Monday, June 19, 2006

Ontario Commissioner introduces RFID Guidelines

Ontario's Information and Privacy Commissioner has just produced a set of guidelines for implementing RFID technology to better protect privacy in its implementation. The guidelines are here and are being released along with a companion Practical Tips for Implementing RFID Privacy Guidelines. Earlier this month, the Commissioner released Worried about RFIDs? in video and paper form.

The Commissioner's press release is here:

Commissioner Cavoukian issues RFID Guidelines aimed at protecting privacy

TORONTO, June 19 /CNW/ - Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, today released privacy Guidelines for the growing field of radio frequency identification (RFID).

These Guidelines flow from her earlier work in 2003 when the Commissioner first identified the potential privacy concerns raised by RFID technology. Following a history of ground-breaking work on building privacy into the design of emerging technologies, these Guidelines are a natural progression of this pragmatic approach.

"I have always found it beneficial to assist those working on emerging technologies, and to be proactive whenever possible - to develop effective guidelines and codes before any problems arise," said Commissioner Cavoukian. "These made-in-Canada Guidelines provide guidance and solutions regarding item-level consumer RFID applications and uses."

EPCglobal Canada, an industry association that sets standards for electronic product codes, has been collaborating with the IPC in the development of these Guidelines, and will be seeking Board approval by its member companies to signify the association's endorsement of the Guidelines.

"This technology offers exciting benefits to consumers and businesses alike. As the trusted source for driving adoption of EPC/RFID technology for increased visibility within the supply chain, privacy is as important as anything else we are doing," said Art Smith, President and CEO, EPCglobal Canada. "We promote an environment that encourages ongoing innovation while respecting privacy issues."

RFID tags contain microchips and tiny radio antennas that can be attached to products. They transmit a unique identifying number to an electronic reader, which in turn links to a computer database where information about the item is stored. RFID tags may be read from a distance quickly and easily, making them valuable for managing inventory but pose potential risks to privacy if linked to personal identifiers. RFID tags are the next generation technology from barcodes.

Although RFID technology deployed in the supply chain management process poses little threat to privacy, item-level use of RFID tags in the retail sector, when linked to personally identifiable information, can facilitate the tracking and surveillance of individuals. The goal of these Guidelines is to alleviate concerns about the potential threat to privacy posed by this technology and to enhance openness and transparency about item-level use of RFID systems by retailers.

The Guidelines address key privacy issues regarding the use of RFID technology at an item-level in the retail sector, said Commissioner Cavoukian.

The Guidelines are based on three overarching principles, including:

  • Focus on RFID information systems, not technologies: The problem does not lie with RFID technologies themselves, but rather, the way in which they are deployed that can have privacy implications. The Guidelines should be applied to RFID information systems as a whole, rather than to any single technology component or function;
  • Build in privacy and security from the outset - at the design stage: Just as privacy concerns must be identified in a broad and systemic manner, so, too, must the technological solutions be addressed systemically. A thorough privacy impact assessment is critical. Users of RFID technologies and information systems should address the privacy and security issues early in the design stages, with a particular emphasis on data minimization. This means that wherever possible, efforts should be made to minimize the identifiability, observability and linkability of RFID data; and
  • Maximize individual participation and consent: Use of RFID information systems should be as open and transparent as possible, and afford individuals with as much opportunity as possible to participate and make informed decisions.

A companion piece to the Guidelines - Practical Tips for Implementing RFID Privacy Guidelines, is also being released by the Commissioner to help organizations put the Guidelines into practice.

The Guidelines and Practical Tips for Implementing RFID Privacy Guidelines are available on the IPC's website (

No comments: