For security and similar purposes, Freddie Mac uses various tools that capture biometric data from certain individuals seeking entry to our buildings or particular portions of them. Biometric data may include identifiers such as retina or iris scan, fingerprint, voice print or scan of hand or face geometry and information derived from those identifiers (as the term "identifiers" is defined under applicable law).
As of the Effective Date of this policy, as noted below, Freddie Mac only captures facial or fingerprint scans of employees, on-site contractors, and other individuals who work for or with Freddie Mac. The scanned facial or fingerprint image is analyzed by software that identifies major features of the image and converts those features into a mathematical code that, to the best of our knowledge, cannot be reverse-engineered or converted back to the scanned image. We do not retain the scanned image itself, and we only use it to create this mathematical code (referred to as "biometric information"). Only the biometric information is retained.
We retain and use this biometric information as follows:
- Purpose of Collection. We use the biometric information solely in connection with security and access control for our offices, buildings and other facilities.
- Opportunity to Consent. Where required by law and in certain other circumstances, individuals from whom we collect this information are first asked to complete and sign a release. Consent for fingerprint scan collection and the applicable release can be declined or revoked; employees may do so without any adverse employment action. Individuals who decline a scan and the applicable release must use two-factor authentication (e.g., badge and PIN) to access our facilities.
- Storage and Third-Party Disclosure. Biometric information is stored only on segregated, company-owned servers and equipment or disclosed to and stored with trusted third-party service providers who provide security, authentication, or fraud-prevention services to Freddie. We do not sell, lease, trade or otherwise profit from biometric data.
- Disclosure for Legal Purposes. Freddie will not otherwise disclose any biometric information to anyone other than as described above or as required by law.
- Retention. Freddie retains biometric information only until, and permanently destroys such data when, the initial purpose for collection or obtaining such biometric information has been satisfied. Typically, this occurs within 30 days of the date when an individual who works for or with Freddie Mac and requires access to our facilities last interacts with Freddie Mac (typically when they stop working for or with us). In all cases, permanent destruction occurs no later than one (1) year after that date.
- Data Security. Freddie Mac uses, and requires its vendors who store or have access to biometric information to use, a reasonable standard of care to store, transmit and protect from disclosure any biometric information collected. Such storage, transmission, and protection from disclosure is performed in a manner that is the same as or more protective than the manner in which we store, transmit and protect from disclosure other confidential and sensitive information, including personal information that can be used to uniquely identify an individual.
For questions about this policy or other privacy matters at Freddie Mac, contact: [email protected].
Revision Effective Date: April 13, 2021