EN 16571:2014
Information technology - RFID privacy impact assessment process
This European Standard has been prepared as part of the EU RFID Mandate M/436. It is based on the Privacy and Data Protection Impact Assessment Framework for RFID Applications, which was developed by industry in collaboration with civil society, endorsed by the Article 29 Data Protection Working Party, and signed by all key stakeholders, including the European Commission, in 2011.
It defines aspects of that framework as normative or informative procedures to enable a common European method for undertaking an RFID PIA.
It provides a standardized set of procedures for developing PIA templates, including tools compatible with the RFID PIA methodology.
In addition, it identifies the conditions that require an existing PIA to be revised, amended, or replaced by a new assessment process.
German title: Informationstechnik - Verfahren zur Datenschutzfolgenabschätzung (PIA) von RFID
(English: Information technology - Procedure for the privacy impact assessment (PIA) of RFID)
This European Standard was developed within the framework of EU RFID Mandate M/436. It is based on a privacy and data protection impact assessment framework for RFID applications drawn up by industry in collaboration with civil-society organizations, which was endorsed by the Article 29 Data Protection Working Party and signed in 2011 by all key stakeholders, including the European Commission.
It specifies normative and informative procedures from that framework for a pan-European PIA of RFID applications.
It contains a set of standardized procedures for developing PIA templates, including tools that are compatible with RFID-related PIA methods.
In addition, it lists the conditions under which an existing PIA must be revised, amended, or replaced by a new assessment process.
French title: Technologies de l'information - Processus d'évaluation d'impact sur la vie privée des applications RFID
(English: Information technology - Privacy impact assessment process for RFID applications)
This European Standard was drawn up within the framework of European Union Mandate M/436 on RFID. It is based on the Privacy and Data Protection Impact Assessment Framework for RFID Applications, which was developed by industry in collaboration with civil society, approved by the Article 29 Working Party, and signed by all the main stakeholders, including the European Commission, in 2011.
It defines aspects of that framework in the form of normative or informative procedures to enable a common European method for carrying out a PIA of RFID applications.
It provides a standardized set of procedures for developing PIA templates, including tools compatible with the RFID PIA methodology.
In addition, it identifies the conditions that require an existing PIA to be revised, amended, or replaced by a new assessment process.
Slovenian title: Informacijska tehnologija - Postopek ocenjevanja vpliva RFID na zasebnost
(English: Information technology - Process for assessing the privacy impact of RFID)
This European Standard was prepared as part of EU RFID Mandate M/436. It is based on the privacy and data protection impact assessment framework for RFID applications, which was developed by industry in collaboration with civil society, endorsed by the Article 29 Data Protection Working Party, and signed in 2011 by all key stakeholders, including the European Commission.
It defines aspects of that framework as normative or informative procedures to enable a common European method for carrying out an RFID privacy impact assessment.
It provides a standardized set of procedures for preparing privacy impact assessment templates, including tools compatible with the RFID privacy impact assessment methodology.
In addition, it specifies the conditions that require an existing privacy impact assessment to be revised, amended, or replaced by a new assessment process.
General Information
Standards Content (Sample)
SLOVENIAN STANDARD SIST EN 16571:2014
1 December 2014
Slovenian title: Informacijska tehnologija - Postopek ocenjevanja vpliva RFID na zasebnost
German title: Verfahren zur Datenschutzfolgenabschätzung (PIA) von RFID
French title: Processus d'évaluation de l'impact en termes de respect de la vie privée de l'identification RFID
English title: Information technology - RFID privacy impact assessment process
This Slovenian standard is identical to: EN 16571:2014
Languages: en, fr, de
ICS: 35.020 Information technology (IT) in general
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
EUROPEAN STANDARD / NORME EUROPÉENNE / EUROPÄISCHE NORM
EN 16571
June 2014
ICS 35.240.60
English Version
Information technology - RFID privacy impact assessment process
Technologies de l'information - Processus d'évaluation d'impact sur la vie privée des applications RFID
Verfahren zur Datenschutzfolgenabschätzung (PIA) von RFID
This European Standard was approved by CEN on 14 May 2014.
CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN 16571:2014 E
...
SLOVENIAN STANDARD
1 December 2014
Slovenian title: Informacijska tehnologija - Postopek ocenjevanja vpliva RFID na zasebnost
English title: Information technology - RFID privacy impact assessment process
German title: Verfahren zur Datenschutzfolgenabschätzung (PIA) von RFID
French title: Processus d'évaluation de l'impact en termes de respect de la vie privée de l'identification RFID
This Slovenian standard is identical to: EN 16571:2014
ICS: 35.040.50 Automatic identification and data capture techniques
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviations
5 Structure of this European Standard
6 Field of reference for this European Standard
6.1 'RFID' as defined by the EU RFID Recommendation
6.2 'RFID application' as defined by the EU RFID Recommendation
6.3 'RFID operator' as defined by the EU RFID Recommendation
6.4 Relationship between the RFID PIA and data protection and security
6.5 Relevant inputs for the PIA process
6.5.1 General
6.5.2 The privacy capability statement
6.5.3 The Registration Authority
6.5.4 RFID PIA templates
7 RFID operator's organizational objectives of the RFID PIA
7.1 Overview
7.2 Meeting and exceeding legal requirements
7.3 When to undertake the RFID PIA
7.3.1 General
7.3.2 Undertaking a PIA at the design stage before the RFID system becomes operational
7.3.3 Undertaking a PIA at a review and update the design-based PIA
7.3.4 Undertaking a PIA to contribute to the development of a template
7.3.5 Undertaking a PIA with an established template
7.3.6 Undertaking a PIA at the introduction of a new function within the RFID application
7.3.7 Undertaking a PIA based on changes in RFID technology
7.3.8 Undertaking a PIA when a privacy breach has been reported
8 Tools to simplify the process
8.1 RFID operator responsibility
8.2 RFID technology privacy capability tools - overview
8.3 Registration of RFID privacy capability statements by RFID product manufacturers
8.3.1 General
8.3.2 Obligations of the Registration Authority
8.3.3 Appointment
8.3.4 Resignation
8.3.5 Responsibilities of the RFID product manufacturers
8.4 RFID technology privacy capability tools - details
8.4.1 RFID integrated circuit privacy capabilities
8.4.2 RFID tag privacy capabilities
8.4.3 RFID interrogator privacy capabilities
8.4.4 The default privacy capability statement
8.4.5 Using CEN/TR 16672 to construct privacy capabilities for products using proprietary protocols
8.5 Templates
8.5.1 General
8.5.2 Developing a template
8.5.3 Who should prepare the templates?
8.5.4 The role of stakeholders in template development
9 RFID PIA - a process approach
9.1 Introduction
9.2 Process Steps
9.3 Achieving the correct level of detail
9.3.1 General
9.3.2 Level 0 – no PIA
9.3.3 Level 1 – small scale PIA
9.3.4 Level 2 – PIA focussed on the controlled domain of the application
9.3.5 Level 3 – Full scale (complete) PIA of the application
9.3.6 Reducing the effort for the SME organization
9.4 Process methodology
10 Preparing the RFID functional statement
11 Preparing the description of the RFID applications
11.1 Introduction
11.2 Multiple applications
11.3 RFID application overview
11.3.1 General
11.3.2 Determine which RFID technology is intended or being used
11.3.3 Determine the RFID components used in the application
11.3.4 RFID applications on portable devices
11.4 Data on the RFID tag
11.4.1 General
11.4.2 Determine what inherent identifiable features are possessed by the RFID tag
11.4.3 Listing the data elements encoded on the RFID tag
11.4.4 Determine whether encoded data can be considered identifiable
11.4.5 Determine whether personal data is encoded on the tag
11.5 Additional data on the application
11.6 RFID data processing
11.7 Internal transfer of RFID data
11.8 External transfer of RFID data
11.9 RFID application description sign off
12 Risk Assessment
12.1 Procedural requirements derived from the RFID Recommendation
12.1.1 Common procedure requirements for all RFID operators
12.1.2 Requirements for retailers that are RFID operators
12.1.3 Procedure requirements for manufacturers of products eventually sold to consumers
12.2 Asset iden
...