trade, or otherwise profit from individuals’ biometric data; provided, however, that ADA DTS’s service providers may be paid for products or services used by ADA DTS that utilize such biometric data.
Disclosure
ADA DTS will not disclose or disseminate any biometric data, and will not authorize its service providers to disclose or disseminate any biometric data, to anyone without/unless:
a. First obtaining written consent to such disclosure or dissemination;
b. The disclosed data completes a financial transaction requested or authorized by the individual;
c. Disclosure is required by state or federal law or municipal ordinance; or
d. Disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
Retention Schedule
ADA DTS shall retain biometric data only until the first of the following occurs, and shall require that its service providers permanently destroy such data at that time:
a. The initial purpose for collecting or obtaining such biometric data has been satisfied; or
b. Within 3 years of the individual’s last interaction with the ADA.
Data Storage
ADA DTS shall use, and shall require its service providers to use, a reasonable standard of care to store, transmit and protect from disclosure any paper or electronic biometric data collected. Such storage, transmission, and protection from disclosure shall be performed in a manner that is the same as or more protective than the manner in which ADA DTS or the service provider stores, respectively, transmits and protects from disclosure other confidential and sensitive information, such as personal information that can be used to uniquely identify an individual or an individual’s account or property, such as genetic markers, genetic testing information, account numbers, PINs, driver’s license numbers and social security numbers.