What is RFID and should I worry about privacy issues associated with the technology?
RFID (radio frequency identification) technology is an electronic identification method that uses radio frequency signals in various applications. The most common uses are retail security and inventory management. RFID tags are essentially tiny computer chips (embedded in objects) that emit radio signals, transmitted to readers allowing for non-contact reading. RFID readers interrogate RFID chips to receive the identification number and other data.
Bar codes, which were historically the primary means of tracking products, are now giving way to RFID systems. This is because the chips offer data capacity (allowing for the provision of unique identifiers for all products worldwide), read-write capability, and allow the identification of tagged objects at a distance and through a variety of materials and substances. Along with optimizing inventory and business systems, it has added convenience to consumers’ lives.
Key privacy risk considerations
Privacy risks arise with the linking of RFID technology, with its unique identifier capability, to personally identifiable information facilitating the tracking and profiling of individual activity. Currently in corporate Canada there is no known public example of RFID linked with customer personal information and thus subject to privacy laws.
For an organization’s use of RFID technology to be subject to privacy laws in Canada, the RFID would have to be used to collect personal information, to create a link to personally identifying data, to create individual profiles or otherwise associated with personal information, as defined by privacy laws in Canada.
Under PIPEDA, the term “personal information” is defined as information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.
Some examples of RFID technology use not affected by privacy laws include on-vehicle tags for automated vehicle identification, capturing accurate information about the location or status of products and tracking them as they move from the assembly line to the retail store, and using RFID tags on clothing in a retail environment to control theft.
Mitigation consideration checklist
When privacy laws in Canada do not apply, the following are the key mitigation considerations for the use of RFID technology by organizations in consumer applications:
- Provide notice to consumers that the use of RFID technology is not linked to their personal information; and
- Provide notice to consumers about how it is used.
When privacy laws in Canada apply, the following are the key mitigation considerations for the use of RFID technology by organizations in consumer applications:
- Establish privacy policies, procedures and practices related to the use of RFID technology which must include obtaining consent to collect, use and disclose RFID-linked personal information taking into account the nature, sensitivity and intended use of products and customers’ right to challenge the organization’s compliance with privacy principles;
- Ensure that privacy protections are built into the design phase of the RFID system;
- Conduct regular audits on the use and security of RFID technology and ensure compliance with policies and procedures;
- Consider alternatives to the technology which achieve the same goal without collecting any personal information;
- Designate an accountable individual to be responsible for compliance;
- Conduct robust and comprehensive employee training and awareness on the privacy concerns and practices related to the use RFID technology;
- Provide to customers clear, conspicuous and readily available notice of RFID policies and practices regarding the collection, use, retention and disclosure of linked customer information and the existence of any databases. The complaints process must also be clearly indicated;
- Conduct tag reading openly and communicate the specific purposes for which personal information is being collected and obtain customers’ prior informed consent for collection, use or disclosure;
- Ensure data is not captured remotely without warning and without consent being provided;
- Ensure that RFID-linked personal information is collected, used or disclosed only for reasonable purposes;
- Notify customers if products contain a RFID tag through clear and conspicuous labeling;
- Use prominent signage to notify customers of RFID readers on the premises and identify the individual (and provide contact information) who can answer questions about the system and its use;
- Permit customers, upon the return of a product, to have their personal information de-linked from the item;
- Collect only personal information necessary for the disclosed purpose and limit disclosure to authorized persons and for authorized purposes;
- Permit individuals to remove, deactivate, destroy tags or otherwise refuse the technology without penalty for products that are worn or carried by them or which may reveal sensitive information;
- If requested advise customers what personal information, if any, is stored inside their RFID tags or otherwise linked to them and account fully for the uses and disclosures;
- If requested, facilitate customer access to RFID-linked personal information for rectification;
- Implement methods to maintain the accuracy of personal information collected by the technology and used to make decisions affecting individuals;
- Implement physical, technological and administrative safeguards to secure the unique tag data linked to personal information and to secure the information while being transmitted, accessed or destroyed. Access must be limited to authorized persons; and
- Implement retention procedures and practices including permanent destruction mechanisms after the purpose for which the RFID-linked customer information was collected and used are exhausted. Once the decision is made destruction must be conducted as quickly as possible.
Nymity Inc. is a privacy research firm based in Toronto providing solutions to help organizations manage the risks that lead to data breaches, privacy complaints or to non-compliance or over-compliance with privacy laws.
Contact the editor