In recent years, RFID (radio frequency identification) has caught the attention of privacy watchdogs, civil organizations and the general public. Its ability to identify and track items as well as individuals raises a number of privacy and security concerns, while the potential for integration into numerous contexts has increased with the development of technology. Discussion and integration of RFID in the workplace, retail situations and other environments should be informed by a number of privacy-respecting practices that will be explored in this article.
What is RFID?
RFID is a term for a group of technologies that enable machines to identify objects. This may include bar codes, smart cards, optical character readers, biometric technologies and more. RFID uses radio waves to identify items. Its first application was the identification of aircraft during WWII. Since then, developments in technology have reduced the cost and increased potential applications of RFID technology. The automatic identification offered by RFID is attractive to many organizations and retail stores, as it reduces the time and labor necessary to manually input data and to improve data accuracy.
There are three components in an RFID system:
- Tag: this is usually made up of a microchip unit, antenna and encapsulating material. Microchips can store up to two kB of data. This may be information about a certain product, such as its destination or sell-by date. An RFID system may include multiple tags.
Tags are also referred to as transponders. They can be read-only or read-write tags. “Read-only” means that the information on the tags cannot be changed in any way. Read-write tags can have the information modified or erased multiple times. Since they offer greater functionality, their price is much higher than read-only tags.
- Reader: this is a device that has at least one antenna to communicate with the RFID tag. It emits radio waves and receives signals back from the tag. The reader passes digital information to a computer system. Readers are also known as interrogators. They can be portable, handheld devices or fixed terminals positioned in strategic places, such as loading bays or doorways.
- Infrastructure: this includes the necessary hardware and software for supporting the RFID system. The RFID software translates the data from the tag into the information about the goods and orders. This information is transmitted into other databases and applications for processing.
How can RFID be used?
RFID technology has and will be applied in a variety of public and private sector organizations. Uses include:
- Product Integrity – to ensure that products are authentic and untampered with
- Supply Chain Management – to monitor and control the flow of goods through the supply chain (i.e. from raw material to finished product to consumer)
- Warranty Services – goods with tags incorporated into the materials, in order to facilitate warranty services
- ID, Travel & Ticketing – to verify the identity of the traveller; to ensure that travel documents are genuine
- Baggage Tracking – to monitor and control the movement of baggage (e.g. from check-in to loading)
- Patient Care & Management – to rapidly, accurately verify patient information (e.g. allergies, prescription, health history, etc.)
According to the Canadian PIAC (Public Interest Advocacy Center), RFID technology presents a challenge to Canadian privacy legislation. The basic surveillance capabilities of RFID are unlikely to violate privacy, though the PIPEDA significantly limits the use of RFID for consumer surveillance purposes.
However, later Office of the Privacy Commissioner of Canada (OPC) research indicated that there were significant concerns regarding the use of RFID in the workplace. Through a number of public consultations, the OPC was able to establish the perspectives of academics, RFID vendors, industry groups and private citizens. Numerous privacy threats were identified:
Repeated collection of information
- Since RFID tags are very small, they can easily be embedded on/in objects or documents without the individual’s knowledge. It is possible to read RFID tags through fabric, plastic and other materials, as radio waves are not restricted to line of sight. Tags can also be read from a distance. These factors render it impossible for individuals to know if/when he/she is being scanned.
- If there is a sufficient network of RFID readers, the tags can be tracked in time and space. This is possible through a combination of GPS (Global Positioning Systems) and RIFD technologies.
- RFID technology means that each object has its own unique identification. This contrasts bar code technology, which gives the same identification to all similar objects (e.g. in a grocery store, all orange juice cartons of the same brand have the same bar code). If unique identifiers are associated with individuals, then profiles of purchasing habits can be compiled.
- Creating profiles and tracking individual movement can be linked to other information which the individual may not want revealed.
- RFID records may be linked with personally identifying data, which may facilitate any of the other privacy threats listed previously.
The OPC recommends that the ten principles of the CSA Model Code, as well as the PIPEDA form the basis for an RFID privacy management framework. OPC research responds to each of the ten CSA principles, with respect to RFID technologies:
- Accountability – Who has access to and who is accountable for the data generated by RFID systems, as well as other data collection systems in the workplace?
- Identifying Purposes – RFID systems that are used for legitimate business purposes (e.g. supply chain management) are more likely to be supported than RFID systems used for secondary purposes or surveillance (e.g. employee surveillance, workforce management). The OPC identified that industry standards, policies or guidelines can help to ensure that the data collected through these systems are used and disclosed for identified purposes.
- Consent – Meaningful consent must be secured before an RFID system is implemented. However, there is the challenge of securing meaningful and completely voluntary consent in a workplace setting.
- Limiting Collection – Reasonable expectations of privacy must be balanced with reasonable management of RFID systems. While reasonable expectations of employees are important, the reasonable management of the RFID system is the employer’s responsibility. This involves the protection of employee privacy.
- Limiting Use, Disclosure & Retention – The issue of RFID implants was a significant concern for OPC and other groups who were consulted, as implants present significant privacy and security issues. For instance, employee conduct might be monitored during and after work hours, at lunch, during vacation, and for tracking physical movements and conduct. This may pose a serious security issue.
Employers should limit the collection of personally identifiable information, including RFID-related data. Data from RFID systems should not be linked to other databases, unless there is a proven need.
- Accuracy – It is the responsibility of the employer to ensure that personal information is accurate, complete and up to date for the purposes for which it is to be used. An audit trail might be established and maintained regarding the lifecycle of the RFID data.
- Safeguards – RFID systems that contain personal information must be protected in a way that is proportionate to its sensitivity. Employers should be made accountable for any breach of RIFD technology. Protecting data in each distinct part of the system is an effective approach to safeguarding employee privacy.
- Openness – For instance, hidden tags or readers should not be implemented. Clients, employees and/or unions should be consulted before RFID systems are installed. Tags and readers ought to be in plain sight, never used for covert surveillance.
- Individual Access – Individuals (e.g. clients, employees, union leaders) should be guaranteed access to any personally identifiable data generated by RFID systems.
- Challenging Compliance – Individuals ought to be able to challenge compliance with other principles. This may be the ability to make inquiries or lodge a complaint if necessary.
After examining each principle individually, the OPC stated some guiding applications for the implementation of RFID technology in a way that respects Fair Information Practices:
- If the RIFD chip has an individual’s personal information contained on it, then it is defined as a repository of personal information.
- If the tag is unique, it can be associated with an individual. The tag becomes a unique identifier for that individual.
- Personal information includes information about possessions, purchases or behaviors that can be processed to create a profile.
This article provides a brief introduction to RFID (radio frequency identification) technology. It explores some uses of this technology in consumer and work settings. Privacy concerns regarding RFID systems are raised. The article also offers some responses and recommendations made by the Privacy Commissioner of Canada regarding implementation of RFID technology.
In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:
- CSA Model Code for the Protection of Personal Information (II.A.a.i.)
- Radio Frequency Identification (RFID) (V.A.a.5.)
- Security threats and vulnerabilities (V.A.b.)
- Information management (V.c.i.)