RFID, data security and the law


The European Commission's new consultation on RFID highlights its importance to the Commission, particularly as far as security and privacy are concerned, write Vinod Bange and Catherine White of law firm Eversheds. The issues include whether organisations simply hold too much data about people (the so-called Big Brother syndrome) and the risk that data is intercepted while it is transmitted between tag and reader.

By looking at the existing legal framework it is possible to identify organisational and technical measures to minimise data protection risks, but defining the exact degree of risk can be more complex. To minimise risks, organisations should pay close attention to the legal contracts governing the relationships between the parties involved in the production and use of RFID technology. Planning ahead is key.

Measures to protect data

Shoppers are beginning to get comfortable with the idea of RFID tags to manage stock control. But what about the use of RFID tags that personally link the shopper with the item purchased?

In such a case, the information is personal data as defined in the Data Protection Act 1998, as it relates to an identifiable individual. This means that the user of the RFID tag must ensure that principles relating to the collection and use of the information are adhered to, or face the prospect of sanctions.

The Act's 7th principle tasks data controllers with taking measures to prevent unauthorised or unlawful processing and to guard against the risks of accidental loss, destruction or damage to data.

The measures fall into two categories:

  • technical measures, such as firewalls or encryption
  • organisational measures, such as adequate access control over who may read or use the data

Implementing such measures is expected practice for data controllers, but assessing what the measures are intended to protect against can be a challenge. There is no statutory security risk profile. The obligation is on the data controller to assess the shape of the security risk profile and apply protective measures to minimise that risk.

Technical measures

Recently, smartcards have appeared with increased functionality - for example, to pay for low-value items - but greater functionality can increase risk.

One way of boosting the technical safeguards could be to use cryptography. However, cryptographic operations need a chip with enough circuitry, memory and power budget to run them, which can be problematic if the RFID tag needs to be small and passive, drawing all of its power from the reader's field. When deciding on chip type and the level of encryption, if any, consider the potential harm if the data were cloned or misused: a tag that simply answers with a fixed identifier can be copied by anyone who has read it once. RFID tags must be tailored to the level of threat of interception and misuse of the data they contain.
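To make the cloning point concrete, the following is an added example written for this page, not code from the authors or from any RFID product. It simulates two kinds of tag talking to a reader: one that answers every query with a fixed identifier, and one that holds a secret key and answers a fresh reader challenge with a keyed checksum. The tag identifier, key and message layout are constructed for the demonstration, and HMAC-SHA256 stands in for whatever lightweight cipher a real low-cost tag could actually run; the lesson is the same for any challenge-response scheme.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the demonstration (not from the article):
# an 8-byte tag identifier and a 16-byte per-tag secret shared with the reader.
TAG_ID = bytes.fromhex("e2003412dc03011d")
TAG_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MAC_LEN = 8  # truncated tag length, an assumption for this example


class StaticTag:
    """Tag that answers every query with a fixed identifier (no cryptography)."""

    def __init__(self, tag_id: bytes) -> None:
        self.tag_id = tag_id

    def respond(self, challenge: bytes) -> bytes:
        # The reader's challenge is ignored; the answer never changes, so
        # whatever an eavesdropper captured once is enough to impersonate the tag.
        return self.tag_id


class AuthTag:
    """Tag that proves possession of a key without ever transmitting it.

    HMAC-SHA256 stands in for a lightweight cipher; the essential property is
    that the answer depends on the reader's fresh, unpredictable challenge.
    """

    def __init__(self, tag_id: bytes, key: bytes) -> None:
        self.tag_id = tag_id
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self.key, self.tag_id + challenge, hashlib.sha256).digest()
        return self.tag_id + mac[:MAC_LEN]


def reader_verify_static(response: bytes, known_ids: set) -> bool:
    """A reader for static tags can only check that the identifier is on its list."""
    return response in known_ids


def reader_verify_auth(response: bytes, challenge: bytes, key_db: dict) -> bool:
    """Recompute the expected answer for this challenge and compare in constant time."""
    tag_id, tag_mac = response[:len(TAG_ID)], response[len(TAG_ID):]
    key = key_db.get(tag_id)
    if key is None:
        return False
    expected = hmac.new(key, tag_id + challenge, hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(tag_mac, expected)


def run_demo() -> dict:
    """Eavesdrop on one genuine exchange of each kind, then replay it to the reader."""
    known_ids = {TAG_ID}
    key_db = {TAG_ID: TAG_KEY}

    # Static tag: the attacker records the answer and plays it back later.
    static_tag = StaticTag(TAG_ID)
    captured_static = static_tag.respond(secrets.token_bytes(8))
    static_genuine = reader_verify_static(static_tag.respond(secrets.token_bytes(8)), known_ids)
    static_clone = reader_verify_static(captured_static, known_ids)

    # Authenticating tag: the attacker records (challenge, answer) from one
    # exchange, but the reader issues a new random challenge next time.
    auth_tag = AuthTag(TAG_ID, TAG_KEY)
    old_challenge = secrets.token_bytes(8)
    captured_auth = auth_tag.respond(old_challenge)
    new_challenge = secrets.token_bytes(8)
    auth_genuine = reader_verify_auth(auth_tag.respond(new_challenge), new_challenge, key_db)
    auth_replay = reader_verify_auth(captured_auth, new_challenge, key_db)

    return {
        "static_genuine": static_genuine,
        "static_clone": static_clone,
        "auth_genuine": auth_genuine,
        "auth_replay": auth_replay,
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The replayed static identifier is accepted, while the replayed authenticated answer is rejected because it was computed for a challenge the reader will never issue again. Note what the cryptography does not buy: the tag identifier itself is still sent in clear in this design, so the privacy concern about linking a shopper to an item is not addressed by authentication alone, and the key database on the reader side becomes a new asset to protect.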

Finally, post-transmission, consideration must be given to the integration of the RFID data into existing systems that hold or use it.

What's around the corner?

The European Commission consultation points toward self-regulation via codes of conduct endorsed by each EU country's data regulator. This will affect key sectors such as retail where self-regulatory measures should include:

  • telling consumers if a product contains RFID tags
  • explaining the privacy implications to consumers
  • an RFID tag deactivation option at the point of sale

Time will tell if sectors such as retail readily adopt the suggested self-regulatory measures, and whether this implementation assuages the public's fears about increased RFID usage in the longer term.

Vinod Bange and Catherine White work at law firm Eversheds
