Privacy commissioner looking at RFID technology

Wants feedback from employers on implications of using radio frequency identification systems in the workplace

The privacy commissioner is shining the spotlight on the use of radio frequency identification (RFID) systems in the workplace.

Jennifer Stoddart, the Privacy Commissioner of Canada, is looking for feedback on the use of RFID in the workplace.

“While there is no doubt this technology can be used to improve productivity and enhance security, we are nevertheless concerned that it can also be used as a surveillance tool, undermining the dignity and autonomy of workers,” said Stoddart. “In applying RFID systems in the workplace, we believe it is necessary to strike a balance between the benefits to employers and the privacy of employees.”

Stoddart has prepared a consultation paper setting out recommended privacy practices for organizations that seek to harness the benefits of RFID technologies. The paper provides a brief overview of RFID technology and the privacy and security risks involved in the use of these systems.

It explains how federal privacy laws could apply to RFID systems and discusses reasonable expectations of privacy in the workplace. Finally, the paper outlines steps organizations should take before proceeding with RFID applications.

Stoddart is looking for feedback from the public on the consultation paper. She has invited employers, employees, trade unions and developers of RFID technology to answer the consultation questions in the paper.

The discussion paper is available online at http://www.privcom.gc.ca/information/pub/rfid_e.asp.

The deadline for submissions is April 30, 2008.



What is RFID?

The following is an unedited description of RFID taken from the consultation paper:

RFID is a generic term used to describe technologies that involve the use of data stored on small chips or tags which can be communicated to a reader from a distance by means of radio transmission. There are three basic components to the technology: the RFID tags themselves (which consist of an antenna attached to a microchip), the RFID readers, and the supporting database infrastructure (hardware and software). It is important to define the term RFID broadly, because the technical capabilities and distinctions among RF technologies will evolve over time.

A significant feature of RFID technology is that tags do not require a direct line of sight for reading and may be read through hard material such as book covers or other packaging material. Further, more than one tag can be read at a time. Each tag can identify the specific object to which it is attached, even if that object is one of a multitude of identical items. When using bar codes, for example, one bottle of water has the same barcode as all other bottles of water of that particular brand. RFID technology enables each individual bottle to have its own unique ID.

RFID is a family of technologies that varies greatly in its level of sophistication and capacity. For example, supply chain tags, known as EPC (Electronic Product Code) tags, are designed to be simple, cheap and disposable. To keep the cost of the tag as low as possible, EPC tags carry very little data in on-board memory. By contrast, some tags have the capacity to store significant amounts of data, including biometric data.

Other technologies in the RF family, such as contactless cards or “smart cards” are RF devices that may have additional layers of security. Proponents of contactless card technology argue that it is a much more complex technology. For example, in secure card access applications, the contactless smart card-based device can verify that the reader is authentic and can provide its own authentication to the reader before starting a secure transaction.11 As well, communication between the contactless smart card-based device and the reader can be encrypted to prevent eavesdropping. Yet from the perspective of employee and workplace privacy, smart cards and RFID tags raise essentially the same privacy issues. While smart cards may offer enhanced security and authenticity features, the good practices set out in this document are applicable equally to the collection of personal data through RFID and through the use of smart cards because both pose risks to privacy.

Not all devices that use radio frequencies are RFID technology. For example, anti-theft devices attached to consumer items in stores operate using radio frequencies, but they do not contain the unique identifiers that are a feature of RFID technology.

Sensors (or “motes”) also form part of the wireless device RF family. Sensors are small hardware devices that respond to physical stimulus and produce an electronic signal, similar to RFID tags, which emit information about their environments, such as movement, light, temperature or humidity. Sensors generally contain batteries and can have similar applications to the more complex RFID tags, such as sensing whether or not a secure port container has been opened.

There are also “chipless” RFID systems, where tiny chemical particles with varying degrees of magnetism respond when they are queried by a reader. A contemplated application for this RF technology would be embedding the particles in, or printing them on, paper and having readers placed inside copy machines to prevent unauthorized copying.

To the extent that any of these technologies are used in the workplace to monitor the activities or whereabouts of employees, or to gather data on identifiable employees, the good practices set out in this document will apply.

To read the full story, login below.

Not a subscriber?

Start your subscription today!