The use of Radio Frequency Identification (otherwise known as RFID) technology
is on the increase. The broad scope of its application, and decreasing cost
of its implementation as second generation models are marketed, have lead to
RFID technology being hailed as the barcode of the future. However, many people
are concerned that the increased use of RFID in many industry sectors, and
the perceived inevitability of RFID becoming commonplace on the high street
will have data protection implications, which are at present being overlooked
by the industry.
RFID technology works by means of a tag and reader. The tag comprises an electronic
circuit contained on a silicon chip. This stores information which is transmitted
in analogue radio waves by an antenna forming part of the tag. The reader
contains an antenna and demodulator which allows it to receive the incoming
radio signal and convert it into a digital format capable of being processed
by computer. As the information contained in the tag can be programmed in
advance to include information specific to any application, RFID can be applied
to a large number of sectors.
RFID chips have a wide range of potential applications. Their use to track
products in transit is now established as a key element of logistics and
distribution industries. The US Ministry of Defence use the technology to
track weapons. The chips cannot be demagnetised and, with some models having
a surface area of just 0.3 millimetres square, the potential for covert surveillance
and information gathering is immediately apparent. The advantages of this
technology are obvious. However, concern is growing that RFID may be applied
at the consumer level to collate data and monitor individuals without the
customer being aware of the presence of the tag.
In a retail context, RFID tagging is used to perform operational functions
including efficient inventory tracking upon receipt of stock at the store,
monitoring stock levels on the shelves and again at the point of sale as a
loss prevention mechanism. However, as RFID does not rely on line of sight
scanning, there are concerns that the tags will continue to be interrogated
once the customer has left the store and information used collated to establish
customer or product profiles by linking RFID signals from other products or
clothes worn or carried by the customer.
Further examples of the application of RFID include personalised RFID tags
as an efficient form of transport ticketing or the proposed insertion of RFID
chips in credit cards. This entails details of the tag holder including their
name and address being transmitted to RFID readers. An obvious threat to personal
privacy arises when those signals are intercepted by the readers of third parties.
This threat could be circumvented by suitable encryption policies being put
in place, but calls have been made for increased regulation in this area to
safeguard individuals' data.
The Data Protection Act 1998 introduced certain rules which broadly seek to
improve individuals' access to information held about them and to safeguard
privacy. The rules apply to any person or organisation which processes personal
data relating to an individual ("a Data Controller"). For the purpose
of the legislation, "processing" includes the collection, updating,
storing, transmitting, retrieving, disclosing or destruction of personal
information. Organisations using RFID technology must ensure that such use
does not breach the data protection rules.
Individuals have the right to be informed upon request whether any personal
data relating to them is being processed by or on behalf of a Data Controller.
In addition, the individual has the right to be given a description of any
such personal data held, to be informed of the purpose for which it is used
and the class of recipient to whom the information may be disclosed. This will
have an obvious administrative and potential cost impact for any organisation
which seeks to rely upon RFID for the purpose of gathering personal information
or information from which individuals can be identified. This will be particularly
acute in the context of consumer data.
As awareness of RFID on the high street increases, civil libertarians are
pressing for increased regulation of its use. Organisations must be aware of
any new or developing rules to ensure that maximum benefit can be derived from
the technology, while remaining Data Protection compliant.
For further information on Data Protection contact Elaine McKinney on 0141
566 7202 or Elaine.firstname.lastname@example.org.