company news about GS1 Releases Privacy-Assessment Tool for European RFID Users

By Claire Swedberg

Nov. 23, 2011—Global standards organization GS1 has released a software application intended to help European companies assess any privacy risks that might result from their use of radio frequency identification, as well as guide them in eliminating those risks. The Microsoft Excel-based tool is designed to help firms comply with European Commission (EC) recommendations for safeguarding the privacy of consumers and others who may be in contact with RFID technology. The GS1 EPC/RFID Privacy Impact Assessment (PIA) Tool can be downloaded free of charge from GS1's Web site.

Elizabeth Board, GS1's global public policy executive director, explains that companies can use the PIA Tool to conduct self-assessments of privacy risks resulting from their use of RFID technology and the data related to that usage. The tool poses a series of questions enabling companies to determine their privacy risks, and thus where they may need to make improvements to address them. The EC RFID privacy recommendations, as well as the PIA Tool, are directed primarily at retailers and suppliers of consumer goods, because in this industry, the technology may directly impact consumers (for example, customers may see RFID tags on products they intend to buy), but the PIA Tool and EC recommendations are applicable to any company that may be employing RFID within their operations.

Elizabeth Board, GS1's global public policy executive director

The PIA Tool incorporates seven months of research with some of GS1's member companies worldwide, as well as end users of RFID, including retailers and consumer product companies such as Wal-Mart, Procter & Gamble, Metro Group, headquartered in Germany, and Carrefour Group, in France.

In 2009, the European Union (EU) issued its RFID privacy recommendations that included informing consumers of the presence of RFID tags (see European Commission Issues RFID Privacy Recommendations). The recommendation is nonbinding, but is intended to provide a framework to protect data that could potentially pose a risk of privacy intrusion for a customer or business employee. The recommendation states that privacy and data-protection impact assessments should be completed at least six weeks before the technology's deployment.

In April of this year, the EC joined forces with GS1 and the European Network and Information Security Agency (ENISA), the EU agency dedicated to improving information and cyber-security, in order to establish guidelines for all companies in Europe to address the protection of data related to RFID technology (see European Commission Issues Framework for Measuring and Mitigating RFID's Privacy Impact). The European Retail Round Table (ERRT), AIM Germany, Bitkom and the A&N Electric Cooperative (ANEC), also contributed in the development of a privacy impact assessment framework. The members of GS1, ENISA and the EC agreed that with the appropriate tool, companies using RFID could answer specific questions, determine whether they had privacy risks as described in the EC recommendation, and subsequently make the necessary adjustments. The result of that effort is the GS1 EPC/RFID Privacy Impact Assessment Tool.

The PIA Tool takes users through three steps: an assessment setup, to collect general information about an organization and how it will employ RFID; an initial assessment, to determine if a detailed PIA is necessary, as well as which of the detailed assessments are applicable; and finally, the detailed assessment itself, to identify specific risks, the likelihood that those risks might occur and what the impact might be. Users could then determine which controls would be necessary to eliminate that risk. Completing the tool's assessment process, GS1 reports, could take as little as 30 minutes for those at a low risk for privacy issues, or longer for others.

Some companies, such as those utilizing RFID tags attached to pallets and cases for supply chain efficiency, may find in the initial assessment that their RFID usage poses no privacy risk, and that they would thus not need to complete the following, more detailed assessment. If that is the case, Board says, they may print the results and store those findings as proof that privacy impacts were assessed, with no risk found (this might be helpful in the case of customer complaints involving privacy risks resulting from RFID technology usage).

The PIA Tool currently available is version 1, Board says; future versions could be made available following user feedback, as well as changes to RFID technology itself, and to the ways in which it is used. In fact, she notes, it is because RFID technology and its use cases are likely to change that the EC recommendation and a self-regulation PIA application such as the GS1 EPC/RFID PIA Tool are a preferable choice to mandates about the use of RFID for securing privacy. As new use cases arise, or as existing ones change, she says, the PIA Tool can be adjusted to continue meeting the industry's needs quickly. On the other hand, she adds, privacy legislation can take years to change.

 

Several businesses have already announced that they will be using the tool for new applications. These include retailers Carrefour, Metro Group and Wal-mart, as well as its Asda supermarket chain in Britain; manufacturers, like Procter & Gamble and Baxi, a maker of heating equipment; logistics provider Deutsche Post DHL; and technology providers Checkpoint Systems.

The GS1 EPC/RFID Privacy Impact Assessment Tool is currently available in English, with versions in other languages likely to be released in the future. Although the application was designed for the EC's privacy recommendations, Board encourages not only retailers but any company employing RFID to utilize the tool to assess and address privacy risks, regardless of their location.