New Ontario RFID guidelines emphasize ‘consumer consent’


Consumer consent must be obtained before personal information linked to a radio frequency identification (RFID) tag is collected, used and disclosed, according to a new set of guidelines issued by Ontario’s Information and Privacy Commission (IPC).

The guidelines also recommend automatic deactivation of the tags at the point of sale. Consumers should be able to choose to re-activate the tags at a later date, repurpose them, or otherwise have control over the manner in which tags interact with RFID readers.

Ann Cavoukian, Ontario’s Information and Privacy Commissioner said data protection has evolved to include the right of people to exercise control over personal information. “The right may be expressed as informational self-determination. Privacy protection extends to exerting controls over the collection, use and disclosure of personal information.”

The guidelines released earlier this week flow from the IPC’s work in 2003, when Cavoukian first identified potential privacy concerns raised by RFID technology.

“These made-in-Canada guidelines provide guidance and solutions regarding item-level consumer RFID applications and uses,” she said.

Considered the natural evolution of barcodes, RFID tags contain microchips and tiny radio antennas that can be attached to products. The device transmits a unique identifying number to an electronic reader, which in turn links to a computer database where information about the item is stored. The tags can be read from a distance quickly and easily, making them valuable for managing inventory.

The IPC considers RFID tags as a minimal threat to privacy when deployed for supply chain management purposes. However, item-level use of the tags in the retail sector, when linked to personally identifiable data, can facilitate tracking and surveillance of individuals, the IPC said.

The issue of whether RFID threatens personal privacy is a controversial one.

Some experts say the dangers of the technology, in this regard, have been highly exaggerated.

Marc Giroux, systems engineer for Symbol Technologies Inc. of Holtsville, NY, says RFID is sometimes given a bad rap based on a misunderstanding of the technology.

In a talk last month in Toronto Giroux refuted some common objections – specifically, that RFID is an intrusive technology, and that it may abet unauthorized access to private information. “The idea that RFID could lead to identity theft or to uncontrolled release of personal data is a myth,” he said. “RFID tags are nothing more than barcodes. A person without access to the database that interprets the barcode cannot access personal information.”

In that sense, he said, an RFID tag is much like a car license plate that’s also linked to a bunch of personal information about the car owner. “But that information is secured. Not everyone can access it. It’s the same with RFID.” He said it’s helpful to think of an RFID tag as a “license plate number tied to a database. Without database access, all you’ve got is a bunch of [meaningless] numbers.”

Far from impinging on consumer rights, he said, visibility and traceability capabilities offered by EPC/RFID technology can be used to protect the consumer. He cited the instance of how RFID is being “effectively” used to prevent the theft of OxyCotin, a synthetic morphine-based pain killer – and “one of the most addictive, black marketed and counterfeited prescription drugs ever.”

In the past, he said, some dishonest distributors used to open OxyCotin bottles shipped to them, remove a couple of capsules from each bottle, and then reseal the bottles. “Basically, they were skimming off the top; the [stolen] pills would be sold for $100 – $200 in the black market, and nobody would know.”

Giroux said OxyCotin manufacturers, Purdue Pharma L.P. in Stamford, Conn. have been able to contain this practice by putting RFID tags on every bottle shipped to the distributor network. These tags enable the company to track the journey of every bottle – where it has been, where it is, and where it’s going. (E-pedigree software from SupplyScape in Cambridge, Mass. tracks the flow of serial and lot numbers and RFID-tag data. Project information is shared through a secure, internal database). “Now every single [OxyCotin] prescription is also tracked,” Geroux said. “Which doctor has prescribed it, and which pharmacy it’s coming from. You have visibility and traceability.

The Ontario Privacy Commission’s guidelines are based on the principle that the problem does not lie with RFID technology, but with the way it is sometimes deployed

It directs that privacy and security issues be built into the development of devices early in the design stage; and use of RFID information systems should be transparent and afford individuals as much opportunity to participate and make informed decisions.

Apart from emphasizing the importance of consent and control, the 10-point guidelines also stipulate that retailers or organizations appoint a person who would be accountable for compliance and training of personnel on the use of the technology.

Organizations, it says, should clearly communicate in a timely and effective manner to consumers the purpose of collecting personal data.

It also places an onus on retailers not to collect or link an RFID tag to personally identifiable information indiscriminately, covertly or through misleading statements or actions.

Instead, it says, the individual’s consent must be obtained to use, disclose or link personal information for any new purpose. The data should only be retained for the stated purpose, protected from theft or unauthorized use and destroyed securely.

Personal and related RFID-linked data must be accurate and kept up-to-date for the stated purposes, especially when used to make decisions affecting the individual.