The software application is intended to help companies assess any privacy risks that may result from their use of RFID technology, determine if they meet the European Commission's privacy recommendations and show them how to take corrective actions, if necessary.
Elizabeth Board, GS1's global public policy executive director
The PIA Tool incorporates seven months of research with some of GS1's member companies worldwide, as well as end users of RFID, including retailers and consumer product companies such as Wal-Mart, Procter & Gamble, Metro Group, headquartered in Germany, and Carrefour Group, in France.
In 2009, the European Union (EU) issued its RFID privacy recommendations that included informing consumers of the presence of RFID tags (see European Commission Issues RFID Privacy Recommendations). The recommendation is nonbinding, but is intended to provide a framework to protect data that could potentially pose a risk of privacy intrusion for a customer or business employee. The recommendation states that privacy and data-protection impact assessments should be completed at least six weeks before the technology's deployment.
In April of this year, the EC joined forces with GS1 and the European Network and Information Security Agency (ENISA), the EU agency dedicated to improving information and cyber-security, in order to establish guidelines for all companies in Europe to address the protection of data related to RFID technology (see European Commission Issues Framework for Measuring and Mitigating RFID's Privacy Impact). The European Retail Round Table (ERRT), AIM Germany, Bitkom and the A&N Electric Cooperative (ANEC) also contributed to the development of a privacy impact assessment framework. The members of GS1, ENISA and the EC agreed that with the appropriate tool, companies using RFID could answer specific questions, determine whether they had privacy risks as described in the EC recommendation, and subsequently make the necessary adjustments. The result of that effort is the GS1 EPC/RFID Privacy Impact Assessment Tool.
The PIA Tool takes users through three steps: an assessment setup, to collect general information about an organization and how it will employ RFID; an initial assessment, to determine if a detailed PIA is necessary, as well as which of the detailed assessments are applicable; and finally, the detailed assessment itself, to identify specific risks, the likelihood that those risks might occur and what the impact might be. Users could then determine which controls would be necessary to eliminate that risk. Completing the tool's assessment process, GS1 reports, could take as little as 30 minutes for those at a low risk for privacy issues, or longer for others.
Some companies, such as those utilizing RFID tags attached to pallets and cases for supply chain efficiency, may find in the initial assessment that their RFID usage poses no privacy risk, and that they would thus not need to complete the following, more detailed assessment. If that is the case, Board says, they may print the results and store those findings as proof that privacy impacts were assessed, with no risk found (this might be helpful in the case of customer complaints involving privacy risks resulting from RFID technology usage).
The PIA Tool currently available is version 1, Board says; future versions could be made available following user feedback, as well as changes to RFID technology itself, and to the ways in which it is used. In fact, she notes, it is because RFID technology and its use cases are likely to change that the EC recommendation and a self-regulation PIA application such as the GS1 EPC/RFID PIA Tool are a preferable choice to mandates about the use of RFID for securing privacy. As new use cases arise, or as existing ones change, she says, the PIA Tool can be adjusted to continue meeting the industry's needs quickly. On the other hand, she adds, privacy legislation can take years to change.
Several businesses have already announced that they will be using the tool for new applications. These include retailers Carrefour, Metro Group and Wal-Mart, as well as its Asda supermarket chain in Britain; manufacturers, like Procter & Gamble and Baxi, a maker of heating equipment; logistics provider Deutsche Post DHL; and technology provider Checkpoint Systems.
The GS1 EPC/RFID Privacy Impact Assessment Tool is currently available in English, with versions in other languages likely to be released in the future. Although the application was designed for the EC's privacy recommendations, Board encourages not only retailers but any company employing RFID to utilize the tool to assess and address privacy risks, regardless of their location.