Biometric Technologies (S-14)

Standard: S-14
Responsible Executive: Vice President for Information Technology and Chief Information Officer
Responsible Office: Office of the Vice President for Information Technology
Date Issued: July 15, 2019
Date Last Revised: December 12, 2024

Table of Contents

Contacts
Individuals and Entities Affected
Statement of Standard
Responsibilities
Definitions (defined terms are capitalized throughout the document)
Related Documents, Forms and Tools
History and Updates
Appendix 

Contacts

Clarification of Standard

Purdue Systems Security (PSS)
765-494-4000 | itpolicyanswers@purdue.edu

Individuals and Entities Affected

University students, faculty, staff and all other individuals or entities using University IT Resources.

This standard is not intended to apply to those departments and/or personnel conducting research of Biometric Technologies or Biometric Data for academic purposes. Refer to the Human Research Protection Program for requirements and approvals related to such activities.

Statement of Standard

Due to the unique and immutable nature of Biometric Data, any deployment of technologies using Biometric Data for identification and/or authentication purposes must be specifically approved by the University’s Chief Information Security Officer. Deployment of Biometric Technologies must comply with the following requirements:

• No biometric images may be stored.
• Biometric Data must be encrypted via the use of an algorithmic process to transform the data into a form in which there is a low probability of assigning meaning to that Biometric Data without use of a confidential process or key.
• Biometric hashes are considered Restricted Data under the University’s data classification schema and must be handled in accordance with the University’s Data Handling Procedures.
• Biometrics may be used only for identification of an individual, not authentication. If authentication is needed, an additional factor is required, such as a PIN, password or other user credential.
• No information may be returned to a user other than public information provided in the Purdue Directory without the provision of an additional factor, such as a PIN, password or other user credential.
• Student Biometric Data are considered personally identifiable information under the Family Educational Rights and Privacy Act of 1974 (FERPA). Departments and units considering implementation of Biometric Technologies involving student Biometric Data must consult with the FERPA data steward in the West Lafayette Office of the Registrar.
• Prior to implementation of Biometric Technologies, a Request to Use Biometric Data Form must be submitted to the Chief Information Security Officer.

Responsibilities

Centralized and Departmental IT Units and IT Resource Owners (and designees)

• Implement and support compliance with this standard and any related policies, standards and best practices for University IT Resources within their areas of responsibility.
• Establish additional guidelines, procedures or other requirements that exceed this standard, as necessary, to secure Biometric Technologies and Biometric Data.
• Consult the Purdue Office of the Registrar FERPA consultant or data steward when considering use of student Biometric Data.
• Prior to implementation of Biometric Technologies, submit to the Chief Information Security Officer a Request to Use Biometric Data Form.

Purdue Systems Security (PSS) – Chief Information Security Officer

• Review and make determinations on requests to use Biometric Data.

University students, faculty, staff and all other individuals or entities granted use of University IT Resources

• Comply with the requirements of this standard and any related policies, standards or security guidelines and procedures that may be issued by their departmental IT units and/or owners of the IT Resource(s) they access.

Definitions

All defined terms are capitalized throughout the document. Additional defined terms may be found in the policy on Acceptable Use of IT Resources and Information Assets (VII.A.4) and in the central Policy Glossary.

Biometric Technologies
In information technology, biometrics typically refers to those technologies using a person’s Biometric Data for identification and/or authentication purposes.

Biometric Data
The unique physical attributes, including but not limited to, fingerprints, hand geometry, retina and iris patterns, voice waves, signatures, and facial patterns, used to identify a person.

Related Documents, Forms and Tools

This standard is issued in support of the policies on Acceptable Use of IT Resources and Information Assets (VII.A.4), as amended or superseded.

Request to Use Biometric Data Form

Office of the Registrar FERPA information 

Purdue IT policies, standards and guidelines

National Institute of Standards and Technology (NIST) resources related to biometrics use:

• NIST Special Publications (SP) 800 series (see 800-111 Guide to Storage Encryption Technologies for End User Devices, 800-52 Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations, 800-77 Guide to IPsec VPNs, and 800-113 Guide to SSL VPNs)
• NIST Federal Information Processing Standards (FIPS) series (see 140-2 Security Requirements for Cryptographic Modules)

History and Updates

December 12, 2024: Document reviewed; minor administrative updates made to titles, offices and links.

July 15, 2019: This standard supersedes Biometric Technologies Implementation Standard issued December 21, 2009 from the Purdue University Security Officer’s Group, University Data Stewards, and IT Networks and Security (ITNS).

Appendix

There are no appendices to this standard.