European Commission Issues Framework for Measuring and Mitigating RFID's Privacy Impact
GS1 expects the voluntary guidelines will increase consumer trust in the technology, thereby advancing the adoption of RFID in Europe.
Apr 06, 2011—The European Commission (EC) has joined with commercial stakeholders, supply chain standards organization GS1, privacy watchdogs and the European Network and Information Security Agency (ENISA) in signing a voluntary agreement to establish guidelines for all companies in Europe, in order to address the data-protection implications of radio frequency identification technology prior to RFID tags being placed into the market.
In certain respects, Europe has led the way in RFID adoption. The technology is used by postal systems, transportation agencies, libraries and, increasingly, retailers across the European Union. And this strong adoption rate has been matched by coordinated efforts to ensure that the use of RFID does not erode Europeans' personal privacy, or the protection of personally identifiable information.
The agreement, titled "Privacy and Data Protection Impact Assessment (PIA) Framework for RFID Applications," is designed to address and protect consumer privacy proactively, before RFID tags become ubiquitous in consumer goods and services. It was created in response to a set of privacy objectives that the EC issued in 2009 (see European Commission Issues RFID Privacy Recommendations), and ENISA, the European Union agency dedicated to improving information and cyber-security across EU member-states, played an active role in its formation.
The new PIA framework is written so that all end users (referred to in the document as RFID application operators), across all industries, can use it as guidance when implementing RFID technology. The framework calls for RFID application operators to first conduct an internal review, using a simple decision tree, to determine whether a proposed deployment requires an assessment at all. If the proposed application will process or link to personal data, or if the tags will be carried by an individual, an assessment is required. The PIA itself is a four-step process: a detailed description of the application; a list of the potential risks to personal privacy that it represents; documentation of the proposed technical and organizational controls that will mitigate the identified risks; and finally a report that lays out the process in detail, explaining how each risk will be resolved and what residual risk, if any, remains.