1) Introduction:

The purpose of this policy is to define the policy and procedures for the collection, use, safeguarding, storage, retention, and destruction of biometric data.

Definitions:

Biometric data means personal information about an individual’s physical characteristics that can be used to identify that person. Biometric data can include fingerprints, voiceprints, facial shape or scan of finger, hand or face geometry. As applicable, biometric data includes biometric identifiers and biometric information as defined under the Illinois Biometric Information Privacy Act or other Federal, State or local legislation or Ordinances.

Responsibilities:

The Facilities Department is responsible for approving the individuals that will have access to the Network Operations Centers (“NOCs”), for keeping track of these individuals and for safeguarding and permanently destroying the biometric data provided by them to access the NOC. Facilities will obtain the individuals’ informed consents for obtaining biometric data to access computer NOCs or other secured areas that have biometric readers in those states that require informed consents.

Human Resources Department is responsible for safeguarding and permanently destroying biometric data used in the timekeeping system and retaining the employees’ consents in their respective personnel records. Human Resources and/or the Payroll Department will obtain the employees’ informed consents for obtaining biometric data for use in the timekeeping system in those states that require informed consents. Human Resources is responsible for notifying the Facilities Department of employee terminations.

2) Policy:

It is Firstsource Transaction Services, LLC (“Firstsource”) policy to protect, use and store biometric data in accordance with the applicable laws including, but not limited to, the Illinois Biometric Information Privacy Act.

In those states that require consent of the individual to use or store biometric data, biometric data will not be collected or otherwise obtained by Firstsource without prior written consent of the individual. When consent is required, Firstsource will inform the individual of the reason for the collection of the biometric, the length of time the data will be stored and any other information required under applicable law. In Illinois, Firstsource will not further disclose the biometric data unless consent is obtained from the individual, disclosure is necessary to complete a financial transaction requested or authorized by the individual, disclosure is required by law or disclosure is required by subpoena.

Regardless in which state the employee is working, Firstsource will not sell, lease, trade or otherwise profit from an individual’s biometric data.

Biometric data will be stored, transmitted, and protected using a reasonable standard of care within Firstsource’s industry and in no less than the same manner that Firstsource uses to store, transmit and protect other confidential information of Firstsource.

Firstsource will destroy biometric data when the initial purpose for obtaining or collecting such data is no longer needed.

Firstsource reserves the right to amend this Biometric Information Security Policy at any time without notice.

3) Procedures:

FOR ILLINOIS EMPLOYEES:

Pursuant to the Illinois Biometric Information Act, Firstsource will obtain written informed consents from employees working in Illinois prior to the collection, storage, or use of biometric data.

a) Firstsource collects, stores, and uses an employee’s fingerprint scan in order to secure access to the NOC in the Rockford, Illinois office.
b) Prior to collecting an employee’s fingerprint scan for such purpose, Facilities will obtain the consent of the employee. Facilities will send the informed consent to Human Resources. The consent will be stored in the employee’s personnel records.
c) The Facilities team will have the employee enter or scan his or her biometric data in the biometric reader.
d) Firstsource will store, transmit, and protect biometric data using at least the same standard of care as it does to safeguard other confidential information of Firstsource.
e) The HR Department will notify the Facilities Department when an employee who has provided biometric data and/or signed an informed consent terminates from the Company.
f) Upon notice from the HR Department of termination, the Facilities team will permanently destroy the biometric data when the employee no longer needs access to the computer server room or the employee no longer works for Firstsource.

FOR EMPLOYEES IN STATES OTHER THAN ILLINOIS:

a) Access to Secure Areas
i) In certain office locations, biometric readers are utilized to access secured areas, such as, NOCs. Firstsource collects, stores, and uses an employee’s fingerprint scan for the employee to access such secured areas.
ii) The Facilities team will have the employee enter or scan his or her biometric data in the biometric reader.
iii) Upon notice from the HR Department of an employee’s termination, the Facilities team will permanently destroy the biometric data when the employee no longer needs access to the secured area or the employee no longer works for Firstsource.

b) Access to the Timekeeping System
i) In certain office locations, an employee uses his or her biometric data to access the timekeeping system to record his or her work time. Human Resources or the Payroll Department will have the employees’ scan their fingerprint in Kronos, the timekeeping system, which converts the fingerprint to a specific numbers pattern. The numbers pattern is stored in the time keeping system.
ii) Human Resources or the Payroll Department will permanently destroy the biometric data when the employee no longer needs access to the timekeeping system or the employee no longer works for Firstsource.

iii) Annexure A
Information Classification Details
Classification: Firstsource
Information Owner (IO):
Information Custodian (IC):
Authorization List (AL): All Employees
Declassify on: Never