What is RFID?

RFID is a term for a group of technologies that enable machines to identify objects. This may include bar codes, smart cards, optical character readers, biometric technologies and more. RFID uses radio waves to identify items. Its first application was the identification of aircraft during WWII. Since then, developments in technology have reduced the cost and increased potential applications of RFID technology. The automatic identification offered by RFID is attractive to many organizations and retail stores, as it reduces the time and labor necessary to manually input data and to improve data accuracy.

There are three components in an RFID system:

1. Tag: this is usually made up of a microchip unit, antenna and encapsulating material. Microchips can store up to two kB of data. This may be information about a certain product, such as its destination or sell-by date. An RFID system may include multiple tags.

Tags are also referred to as transponders. They can be read-only or read-write tags. “Read-only” means that the information on the tags cannot be changed in any way. Read-write tags can have the information modified or erased multiple times. Since they offer greater functionality, their price is much higher than read-only tags.

1. Reader: this is a device that has at least one antenna to communicate with the RFID tag. It emits radio waves and receives signals back from the tag. The reader passes digital information to a computer system. Readers are also known as interrogators. They can be portable, handheld devices or fixed terminals positioned in strategic places, such as loading bays or doorways.
2. Infrastructure: this includes the necessary hardware and software for supporting the RFID system. The RFID software translates the data from the tag into the information about the goods and orders. This information is transmitted into other databases and applications for processing.

How can RFID be used?

RFID technology has and will be applied in a variety of public and private sector organizations. Uses include:

• Product Integrity – to ensure that products are authentic and untampered with
• Supply Chain Management – to monitor and control the flow of goods through the supply chain (i.e. from raw material to finished product to consumer)
• Warranty Services – goods with tags incorporated into the materials, in order to facilitate warranty services
• ID, Travel & Ticketing – to verify the identity of the traveller; to ensure that travel documents are genuine
• Baggage Tracking – to monitor and control the movement of baggage (e.g. from check-in to loading)
• Patient Care & Management – to rapidly, accurately verify patient information (e.g. allergies, prescription, health history, etc.)

Privacy Issues

According to the Canadian PIAC (Public Interest Advocacy Center), RFID technology presents a challenge to Canadian privacy legislation. The basic surveillance capabilities of RFID are unlikely to violate privacy, though the PIPEDA significantly limits the use of RFID for consumer surveillance purposes.

However, later Office of the Privacy Commissioner of Canada (OPC) research indicated that there were significant concerns regarding the use of RFID in the workplace. Through a number of public consultations, the OPC was able to establish the perspectives of academics, RFID vendors, industry groups and private citizens. Numerous privacy threats were identified:

Repeated collection of information

• Since RFID tags are very small, they can easily be embedded on/in objects or documents without the individual’s knowledge. It is possible to read RFID tags through fabric, plastic and other materials, as radio waves are not restricted to line of sight. Tags can also be read from a distance. These factors render it impossible for individuals to know if/when he/she is being scanned.

Tracking Movements

• If there is a sufficient network of RFID readers, the tags can be tracked in time and space. This is possible through a combination of GPS (Global Positioning Systems) and RIFD technologies.

Profiling Individuals

• RFID technology means that each object has its own unique identification. This contrasts bar code technology, which gives the same identification to all similar objects (e.g. in a grocery store, all orange juice cartons of the same brand have the same bar code). If unique identifiers are associated with individuals, then profiles of purchasing habits can be compiled.

Secondary Use

• Creating profiles and tracking individual movement can be linked to other information which the individual may not want revealed.

Massive Data Aggregation

• RFID records may be linked with personally identifying data, which may facilitate any of the other privacy threats listed previously.

OPC Responses

The OPC recommends that the ten principles of the CSA Model Code, as well as the PIPEDA form the basis for an RFID privacy management framework. OPC research responds to each of the ten CSA principles, with respect to RFID technologies:

1. Accountability – Who has access to and who is accountable for the data generated by RFID systems, as well as other data collection systems in the workplace?
2. Identifying Purposes – RFID systems that are used for legitimate business purposes (e.g. supply chain management) are more likely to be supported than RFID systems used for secondary purposes or surveillance (e.g. employee surveillance, workforce management). The OPC identified that industry standards, policies or guidelines can help to ensure that the data collected through these systems are used and disclosed for identified purposes.
3. Consent – Meaningful consent must be secured before an RFID system is implemented. However, there is the challenge of securing meaningful and completely voluntary consent in a workplace setting.
4. Limiting Collection – Reasonable expectations of privacy must be balanced with reasonable management of RFID systems. While reasonable expectations of employees are important, the reasonable management of the RFID system is the employer’s responsibility. This involves the protection of employee privacy.
5. Limiting Use, Disclosure & Retention – The issue of RFID implants was a significant concern for OPC and other groups who were consulted, as implants present significant privacy and security issues. For instance, employee conduct might be monitored during and after work hours, at lunch, during vacation, and for tracking physical movements and conduct. This may pose a serious security issue.

Employers should limit the collection of personally identifiable information, including RFID-related data. Data from RFID systems should not be linked to other databases, unless there is a proven need.

1. Accuracy – It is the responsibility of the employer to ensure that personal information is accurate, complete and up to date for the purposes for which it is to be used. An audit trail might be established and maintained regarding the lifecycle of the RFID data.
2. Safeguards – RFID systems that contain personal information must be protected in a way that is proportionate to its sensitivity. Employers should be made accountable for any breach of RIFD technology. Protecting data in each distinct part of the system is an effective approach to safeguarding employee privacy.
3. Openness – For instance, hidden tags or readers should not be implemented. Clients, employees and/or unions should be consulted before RFID systems are installed. Tags and readers ought to be in plain sight, never used for covert surveillance.
4. Individual Access – Individuals (e.g. clients, employees, union leaders) should be guaranteed access to any personally identifiable data generated by RFID systems.
5. Challenging Compliance – Individuals ought to be able to challenge compliance with other principles. This may be the ability to make inquiries or lodge a complaint if necessary.

After examining each principle individually, the OPC stated some guiding applications for the implementation of RFID technology in a way that respects Fair Information Practices:

• If the RIFD chip has an individual’s personal information contained on it, then it is defined as a repository of personal information.
• If the tag is unique, it can be associated with an individual. The tag becomes a unique identifier for that individual.
• Personal information includes information about possessions, purchases or behaviors that can be processed to create a profile.

Summary

This article provides a brief introduction to RFID (radio frequency identification) technology. It explores some uses of this technology in consumer and work settings. Privacy concerns regarding RFID systems are raised. The article also offers some responses and recommendations made by the Privacy Commissioner of Canada regarding implementation of RFID technology.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

• CSA Model Code for the Protection of Personal Information (II.A.a.i.)
• Radio Frequency Identification (RFID) (V.A.a.5.)
• Security threats and vulnerabilities (V.A.b.)
• Information management (V.c.i.)

The Model Code was largely based on the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, created by the Organization for Economic Cooperation and Development (OECD). While the Code remains a voluntary standard, it enjoys strong support and endorsement by a variety of Canadian companies as the national standard on privacy protection.

In April 2000, the Personal Information Protection and Electronic Documents Act (PIPEDA) became law. The CSA Model Code forms an important component of the PIPEDA.

What is the CSA?

The CSA is an independent, not-for-profit association that aims to serve national and international businesses, industries, governments and consumers. As a leader in standards development, the CSA involved with product certification; quality and environmental management systems registration; and information products. The CSA is a membership organization governed by a Board of Directors who are both elected and appointed.

Standards are written and developed by volunteer committees made up of representatives from government, industry, consumer groups and users. Committees are facilitated by CSA employees and use a consensus-based approach to decide on the contents of a standard and to determine if the standard will be published.

Developing the Code

The Code intends to balance the privacy rights of individuals with legitimate data requirements of industries, businesses and institutions. It was developed by a 45-member committee with representatives from the main groups concerned with personal privacy issues in Canada. Committee representatives included:

• Federal and provincial governments
• Consumer advocates
• Organized labor
• Security and IT experts
• Industries including:
  • Financial services
  • Telecommunications
  • Cable television
  • Direct marketing

What does the Code say?

The Code outlines basic guidelines for the protection of personal data. It addresses two main issues:

I)             How organizations collect, use, disclose and protect personal information.

II)            How individuals access and correct personal information collected by the organizations.

Organizations who choose to follow the Code demonstrate that they are handling the information they collect fairly. The Code offers consumers, employees and other data subjects a means for challenging an organization’s practices.

The Code is based on ten interrelated principles:

1. Accountability

This principle states that an organization is responsible for personal information under its control. The organization should designate an individual or individuals to be accountable for the organization’s compliance with the principles stated in the Code. An organization needs to implement policies and practices that will help them respect the principles.

2. Identifying Purposes

An organization should identify the purposes for collecting information at or before the time of collection. This will enable the organization to determine which information needs to be collected in order to meet their needs. This goes hand in hand with the Limiting Collection principle (#4). Depending on the manner in which information is collected, this principle can be fulfilled orally or in writing. For example, an application form may explain the purposes of information collection to an individual.

3. Consent

Where it is appropriate, an individual must have knowledge of and give consent to the collection, use or disclosure of personal information. An organization should make a reasonable effort to inform individuals of the purposes for collecting information. Consent should be meaningful; the purposes should be explained in such a way that the individual can reasonably understand the use and disclosure of their personal information. Individuals are entitled to withdraw consent at any time.

4. Limiting Collection

Personal information should only be collected as necessary for the purposes that the organization has identified. This includes limiting the amount and type of information. The information should be collected by fair and lawful means.

5. Limiting Use, Disclosure and Retention

An organization should not use personal information for new purposes, unless it has the consent of the individual, or as required by law. Personal data should only be retained as long as is necessary to fulfill the organization’s stated purposes. An organization should develop specific guidelines and procedures governing the destruction of personal information.

6. Accuracy

In order to meet the intended purposes, personal information should be accurate, complete and up-to-date. This principle aims to minimize the possibility that incorrect information is used to make a decision about an individual. This also applies to information disclosed to third parties.

7. Safeguards

An organization should implement appropriate security safeguards to protect the personal information collected. The appropriate safeguard should be determined by the sensitivity, amount, distribution, format and method of storage of the information. Employees in the organization should be aware that confidentiality of personal information should be maintained.

8. Openness

An organization should be open about its personal information policies and practices. Individuals should be able to access an organization’s policies and practices relatively easily. The method of disseminating such information depends on the nature of the organization. This may include brochures, mail to customers, online access or toll-free information lines.
9. Individual Access

Individuals should be informed of the existence, use and disclosure of their personal information. Individuals should have access to their personal information and be able to question and correct the accuracy and completeness of this information.

10. Challenging Compliance

Individuals should be able to challenge an organization’s compliance with the above principles. The person accountable for an organization’s compliance will be responsible for dealing with inquiries, challenges or complaints. An organization should investigate all complaints and if it is necessary, adjust its policies and practices appropriately.

Implementation

The Code is meant to be used by any organization that collects or uses personal information. Such organizations may include:

• Financial institutions
• Service providers
• Retailers
• Direct marketers
• Telecommunications companies
• Product manufacturers
• Schools
• Universities
• Hospitals
• Government agencies

As organizational compliance with the Code is purely voluntary, organizations may incorporate the ten principles in its policies to varying degrees. The Quality Management Institute (QMI) has a program that recognizes three levels of compliance:

Tier 1: Declaration

An organization declares its compliance with the code by signing a code of ethics or statement of their information protection principles.

Tier 2: Verification

An organization submits documented policies and procedures to the QMI, which may conduct on-site audits in order to confirm compliance with the Code.

Tier 3: Registration

The QMI reviews the organization’s documentation and carries out an audit. This establishes compliance with the CSA Model Code and with ISO 9001 or 9002.

Blind Spots

Since its introduction, a number of critiques of the Code have arisen. Many of these critiques point to the vagueness in interpretation, which have led to confusion, loss of confidence and decreased utility of the Code. Due to differences in meaning and application of the Code, a number of cases have been taken to the Canadian Privacy Commissioner. This process is slowly eliminating some uncertainties in the Code.

Some gray areas of the Code include:

• The issue of collecting personal information from or about children is not mentioned.
• Different types of consent are not distinguished (e.g. express, implied and deemed consent).
• The Code does not elaborate upon the issue of notice. What constitutes a reasonable effort to advise an individual on collection of personal information?
• It is unclear if retention of personal information constitutes a “use” under the Code. If so, retention would require consent from the individual.
• The Code does not require businesses to explain the purposes of personal information collection to its customers. This has led to widespread failure of customer service representatives to reasonably explain the purposes of information collection to the ordinary consumer.
• The principle of openness is only encouraged, rather than required.

Summary

The CSA Model Code for the Protection of Personal Information presented a foundation for Canadian privacy protection legislation, such as the PIPEDA. A number of Canadian businesses and organizations have modeled their own privacy codes, policies and practices on this standard. Individuals have also used the Code to understand their privacy rights and protect their personal information. Over time, provisions in need of greater clarity or strengthening have been identified in the CSA Code.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

• Canadian Standards Association (II.A.a.)
• Model Code for the Protection of Personal Information: CAN/CSA-Q830-96 (II.A.a.i.)