Tuesday, May 12, 2009

RFID Privacy and Data Protection Principles

Contributed by Joanne C. Kelleher

The Commission of The European Communities issued a recommendation today “on the implementation of privacy and data protection principles in applications supported by radio-frequency identification.”

Their “recommendation provides guidance to Member States on the design and operation of RFID applications in a lawful, ethical and socially and politically acceptable way, respecting the right to privacy and ensuring protection of personal data.”

Here is a summary of the recommendations:
  • Develops a framework for privacy and data protection impact assessments
  • Identify those applications that might raise information security threats then develop new schemes, or apply existing schemes, in order to demonstrate that an appropriate level of information security and protection of privacy is established in relation to the assessed risks.
  • Develop and publish a concise, accurate and easy to understand information policy for each RFID application and inform individuals of the presence of RFID readers for the application.
  • Inform individuals of the presence of RFID tags that are placed on or embedded in products in the retail trade, determine whether tags placed on or embedded in products sold to consumers through retailers by others represent a likely threat to privacy or the protection of personal data and deactivate or remove at the point of sale tags used in their application.
  • Take appropriate measures to inform and raise awareness among public authorities and companies of the potential benefits and risks associated with the use of RFID technology, especially information security and privacy aspects.
  • Stimulate and support the introduction of the ‘security and privacy by design’ principle at an early stage in the development of RFID applications.
These first two recommendations sound awfully familiar to those involved in the RFID Security Alliance. Performing risk assessments, which should cover both data protection and privacy issues, and then implementing the appropriate level of security and protection is a recommendation that we have been making since the RFIDSA’s formation. We also support designing privacy and security into the application at the beginning of the technology development process, not shoehorning it in at the end (like with DVDs).

I also found several of the Commission’s reasons behind these recommendations (the “whereas” clauses in the beginning of the document) to be right on target:

6.) Because of its potential to be both ubiquitous and practically invisible, particular attention to privacy and data protection issues is required in the deployment of RFID. Consequently, privacy and information security features should be built into RFID applications before their widespread use (principle of ‘security and privacy-bydesign’).

13.) RFID application operators should take all reasonable steps to ensure that data does not relate to an identified or identifiable natural person through any means likely to be used by either the RFID application operator or any other person, unless such data is processed in compliance with the applicable principles and legal rules on data protection.

19.) An assessment of the privacy and data protection impacts carried by the operator prior to the implementation of an RFID application will provide the information required for appropriate protective measures. Such measures will need to be monitored and reviewed throughout the lifetime of the RFID application.

22.) RFID applications with implications for the general public, such as electronic ticketing in public transport, require appropriate protective measures. RFID applications that affect individuals by processing, for example, biometric identification data or health related data, are especially critical with regard to information security and privacy and therefore require specific attention.

26.) Research and development on low-cost privacy-enhancing technologies and information security technologies is essential at Community level to promote a wider take-up of these technologies under acceptable conditions.

A full copy of the document, issued May 12, 2009, is at http://ec.europa.eu/information_society/policy/rfid/documents/recommendationonrfid2009.pdf. Also check out their RFID page at http://ec.europa.eu/information_society/policy/rfid/index_en.htm.

No comments: