
Focus: RFID and Automated Identification and Data Collection (AIDC)


From SCDigest's OnTarget e-Magazine

May 19, 2011

RFID and AIDC News: Understanding Europe's RFID Privacy and Data Protection Framework - And Whether Companies in US Should Consider such a Process


Framework Calls for Companies to Document Process for Categorizing Privacy/Security Risks - and How They Will be Mitigated

SCDigest Editorial Staff

Earlier this year, an arm of the European Commission issued a framework for companies developing or deploying RFID-based applications to manage privacy and data protection concerns.

With Europe clearly leading the US in thinking about these sorts of issues, a review of that document is worthwhile for those considering RFID technologies across the globe. The full document is available here: Privacy and Data Protection Impact Assessment Framework for RFID Applications.


The report says that the term "privacy impact assessment," or PIA, is used to describe the process of assessing how a given RFID application may impact the privacy of others or present data security issues.

By conducting formal PIAs using a standardized process, companies, be they technology vendors or firms deploying RFID applications, can:

• Establish and maintain compliance with privacy and data protection laws and regulations [of which there is little in the US today, we note]

• Manage risks to their organization and to users of the RFID application (both privacy and data protection compliance-related and from the standpoint of public perception and consumer confidence)

• Provide public benefits of RFID applications while evaluating the success of privacy by design efforts at the early stages of the specification or development process

The report notes that a PIA process will help "uncover the privacy risks associated with an RFID application, assess their likelihood, and document the steps taken to address those risks. These impacts (if any) could vary significantly, depending on the presence or lack of personal information processing by the RFID application."

It also says that this general framework could be subsequently used to develop more specific industry-based, sector-based, and/or application-based PIA templates.

Noteworthy is the fact that the output of the PIA process for each application is a report "that is made available to competent authorities."

It is not clear who these "competent authorities" are. Would it include any privacy group that wanted to interrogate a company (say a retailer) about its RFID program, for example? Just the government?

The report says that "The manner in which the PIA should be made available (e.g., upon request or not) will be determined by member states [of the European Union]. In particular, the use of special categories of data may be taken into account, as well as other factors such as the presence of a "data protection officer" at a company."

Regardless, the PIA framework has two phases:

1. Initial Analysis Phase, in which a company determines whether a PIA of its RFID application is required and, if so, whether a full or small scale PIA is warranted.

2. Risk Assessment Phase, which outlines the criteria and elements of full and small scale PIAs (see below).

Key to all this is the "level" of information an RFID tag may capture or contain. For example, applications that process personal information are deemed to be at Level 2, while applications where the RFID tag contains personal data are a Level 3. While both Level 2 and Level 3 result in a "full scale" PIA, they will have different mitigation strategies because of the different levels of risk involved.

For example, the report says that Level 2 applications may need to have controls to protect back-end data, while Level 3 applications may have controls to protect both back-end data and tag data.

The report contains a graphic of the decision tree shown below that RFID developers should follow to determine what level of analysis and report, if any, is necessary.


RFID PIA Decision Tree

In the risk assessment stage of the recommendation, an application developer determines, with regard to privacy/security:

1. The significance of a risk and the likelihood of its occurrence

2. The magnitude of the impact should the risk occur

The resulting risk level can then be classified as low, medium or high.

A risk that the report says has caused a lot of debate is that RFID tags could be used for profiling and/or tracking of individuals. In this case the RFID tag's information, in particular its identifier(s), would be used to re-identify a particular individual.

Retailers who pass RFID tags on to customers without automatically deactivating or removing them at the checkout may unintentionally enable this risk. A key question, however, is whether this risk is likely and actually materializes into an "undismissable" risk or not.

Referencing other European guidelines, the report says that even in the case where there is personal data, retailers are not required to deactivate or remove tags if the PIA report concludes that tags that are used in a retail application and would remain operational after the point of sale do not represent a likely threat to privacy or the protection of personal data.

Regardless, the PIA report would document how a company proceeded through the four steps of this process, and how decisions were made on these privacy/security issues at each phase.

The report notes that "To save time and cost, it is recommended to run through [the initial] risk assessment phase well before final decisions on an RFID application’s architecture are taken so that technical privacy mitigation strategies can be embedded into the system’s design, and do not need to be ‘bolted on’ later."

There is more detail of course in the full report, but it is clear Europe is taking the lead on addressing these issues, and that this could have lots of implications for companies operating in the Euro zone and eventually inside the US and elsewhere. While some RFID privacy legislation has been proposed here with limited actual adoption, the stakes are probably less high than in Europe, but some companies may want to consider using the PIA process to assuage customer or regulator fear of RFID-related privacy and security issues even in the absence of such regulation.

That said, there is still a lot of subjective judgment involved here that could cause a company problems if it made such PIA analysis public or available to groups requesting the documents.


What is your opinion of this RFID privacy framework? Should companies in the US use such a process? Should the reports be made available? Let us know your thoughts at the Feedback button below.

