In dealing with external parties, the Biometrics Institute adopts the following principles:
- The Biometrics Institute is governed by local privacy regulation, e.g. the EU’s General Data Protection Regulation (GDPR), British privacy law, which mirrors the GDPR, and the Australian Privacy Act.
- We will collect only the minimum amount of personal data required to provide a service to your organisation.
- We will do our utmost to collect, process, store and transfer personal data in an effective and responsible manner. This will include securing IT equipment, conducting audits, keeping appropriate logs, checking system security from time to time and conducting privacy impact assessments when significant privacy-impacting new business is being planned.
- We will not sell any personal details to third parties for promotional or other commercial purposes.
- Personal details will not be sent to, nor processed in, countries where a less stringent privacy jurisdiction is applied.
- In keeping with the key privacy protection principle “the right to be forgotten”, the Biometrics Institute will maintain personal data only as long as necessary. Should we receive a request that the organisation’s active participant(s) be deleted from our record, we will do so.
- Individuals, whether acting in their own right or with authority to sign for their organisation, should give informed consent when they provide their personal data; that includes the right to know how their own data will be used by the Institute.
- We have in place a Board-approved Data Breach Notification process so that in the urgent situation that follows a data breach, everyone knows what to do.
- We have a Data Protection Officer who is responsible for dealing with your queries and ensuring good privacy practice.