CEN/TR 16684:2014
(Main)Information technology - Notification of RFID - Additional information to be provided by operators
Information technology - Notification of RFID - Additional information to be provided by operators
This Technical Report is to assist operators of applications in areas where radio frequency interrogators are deployed, to identify the types of information that are called for in the recommendation.
The Technical Report provides all the current information to assist operators to develop and publish a concise accurate and easy to understand information policy for each of their applications.
The policy should at least include:
— the identity and address of the operators;
— the purpose of the application;
— what data are to be processed by the application, in particular if personal data will be processed, and whether the location of tags will be monitored;
— a summary of the privacy and data protection impact assessment;
— the likely privacy risks, if any, relating to the use of tags in the application and the measures that individuals can take to mitigate these risks.
Informationstechnik - Notifizierung von RFID: Zusätzliche vom Betreiber zur Verfügung zu stellende Information
Technologies de l’information - Notification d'identification par radiofréquence (RFID) - Informations complémentaires à fournir par les opérateurs
Informacijska tehnologija - Priglasitev uporabe radiofrekvenčne prepoznave (RFID) - Dodatne informacije, ki jih morajo zagotoviti izvajalci
To tehnično poročilo je namenjeno pomoči izvajalcem aplikacij na področjih, kjer se uporabljajo bralniki radijskih frekvenc, za določanje tipa informacij, ki so zahtevane v priporočilu. Tehnično poročilo zagotavlja vse trenutne informacije za pomoč izvajalcem pri razvoju in objavi jedrnate, točne in jasne informacijske politike za vsako od uporab//aplikacij???//. Politika naj bi vsebovala najmanj: - ime in naslov izvajalca; - namen uporabe; - kateri podatki se pri uporabi obdelajo, zlasti če bodo obdelani osebni podatki in če bo nadzorovana lokacija oznak; - povzetek ocene vpliva na zasebnost in varnost podatkov; - možna tveganja za zasebnost, povezana z uporabo oznak pri aplikaciji, in ukrepe, ki jih lahko izvedejo posamezniki, da omilijo ta tveganja.
General Information
Standards Content (Sample)
SLOVENSKI STANDARD
01-september-2014
Informacijska tehnologija - Priglasitev uporabe radiofrekvenčne prepoznave (RFID)
- Dodatne informacije, ki jih morajo zagotoviti izvajalci
Information technology - Notification of RFID - Additional information to be provided by
operators
Notifizierung von RFID: Zusätzliche vom Betreiber zur Verfügung zu stellende
Information
Technologies de l’information - Notification d'identification par radiofréquence (RFID) -
Informations complémentaires à fournir par les opérateurs
Ta slovenski standard je istoveten z: CEN/TR 16684:2014
ICS:
03.080.99 Druge storitve Other services
35.040.50 Tehnike za samodejno Automatic identification and
razpoznavanje in zajem data capture techniques
podatkov
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
TECHNICAL REPORT
CEN/TR 16684
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
June 2014
ICS 35.240.60
English Version
Information technology - Notification of RFID - Additional
information to be provided by operators
Technologies de l'information - Notification d'identification Informationstechnik - Notifizierung von RFID: Zusätzliche
par radiofréquence (RFID) - Informations complémentaires vom Betreiber zur Verfügung zu stellende Information
à fournir par les opérateurs
This Technical Report was approved by CEN on 8 March 2014. It has been drawn up by the Technical Committee CEN/TC 225.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TR 16684:2014 E
worldwide for CEN national Members.
Contents Page
Foreword .3
0 Introduction .4
0.1 General .4
0.2 Overview .4
1 Scope .7
2 Terms and definitions .7
3 CCTV as an Exemplar .7
4 The RFID European Emblem . 10
4.1 General . 10
4.2 Guidelines on the use of the Common European RFID emblem . 11
4.3 Definition of the Common European RFID Notification Sign . 11
4.4 Placement of signs . 12
4.4.1 General . 12
4.4.2 Presence of Readers . 12
4.4.3 Placement of signs notifying the presence of readers . 12
4.4.4 Presence of tags . 12
4.5 Who should place signage on tagged items . 13
4.6 Size of emblem . 14
5 Guidelines on additional information . 14
5.1 General . 14
5.2 Name of the operator of the application . 15
5.2.1 Name . 15
5.2.2 Contact point . 15
5.3 Purpose of the application . 15
5.4 Data processed . 16
5.5 Summary of the privacy impact assessment . 16
5.5.1 PIA report date . 16
5.5.2 RFID application operator . 16
5.5.3 RFID application overview . 16
5.5.4 Data on the RFID tag . 17
5.6 Likely privacy risks . 17
5.7 Measures to mitigate the risks . 17
5.8 Privacy information policy for RFID. 18
5.8.1 General . 18
5.8.2 Consumer and members of the public choice information – promotional material . 18
5.8.3 Consumer and members of the public choice information – sales material and pre-
contract information . 19
5.8.4 Consumer and members of the public choice information – means of conveying the
information . 19
5.8.5 Consumer and members of the public privacy information accessibility . 19
5.8.6 Privacy related contractual and privacy policy information . 20
5.8.7 Consumer and members of the public post sale user privacy information . 20
5.8.8 Consumer and members of the public information – means of conveying the post sale
user privacy information . 21
5.9 Consumer and public information – non application operator RFID privacy information . 21
Annex A (informative) RFID applications in retail . 22
Annex B (informative) RFID applications in library . 25
Annex C (informative) RFID applications in transportation . 26
Annex D (informative) RFID applications in banking . 31
Bibliography . 34
Foreword
This document (CEN/TR 16684:2014) has been prepared by Technical Committee CEN/TC 225 “AIDC
technologies”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
This Technical Report is one of a series of related deliverables, which comprise mandate 436 Phase 2.
The other deliverables are:
— EN 16570, Information technology — Notification of RFID — The information sign and additional
information to be provided by operators of RFID application systems
— EN 16571, Information technology — RFID privacy impact assessment process
— EN 16656, Information technology — Radio frequency identification for item management - RFID Emblem
(ISO/IEC 29160:2012, modified)
— CEN/TS 16685, Information technology — Notification of RFID — The information sign to be displayed in
areas where RFID interrogators are deployed
— CEN/TR 16669, Information technology — Device interface to support ISO/IEC 18000-3 Mode 1
— CEN/TR 16670, Information technology — RFID threat and vulnerability analysis
— CEN/TR 16671, Information technology — Authorisation of mobile phones when used as RFID
interrogators
— CEN/TR 16672, Information technology — Privacy capability features of current RFID technologies
— CEN/TR 16673, Information technology — RFID privacy impact assessment analysis for specific sectors
— CEN/TR 16674, Information technology — Analysis of privacy impact assessment methodologies relevant
to RFID
0 Introduction
0.1 General
In response to the growing deployment of RFID systems in Europe, the European Commission published in
2007 the Communication COM(2007) 96 ‘RFID in Europe: steps towards a policy framework’. This
Communication proposed steps which needed to be taken to reduce barriers to adoption of RFID whilst
respecting the basic legal framework safeguarding fundamental values such as health, environment, data
protection, privacy and security.
In December 2008, the European Commission addressed Mandate M/436 to CEN, CENELEC and ETSI in the
field of ICT as applied to RFID systems. The Mandate M/436 was accepted by the ESOs in the first months of
2009. The Mandate addresses the data protection, privacy and information aspects of RFID, and is being
executed in two phases. Phase 1, completed in May 2011, identified the work needed to produce a complete
framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report TR 187
020, which was published in May 2011.
Phase 2 is concerned with the execution of the standardization work programme identified in the first phase.
This document will provide the additional information of the RFID application that will need to be provided to a
citizen by accessing the source identified on the sign where the RFID application is operating. This information
will be aligned with the details set out in the Recommendation, but some of this might not be available at the
outset, a TR is the preferred form of initial delivery to establish basic requirements.
0.2 Overview
th
On March 15 2007, the European Commission presented to the European Parliament a communication
about the steps towards a Policy Framework for Radio Frequency Identification in Europe. Here below is an
extract:
"COMMISSION RECOMMENDATION of 2009/05/12 on the implementation of privacy and data protection
principles in applications supported by radio-frequency identification {SEC (2009) 585}{SEC (2009) 586}.
Radio frequency identification (RFID) is a technology that allows automatic identification and data capture by
using radio frequencies. The salient features of this technology are that they permit the attachment of a unique
identifier and other information – using a microchip – to any object, animal or even a person, and to read this
information through a wireless device. RFID is not just "electronic tags" or "electronic barcodes". When linked
to databases and communications networks, such as the Internet, this technology provides a very powerful
way of delivering new services and applications, in potentially any environment.
RFID technology is indeed seen as the gateway to a new phase of development of the Information Society,
often referred to as the "internet of things" in which the internet does not only link computers and
communications terminals, but potentially any of our daily surrounding objects – be they clothes, consumer
goods, etc. It is this prospect that provoked the European Council of December 2006 to ask the European
Commission to review the challenges of the next generation of Internet and networks at the 2008 Spring
Council.
RFID is of policy concern because of its potential to become a new motor of growth and jobs, and thus a
powerful contributor to the Lisbon Strategy, if the barriers to innovation can be overcome. The production price
of RFID tags is now approaching a level that permits wide commercial and public
...
SLOVENSKI STANDARD
01-september-2014
,QIRUPDFLMVNDWHKQRORJLMD3ULJODVLWHYXSRUDEHUDGLRIUHNYHQþQHSUHSR]QDYH5),'
'RGDWQHLQIRUPDFLMHNLMLKPRUDMR]DJRWRYLWLL]YDMDOFL
Information technology - Notification of RFID - Additional information to be provided by
operators
Notifizierung von RFID: Zusätzliche vom Betreiber zur Verfügung zu stellende
Information
Technologies de l’information - Notification d'identification par radiofréquence (RFID) -
Informations complémentaires à fournir par les opérateurs
Ta slovenski standard je istoveten z: CEN/TR 16684:2014
ICS:
03.080.99 Druge storitve Other services
35.020 Informacijska tehnika in Information technology (IT) in
tehnologija na splošno general
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
TECHNICAL REPORT
CEN/TR 16684
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
June 2014
ICS 35.240.60
English Version
Information technology - Notification of RFID - Additional
information to be provided by operators
Technologies de l'information - Notification d'identification Informationstechnik - Notifizierung von RFID: Zusätzliche
par radiofréquence (RFID) - Informations complémentaires vom Betreiber zur Verfügung zu stellende Information
à fournir par les opérateurs
This Technical Report was approved by CEN on 8 March 2014. It has been drawn up by the Technical Committee CEN/TC 225.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TR 16684:2014 E
worldwide for CEN national Members.
Contents Page
Foreword .3
0 Introduction .4
0.1 General .4
0.2 Overview .4
1 Scope .7
2 Terms and definitions .7
3 CCTV as an Exemplar .7
4 The RFID European Emblem . 10
4.1 General . 10
4.2 Guidelines on the use of the Common European RFID emblem . 11
4.3 Definition of the Common European RFID Notification Sign . 11
4.4 Placement of signs . 12
4.4.1 General . 12
4.4.2 Presence of Readers . 12
4.4.3 Placement of signs notifying the presence of readers . 12
4.4.4 Presence of tags . 12
4.5 Who should place signage on tagged items . 13
4.6 Size of emblem . 14
5 Guidelines on additional information . 14
5.1 General . 14
5.2 Name of the operator of the application . 15
5.2.1 Name . 15
5.2.2 Contact point . 15
5.3 Purpose of the application . 15
5.4 Data processed . 16
5.5 Summary of the privacy impact assessment . 16
5.5.1 PIA report date . 16
5.5.2 RFID application operator . 16
5.5.3 RFID application overview . 16
5.5.4 Data on the RFID tag . 17
5.6 Likely privacy risks . 17
5.7 Measures to mitigate the risks . 17
5.8 Privacy information policy for RFID. 18
5.8.1 General . 18
5.8.2 Consumer and members of the public choice information – promotional material . 18
5.8.3 Consumer and members of the public choice information – sales material and pre-
contract information . 19
5.8.4 Consumer and members of the public choice information – means of conveying the
information . 19
5.8.5 Consumer and members of the public privacy information accessibility . 19
5.8.6 Privacy related contractual and privacy policy information . 20
5.8.7 Consumer and members of the public post sale user privacy information . 20
5.8.8 Consumer and members of the public information – means of conveying the post sale
user privacy information . 21
5.9 Consumer and public information – non application operator RFID privacy information . 21
Annex A (informative) RFID applications in retail . 22
Annex B (informative) RFID applications in library . 25
Annex C (informative) RFID applications in transportation . 26
Annex D (informative) RFID applications in banking . 31
Bibliography . 34
Foreword
This document (CEN/TR 16684:2014) has been prepared by Technical Committee CEN/TC 225 “AIDC
technologies”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
This Technical Report is one of a series of related deliverables, which comprise mandate 436 Phase 2.
The other deliverables are:
— EN 16570, Information technology — Notification of RFID — The information sign and additional
information to be provided by operators of RFID application systems
— EN 16571, Information technology — RFID privacy impact assessment process
— EN 16656, Information technology — Radio frequency identification for item management - RFID Emblem
(ISO/IEC 29160:2012, modified)
— CEN/TS 16685, Information technology — Notification of RFID — The information sign to be displayed in
areas where RFID interrogators are deployed
— CEN/TR 16669, Information technology — Device interface to support ISO/IEC 18000-3 Mode 1
— CEN/TR 16670, Information technology — RFID threat and vulnerability analysis
— CEN/TR 16671, Information technology — Authorisation of mobile phones when used as RFID
interrogators
— CEN/TR 16672, Information technology — Privacy capability features of current RFID technologies
— CEN/TR 16673, Information technology — RFID privacy impact assessment analysis for specific sectors
— CEN/TR 16674, Information technology — Analysis of privacy impact assessment methodologies relevant
to RFID
0 Introduction
0.1 General
In response to the growing deployment of RFID systems in Europe, the European Commission published in
2007 the Communication COM(2007) 96 ‘RFID in Europe: steps towards a policy framework’. This
Communication proposed steps which needed to be taken to reduce barriers to adoption of RFID whilst
respecting the basic legal framework safeguarding fundamental values such as health, environment, data
protection, privacy and security.
In December 2008, the European Commission addressed Mandate M/436 to CEN, CENELEC and ETSI in the
field of ICT as applied to RFID systems. The Mandate M/436 was accepted by the ESOs in the first months of
2009. The Mandate addresses the data protection, privacy and information aspects of RFID, and is being
executed in two phases. Phase 1, completed in May 2011, identified the work needed to produce a complete
framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report TR 187
020, which was published in May 2011.
Phase 2 is concerned with the execution of the standardization work programme identified in the first phase.
This document will provide the additional information of the RFID application that will need to be provided to a
citizen by accessing the source identified on the sign where the RFID application is operating. This information
will be aligned with the details set out in the Recommendation, but some of this might not be available at the
outset, a TR is the preferred form of initial delivery to establish basic requirements.
0.2 Overview
th
On March 15 2007, the European Commission presented to the European Parliament a communication
about the steps towards a Policy Framework for Radio Frequency Identification in Europe. Here below is an
extract:
"COMMISSION RECOMMENDATION of 2009/05/12 on the implementation of privacy and data protection
principles in applications supported by radio-frequency identification {SEC (2009) 585}{SEC (2009) 586}.
Radio frequency identification (RFID) is a technology that allows automatic identification and data capture by
using radio frequencies. The salient features of this technology are that they permit the attachment of a unique
identifier and other information – using a microchip – to any object, animal or even a person, and to read this
information through a wireless device. RFID is not just "electronic tags" or "electronic barcodes". When linked
to databases and communications networks, such as the Internet, this technology provides a very powerful
way of delivering new services and applications, in potentially any environment.
RFID technology is indeed seen as the gateway to a new phase of development of the Information Society,
often referred to as the "internet of things" in which the internet does not only link computers and
communications terminals, but potentially any of our daily surrounding objects – be they clothes, consumer
goods, etc. It is this prospect that provoked the European Council of December 2006 to ask the European
Commission to review the challenges of the next generation of Internet and networks at the 2008 Spring
Council.
RFID is of policy concern because of its potential to become a new motor of growth and jobs, and thus a
powerful contributor to the Lisbon Strategy, if the barriers to innovation can be overcome. The production price
of RFID tags is now approaching a level that permits wide commercial and public sector deploy
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.