Thought for the day: The ethical use of RFID

The Data Protection Act will dictate how RFID is used, says Gillian Cameron

New Asset  
The Data Protection Act will dictate how RFID is used, says Gillian Cameron





Radio frequency identification (RFID), the new smart-tag technology which can help identify, distribute and keep track of practically anything, is set to have a impact on a wide variety of business sectors from manufacturing to retailing.

In fact, the US military has recently announced it will tag all its assets - apart from liquid and sand - using RFID. However, as is often the case with new technologies, RFID is currently testing and redefining the balance between efficiency and convenience and personal privacy.

It is the depth of information which can be held by these tiny intelligent devices, the ease with which they can be incorporated into products and the ability to interrogate them at a distance that have consumer groups and privacy campaigners up in arms.

A concern is that the same technology which can be used to automate supply chain management and keep track of products can also be used to follow individuals, using tags in their clothes, for example.

From a technological viewpoint, it is up to legislators and those implementing these systems to ensure they are used ethically. Distinguishing between personally identifiable data and simple product information is key to this debate and will determine the future role of RFID.

Currently, most uses of RFID involve nothing more sophisticated than tracking tagged products around a defined space. According to the Data Protection Act 1998, this does not constitute "personal data" and is, therefore, not covered by the legislation.

Diversity of use

However, this could quickly change as use of RFID becomes more diverse. For retailers, one obviously profitable application of RFID would be in loyalty and personalisation programmes. As soon as retailers move beyond simple stock-tracking and supply chain management by combining personally identifiable loyalty information with RFID-tracked goods, the handling of such data moves within the scope of the Data Protection Act.

Although this would not prohibit the collection of data from RFID tags, it would require the owners of such systems to adhere to the DataProtection Act's eight data protection principles. These principles place responsibilities on the data controller, in this case the retailer, to ensure that collection and handling of such data is dealt with fairly and lawfully.

Retailers or any other party looking to process RFID data would have to justify this under the terms of the Data Protection Act. Any processing would have to be shown to have been done in their own legitimate interests and without prejudicing any individual's rights and freedoms. Alternatively, consent could be obtained from the individual.

Although it may be possible to use other justifications, these are likely to be the most common. But for certain types of sensitive data, such as health-related information, there are more stringent requirements.

The option of consent

Obtaining consent may not only be the more legally safe option, but also less onerous than it sounds. Simply by describing how RFID data will be collected and processed on the product packaging or by using a sign it will be possible to give consumers an implicit choice: buy the product and consent to be tracked or don't buy it at all.

But if RFID is abused for competitive gain, how easy will it be to detect, let alone punish? Enforcing the Data Protection Act is mainly conducted through the investigation of complaints and, as there is no obvious processing of personal data in RFID tracking, consumers probably would not be aware their data is being abused. Therefore, the most likely course for enforcement of the Data Protection Act under the current framework would be if the Information Commissioner undertook a rare "own initiative" investigation into unscrupulous RFID system owners.

Ultimately, it is possible for sophisticated RFID tracking to be rolled out in a way that is both technologically and legally sound. Some might argue that the UK data protection regime already offers a degree of protection. However, it remains to be seen whether this is enough to deal with potential abuses or whether further legislation will be necessary.

Gillian Cameron is an IP and technology specialist with corporate lawyers Maclay Murray & Spens

Read more on Database software