ID.me Policy and Standards

ID.me Employee Privacy Policy

Version 1.2
Nov. 18, 2025

Document Revision History

Date | Version | Description | Author
May 10, 2024 | 1.0 | Initial Release | GRCP
Nov. 18, 2025 | 1.2 | Update LLC | GRCP

1. Introduction

ID.me has developed corporate policies that identify the security requirements its information systems and personnel must meet in order to ensure the integrity, confidentiality, and availability of its information. These policies are set forth by ID.me Management and are in compliance with the Access Control family of controls found in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4.

1.1 Purpose

The purpose of this document is to provide guidance on the policies, implementation and management of ID.me employee and applicant information. This policy will outline how ID.me collects, retains and uses employee and applicant data.

1.2 Scope

This policy applies to all ID.me applicants and employees worldwide, including employees, temporary and contingent workers, independent contractors, interns, and consultants acting on behalf of ID.me, LLC. This policy must be reviewed and updated annually. This policy and associated procedures have the full commitment and ongoing support of ID.me management.

1.3 Roles and Responsibilities

These policies apply to all ID.me employees, contractors and applicants.

  • It is the responsibility of the ID.me Head of Privacy or their designee to review and update the ID.me Employee Privacy Policy at least annually.
  • It is the responsibility of the ID.me Head of Privacy to manage ID.me Privacy policies.
  • It is the responsibility of the ID.me Governance, Risk, and Compliance (GRC) Team to ensure coordination among organizational entities in the fulfillment of this policy.
  • It is the responsibility of all recipients to read and comply with this policy.

1.4 Management Commitment

The ID.me Executive Team will fully commit to and support the following policies for privacy assurance.

1.5 Authority

These policies and procedures are issued under the authority of ID.me’s System Owner. The following applicable laws, directives, policies, regulations, and standards were used as part of the development of this policy. These include (but are not limited to):

  • California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
  • Fair Credit Reporting Act (FCRA)
  • Americans With Disabilities Act (ADA)
  • Illinois Biometric Privacy Act (BIPA)

1.6 Document Control

The policies are available on the ID.me Google Drive and are protected via RBAC managed by Privacy. The procedures are stored on Google Drive or Confluence and protected by RBAC permissions managed by each team. Documentation about security practices (logs of activities, etc.) will either be kept in this SDL or the wiki.

1.7 Compliance

Compliance with these policies is mandatory. It is ID.me’s policy that production systems abide by or exceed the requirements outlined in this document. The Privacy dept. will periodically assess adherence to these policies by using an independent audit performed annually by an external vendor to identify areas of non-compliance. Any findings identified in the audit will be remediated in accordance with the auditing team’s recommendations.

2. Policy Requirements

ID.me collects, processes and retains certain information on our applicants, contractors, and employees relating to their employment with our organization. This information is used to manage the employment relationship.

2.1 What information does ID.me collect on our employees?

  • ID.me, both independently and through its vendors, collects, reviews and processes information on applicants, employees, and contractors. This information includes but is not limited to:
    • Name, address, birth date, gender, social security number, personal email address and phone number
    • Background check information including credit report and criminal record
    • Marital status, next of kin, dependants and emergency contacts
    • Qualification details including education, skills, employment history, experience and assessment score
    • Compensation and benefit information including salary, bonus, insurance
    • Information on work hours, attendance, time off and leaves
    • Citizenship and immigration status information
    • Health information including ADA accommodations, doctors’ notes, FMLA requests
    • Financial information such as bank account, 401K participation
    • Job performance, disciplinary, investigation or grievance processes
    • Performance assessments and reviews
    • Demographic information collected for regulatory reporting purposes such as gender, race, ethnicity, veteran’s status, and disability
    • Internet information such as IP address, web views, network information, geolocation
    • Biometric information (where required for the position)
    • Video and audio recordings
  • ID.me may collect this information through internal processes and systems or through third parties including but not limited to:
    • Resumes, applications and other employment related materials
    • Background check providers
    • Government identification
    • Email 
    • Slack
    • Video and live meetings
    • ID.me hardware and software applications
    • Video surveillance in designated locations in ID.me facilities
  • ID.me monitors the use of ID.me owned equipment and systems including computers, mobile devices, applications and software. Geolocation functions may be utilized to find lost or compromised equipment. ID.me may have access to personal information like email and social media if an ID.me owned system or equipment is used to access that information.
  • ID.me will monitor company information accessed and processed on personal devices under the Bring Your Own Device (BYOD) policy. BYOD devices will require the installation of an ID.me profile on your personal device. Refer to the ID.me Mobile Device Policy for details.
  • Employee data may be stored in both internal and external systems. Access to these systems and information contained therein will be restricted to those employees with a need to know the information to perform their job functions. These systems include: 
    • Human Resources Information Systems 
    • Cloud storage
    • Payroll system
    • Benefits management system
    • Talent acquisition and Applicant Tracking systems
    • Talent management system
    • Performance management systems
    • Email, instant messaging, and other corporate communication systems

2.2 Who has access to the data?

  • ID.me limits access to employee information based on job function using various access controls. Access is limited to systems and individuals that need to have access to perform their job functions. Processes are in place to review access levels to ensure your data is protected from unauthorized access.

2.3 Who we share your information with and why?

  • ID.me will not sell, rent, or trade your Personal Information. ID.me will only transfer your Personal Information for business reasons related to your employment at ID.me for use by third parties to verify your identity, provide benefits or services, or as required for the prevention of fraud or otherwise permitted by law.
  • ID.me may share employee information with various third parties including:
    • Benefit providers
    • Payroll processors
    • Law enforcement, regulatory and government agencies
    • Background check providers
    • Messaging systems
    • Auditors

2.4 Why does ID.me collect this information?

  • ID.me collects this information to facilitate the relationship between the organization and its employees. This information may be used to:
    • provide benefits and compensation
    • monitor performance
    • report information for various regulatory purposes
    • prevent fraud, waste, and abuse
    • perform various business activities

2.5 How long is this data retained?

  • We retain your Personal Information for as long as necessary to fulfill the purposes for which we collect it, such as to provide you with services you have requested, and for the purpose of satisfying any legal, accounting, contractual, or reporting requirements that apply to us. The table below lists the retention period guidelines for each type of employee data. The retention period length may be longer depending on business need and legal and regulatory requirements.

    Data Type | Retention Period
    Candidate Information (non hired) | 12 months
    Employee PHI | Duration of employment + 36 months
    Employee PII | Duration of employment + 36 months
    Employee matters | 7 years
    Employee focus metrics | Duration of employment + 36 months
    Benefits Data | Continuing
    Employee monitoring | Duration of employment + 36 months
    Salary and pay scale | Duration of employment + 36 months

2.6 Your rights to your data?

State Regulations
  • We are required to provide you with additional information about how we use and disclose your information, as described below.
  • Personal Information. Consistent with the “What information does ID.me collect on our employees” section above, we collect certain categories and specific pieces of information about individuals that are considered “Personal Information” in California (“CA Personal Information”). Specifically, we may collect the following types of Personal Information:

    • Identifiers: name, address, location or geographic data, telephone number, email address, age, date of birth, username and password for our websites, IP address, unique personal identifier (e.g., employee number), social security number, driver’s license number or state identification card number, passport number or other similar identifiers;
    • Professional or employment-related information;
    • Education information;
    • Internet or other electronic network activity information: computer and connection information, statistics on page views, traffic to and from the websites, ad data and other standard weblog information;
    • Geolocation information: physical location information through the use of some of our equipment and devices, in the operation of our business;
    • Biometric information;
    • Audio, electronic, visual, thermal, olfactory, or similar information; and
    • Other categories of Personal Information: signature, physical characteristics or description, bank account number or any other financial information, medical information, or health insurance information.
  • We collect certain categories of Personal Information from you and other third parties as described in the “What information does ID.me collect on our employees” section above. The categories of third parties from whom we collect CA Personal Information include the following:
    • Third-party companies;
    • Third party applications (including blogs, chat rooms, or support centers); and
    • Publicly available sources of information.
  • Purposes. We collect the CA Personal Information for the business purposes described in the “Who we share your information with and why?” section above. We also share and/or disclose your CA Personal Information as follows:
  • Sharing your CA Personal Information for business purposes: As described above in the “Who we share your information with and why?” section, we may share the following categories of your CA Personal Information with affiliates, subsidiaries, auditors, third party companies, public or government authorities and future business partners for our business purposes:
    • Identifiers;
    • Professional or employment-related information;
    • Education information;
    • Internet or other electronic network activity;
    • Geolocation information;
    • Biometric information;
    • Other categories of CA Personal Information (as specified above).
  • As described above, examples of business purposes include establishing, managing, or terminating your employment relationship with us, internal operations, prevention of fraud and other harm, and legal compliance.
  • You have the right to: 
    • Know what information is collected;
    • Delete personal information collected from you (with some exceptions);
    • Opt out of the sale or sharing of your personal information;
    • Non-discrimination for exercising your CCPA rights;
    • Correct inaccurate personal information that ID.me has about you;
    • Limit the use and disclosure of sensitive personal information collected about you.
  • You may submit a request to know, delete, and/or correct by contacting ID.me HR at EmployeePrivacy@id.me