Thought for the day:
The ethical use of RFID
- Posted:
- 16:01 07 Sep 2004
- Topics:
- IT Legislation & Regulation | Regulatory Compliance
Radio frequency identification (RFID), the new smart-tag
technology which can help identify, distribute and keep track of
practically anything, is set to have a impact on a wide variety of
business sectors from manufacturing to retailing.
In fact, the US military has recently announced it will tag all its
assets - apart from liquid and sand - using RFID. However, as is
often the case with new technologies, RFID is currently testing and
redefining the balance between efficiency and convenience and
personal privacy.
It is the depth of information which can be held by these tiny
intelligent devices, the ease with which they can be incorporated
into products and the ability to interrogate them at a distance
that have consumer groups and privacy campaigners up in arms.
A concern is that the same technology which can be used to automate
supply chain management and keep track of products can also be used
to follow individuals, using tags in their clothes, for
example.
From a technological viewpoint, it is up to legislators and those
implementing these systems to ensure they are used ethically.
Distinguishing between personally identifiable data and simple
product information is key to this debate and will determine the
future role of RFID.
Currently, most uses of RFID involve nothing more sophisticated
than tracking tagged products around a defined space. According to
the Data Protection Act 1998, this does not constitute "personal
data" and is, therefore, not covered by the legislation.
Diversity of use
However, this could quickly change as use of RFID becomes more
diverse. For retailers, one obviously profitable application of
RFID would be in loyalty and personalisation programmes. As soon as
retailers move beyond simple stock-tracking and supply chain
management by combining personally identifiable loyalty information
with RFID-tracked goods, the handling of such data moves within the
scope of the Data Protection Act.
Although this would not prohibit the collection of data from RFID
tags, it would require the owners of such systems to adhere to the
DataProtection Act's eight data protection principles. These
principles place responsibilities on the data controller, in this
case the retailer, to ensure that collection and handling of such
data is dealt with fairly and lawfully.
Retailers or any other party looking to process RFID data would
have to justify this under the terms of the Data Protection Act.
Any processing would have to be shown to have been done in their
own legitimate interests and without prejudicing any individual's
rights and freedoms. Alternatively, consent could be obtained from
the individual.
Although it may be possible to use other justifications, these are
likely to be the most common. But for certain types of sensitive
data, such as health-related information, there are more stringent
requirements.
The option of consent
Obtaining consent may not only be the more legally safe option, but
also less onerous than it sounds. Simply by describing how RFID
data will be collected and processed on the product packaging or by
using a sign it will be possible to give consumers an implicit
choice: buy the product and consent to be tracked or don't buy it
at all.
But if RFID is abused for competitive gain, how easy will it be to
detect, let alone punish? Enforcing the Data Protection Act is
mainly conducted through the investigation of complaints and, as
there is no obvious processing of personal data in RFID tracking,
consumers probably would not be aware their data is being abused.
Therefore, the most likely course for enforcement of the Data
Protection Act under the current framework would be if the
Information Commissioner undertook a rare "own initiative"
investigation into unscrupulous RFID system owners.
Ultimately, it is possible for sophisticated RFID tracking to be
rolled out in a way that is both technologically and legally sound.
Some might argue that the UK data protection regime already offers
a degree of protection. However, it remains to be seen whether this
is enough to deal with potential abuses or whether further
legislation will be necessary.
Gillian Cameron is an IP and technology
specialist with corporate lawyers Maclay Murray &
Spens
