RFID - tracking privacy through the process

The retail applications for Radio Frequency Identification (RFID) – ranging from general inventory management and improving customer service, to the development of item level remote tracking - has the potential to revolutionise the shopping experience.

RFID is an easy way for retailers to store information about their products on small tags attached to individual items. Unlike a barcode, they do not need to be individually scanned, but instead allow identification using radio waves. Some tags can be read from several metres away and beyond the line of sight of the reader.

While many retail organisations are considering or adopting projects involving RFID in their stock management or logistics processes, earlier this month Ofcom produced a report on future communications technology. This report looked further ahead, considering how wireless food content scanners may change the way we shop, helping consumers identify items suitable for dietary requirements. Ofcom is keen to keep such new technologies under review to monitor any changes required to the regulatory regime in the UK, but at the present time, it does not see any such need.

However, this increased ability to track stock inventory has brought with it new concerns about privacy. Many legislative bodies are now putting their thinking caps on around these privacy issues. If remote sensors can be used to track stock inventory without contact, how will this impact upon the consumers of this inventory?

The results of a European Commission public consultation on the impact on privacy of RFID will soon be published. However, the Commission has already made it clear that while it considers the technology to be a useful one for industry and individuals, a precondition for the successful take-up of RFID is that it be introduced by industry in full respect of privacy, and that consumers remain in full control of their personal data.

The intention is that by summer 2008, a recommendation will be published requiring:

• Operators to conduct a risk assessment prior to deploying an RFID application to ensure privacy risks have been properly evaluated.
• The establishment of codes of conduct governing the use of RFID.
• The provision of a minimum level of information to users of tagged products, such as the purpose of the application or the identity of the operator.
• The use of information security measures when deploying RFID applications, such as using technology when deploying such applications (not superseded technology).
• The retail sector to take additional precautions when a product containing an RFID tag is sold. The Commission is considering a harmonised sign that would inform consumers when RFID tags are used. In addition, to guarantee consumer choice and control, RFID tags that contain personal data should be automatically deactivated at the "point of sale", unless the consumer decides otherwise.

RFID has clear benefits for the retail sector, but issues such as privacy need to be considered at an early stage in any project, to build in privacy controls and avoid expensive adjustments later on. The Information Commissioner, who regulates the processing of personal data in the UK, has encouraged the use of Privacy Impact Assessments where projects which may affect privacy are to be rolled out, publishing a handbook explaining the process required.