CEN/TR 16673:2014
Information technology - RFID privacy impact assessment analysis for specific sectors
The scope of this Technical Report is to use the RFID PIA Framework as the basis for exploring issues with four major sectors involved with RFID:
— libraries;
— retail;
— e-Ticketing, toll roads, fee collection, events management;
— banking and financial services.
After specific sector research and consolidation of the results of industry workshops and seminars that take place in several EU Member States, this Technical Report will identify the characteristics that need to be taken into consideration by operators of RFID systems in the example sectors. In addition it will provide advice to operators in the sector on significant variants both in terms of technology and application data. This will enable the appropriate risk factors to be taken into account.
Based on the synthesis of the applications in the chosen sectors, this Technical Report will also identify a set of factors relevant to specific RFID technologies and features that will need to be taken into account in preparing a Privacy and Data Protection Impact Assessment for many RFID applications.
Informationstechnik - Verfahren zur Datenschutzfolgenabschätzung (PIA) von RFID für spezifische Sektoren
Technologies de l’information - Évaluation d'impact sur la vie privée des applications RFID dans des secteurs spécifiques
Informacijska tehnologija - Ocenjevanje vpliva RFID na zasebnost za določene sektorje
Standards Content (Sample)
SLOVENIAN STANDARD
1 September 2014
Informacijska tehnologija - Ocenjevanje vpliva RFID na zasebnost za določene sektorje
Information technology - RFID privacy impact assessment analysis for specific sectors
Informationstechnik - Verfahren zur Datenschutzfolgenabschätzung (PIA) von RFID für spezifische Sektoren
Technologie de l’information - Évaluation de l’impact sur la vie privée de la RFID pour des secteurs spécifiques
This Slovenian standard is identical to: CEN/TR 16673:2014
ICS:
35.040.50 Automatic identification and data capture techniques
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.
TECHNICAL REPORT
CEN/TR 16673
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
June 2014
ICS 35.240.60
English Version
Information technology - RFID privacy impact assessment
analysis for specific sectors
Technologies de l'information - Évaluation d'impact sur la vie privée des applications RFID dans des secteurs spécifiques
Informationstechnik - Verfahren zur Datenschutzfolgenabschätzung (PIA) von RFID für spezifische Sektoren
This Technical Report was approved by CEN on 20 January 2014. It has been drawn up by the Technical Committee CEN/TC 225.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. CEN/TR 16673:2014 E
Contents Page
Foreword .4
Introduction .5
1 Scope .6
2 Terms and definitions .6
3 Symbols and abbreviations .8
4 Brief description of an RFID system .9
4.1 Infrastructure of an RFID system .9
4.2 Components of an RFID system .9
4.2.1 Transponder/Tag.9
4.2.2 RFID reader or writer . 10
4.2.3 Backend system. 10
4.3 Characteristics of RFID technology compared to other data capture techniques . 10
5 Privacy concept in RFID-based applications . 11
5.1 Interaction between data protection, data security and privacy . 11
5.2 Data protection . 12
5.3 Data security . 13
5.4 Privacy . 13
5.5 General privacy risks . 13
5.6 Challenges for a privacy concept in context with RFID. 14
5.7 Need for transparency . 15
6 Library sector overview . 15
6.1 Aspects of the library sector . 15
6.2 RFID technology overview . 16
6.3 Applications and parties involved . 17
6.4 Privacy considerations . 18
6.4.1 Privacy of possession . 18
6.4.2 Privacy of personal data in the central system . 18
6.4.3 The impact of NFC-enabled phones . 19
6.5 Prospects for PIA templates . 19
7 Retail sector overview . 20
7.1 Aspects of the retail sector . 20
7.2 RFID Technology Overview . 21
7.3 Applications and parties involved . 21
7.3.1 General . 21
7.3.2 Use of RFID in retail logistics . 21
7.3.3 The role of the solution provider . 22
7.3.4 Impact of RFID technology for the consumer . 22
7.4 Privacy considerations . 23
7.5 Technological prospects for privacy enhancements. 25
8 Transport sector overview . 25
8.1 Aspects of the transport sector . 25
8.2 RFID Technology Overview . 25
8.3 Applications and parties involved . 26
8.3.1 General . 26
8.3.2 Types of tickets, features and characteristics . 26
8.3.3 Characteristics of automatic fare calculation. 27
8.3.4 Sales channels and their impact on the products . 27
8.4 Privacy considerations . 29
8.5 Other applications not covered in detail . 29
8.5.1 General . 29
8.5.2 Toll roads and fee collection using RFID . 29
8.5.3 Event management using RFID . 30
9 Banking and financial services sector overview . 30
9.1 Aspects of the finance sector . 30
9.2 RFID Technology Overview . 31
9.2.1 General . 31
9.2.2 Contactless payment cards . 32
9.2.3 NFC based payment by mobile phones . 32
9.2.4 Micro-tags or stick-on-tags . 32
9.3 Applications and parties involved . 32
9.4 Privacy considerations . 32
9.4.1 General . 32
9.4.2 Security of contactless payment cards . 33
9.4.3 Organisations . 33
9.4.4 Impact of privacy in the banking and finance sector . 34
9.4.5 Vulnerabilities . 34
9.4.6 Transparency, consumer information, commercial confidentiality and security . 35
9.4.7 Implications for the PIA . 35
10 Conclusion and recommendations . 36
10.1 Diversity of RFID based applications . 36
10.2 Benefits of and recommendation for sector or application specific templates . 36
10.3 Recommendation for a general approach to PIA . 37
Bibliography . 38
Foreword
This document (CEN/TR 16673:2014) has been prepared by Technical Committee CEN/TC 225 “AIDC
Technologies”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
This Technical Report is one of a series of related deliverables, which comprise mandate 436 Phase 2. The
other deliverables are:
— EN 16570, Information technology — Notification of RFID — The information sign and additional
information to be provided by operators of RFID application systems
— EN 16571, Information technology — RFID privacy impact assessment process
— EN 16656, Information technology - Radio frequency identification for item management - RFID Emblem
(ISO/IEC 29160:2012, modified)
— CEN/TR 16684, Information technology — Notification of RFID — Additional information to be provided
by operators
— CEN/TS 16685, Information technology — Notification of RFID — The information sign to be displayed in
areas where RFID interrogators are deployed
— CEN/TR 16669, Information technology — Device interface to support ISO/IEC 18000-3 Mode 1
— CEN/TR 16670, Information technology — RFID threat and vulnerability analysis
— CEN/TR 16671, Information technology — Authorisation of mobile phones when used as RFID
interrogators
— CEN/TR 16672, Information technology — Privacy capability features of current RFID technologies
— CEN/TR 16674, Information technology — Analysis of privacy impact assessment methodologies relevant
to RFID
...