EU: New data protection guidelines for use of RFID applications
Category: News | By: M. Schröder, N. Bichler - 2B Advice GmbH - the privacy benchmark
On April 6, 2011 the European Commission endorsed an industry voluntary commitment to data protection in the use of RFID. The commitment obliges companies to analyze the data protection risks of an RFID application in a "PIA" (Privacy and Data Protection Impact Assessment) and to take appropriate measures in response.
The tiny radio tags have become indispensable in today's world. All of us have already encountered RFIDs. They are found in all areas of everyday life, from bus tickets to the loading of containers. When RFIDs are used, a significant amount of personal data may be accumulated. To protect privacy and address the concerns of those affected, the industry has established a process for risk assessment and risk avoidance, which has now been endorsed by the EU Commission.
This so-called PIA framework defines the procedures for risk analysis and risk avoidance. A PIA is divided into two phases. In the first phase, the controller (the RFID application operator) checks whether any personal data are processed and thus whether a PIA is required at all. If one is required, the controller must decide whether a full or a partial analysis is necessary: the full study (Full Scale PIA) covers more details and a larger scope of evaluation than the partial examination (Small Scale PIA). Which of the two is needed depends on the type of data processing, which is classed into four levels, from level 0 to level 3. The higher the level, the more personal data are processed and the higher the requirements for the PIA.
The second phase of the PIA is the risk analysis and breakdown of security measures.
Companies should therefore direct their attention to the design of their procedures for handling RFID. Where RFID technology is used, the PIA gives the company the opportunity to inspect its RFID process in a structured and detailed way. A successfully completed PIA can serve to win and strengthen the confidence of the individuals affected.
The data protection officer should consider aligning the (preliminary) check of an RFID process with the PIA.
Further information:
ec.europa.eu/information_society/policy/rfid/documents/rfidpiapressrelease.pdf
ec.europa.eu/information_society/policy/rfid/documents/infso-2011-00068.pdf
