The European Commission'snew consultation on RFIDhighlights
its importance to the Commission, particularly as far as security
and privacy are concerned, write Vinod Bange and Catherine
White of law firm Eversheds. Issues include whether
organisations simply have too much data about people, the so-called
Big Brother syndrome, and the risk of interception of data during
its transmission.
By looking at the existing legal framework it is possible to
identify organisational and technical measures to minimise data
protection risks, but defining the exact degree of risk can be more
complex. To minimise risks, organisations should pay close
attention to the legal contracts governing the relationships
between the parties involved in the production and use of
RFID technology. Planning ahead is key.
Measures to protect data
Shoppers are beginning to get comfortable with the idea of RFID
tags to manage stock control. But what about the use of RFID tags
that personally link the shopper with the item purchased?
In such a case, the information is personal data as defined in
the
Data
Protection Act 1998, as it relates to an identifiable
individual. This means that the user of the RFID tag must ensure
that principles relating to the collection and use of the
information are adhered to, or face the prospect of sanctions.
The
Act's
7th principle tasks data controllers with taking measures to
prevent unauthorised or unlawful processing and to guard against
the risks of accidental loss, destruction or damage to data.
The measures fall into two categories:
- technical measures, such as installing a
firewall or encryption
- organisational measures, such as adequate
access control
Implementing such measures are expected practice for data
controllers, but assessing what the measures are intended to
protect against can be a challenge. There is no statutory
security risk profile. The obligation is on the data controller
to assess the shape of the security risk profile and apply
protective measures to minimise that risk.
Technical measures
Recently, smartcards have appeared with increased functionality
- for example,
to pay for low-value items - but greater functionality can
increase risk.
One way of boosting the technical safeguards could be to use
cryptography. However,
encryption requires a chip big enough (both in size and
processing power) to hold sufficient data, which could be
problematic if the RFID tag needs to be small and passive. When
deciding on chip type and the level of encryption, if any, consider
the potential threat if the data was cloned or misused. RFID tags
must be tailored to the level of threat of interception and misuse
of data they contain.
Finally, post-transmission, consideration must be given to the
integration of the RFID data into existing systems that hold or use
it.
What's around the corner?
The European Commission consultation points toward
self-regulation via codes of conduct endorsed by each EU country's
data regulator. This will affect key sectors such as retail where
self-regulatory measures should include:
- telling consumers if a product contains RFID tags
- explaing the privacy implications to consumers
- an RFID tag deactivation option at the point of sale
Time will tell if sectors such as retail readily adopt the
suggested self-regulatory measures, and whether this implementation
assuages the public's fears about increased RFID usage in the
longer term.
Vinod Bange and Catherine White work at law firm
Eversheds
RFID: expert view >>
What CIOs should do about security in 2008 >>
Infosecurity: the lessons of sumo >>