Information technology - Analysis of privacy impact assessment methodologies relevant to RFID

The scope of this Technical Report (TR) is to identify methodologies that are used for, or have been considered applicable to, wireless technologies. These methodologies are analyzed to identify features that are applicable to RFID. Based on the Industry RFID PIA Framework endorsed by the Article 29 Data Protection Working Party, the Technical Report focuses on proposing risk analysis methodologies suitable for the data capture area of an RFID system. This includes the RFID tag, the interrogator, the air interface protocol used for communication between them, and the communication from the interrogator to the application. The Technical Report also proposes risk management features based on the inherent capabilities of a number of RFID technologies that conform to standardized RFID air interface protocols. This should provide enough information to enable the proposed privacy control features to be applied to other RFID technologies including those with proprietary air interface protocols and tag architectures. The risk management features exclude fundamental privacy by design features because these should be the subject of revisions and enhancements to technology standards. The risk management features defined in this Technical Report are considered applicable to current and future implementations of RFID based on existing technology. As such, this Technical Report is considered as input into a standard procedure for undertaking an RFID Privacy Impact Assessment.

German title: Information technology - Analysis of the RFID data protection impact assessment for specific sectors

French title: Information technology - Analysis of privacy impact assessment methods relevant to RFID

Slovenian title: Information technology - Analysis of privacy impact assessment methodologies relevant to RFID

Slovenian abstract (translated): The scope of this technical report is to determine methodologies that are used with, or are regarded as suitable for, wireless technologies. The analysis of these methodologies identifies the features that apply to RFID. Based on the industry framework for assessing the impact of RFID on privacy established by the Article 29 Data Protection Working Party, the technical report primarily proposes risk analysis methodologies suitable for the data capture area of an RFID system. This includes the RFID tag, the reader, the air interface protocol used for communication between them, and the communication between the reader and the application. The technical report also proposes risk management features based on the capabilities of numerous RFID technologies that comply with standardised RFID air interface protocols. This should provide enough information to allow the proposed privacy control features to be used in other RFID technologies, including those with proprietary air interface protocols and tag architectures. The risk management features do not cover fundamental built-in features, because these should be the subject of corrections and improvements to technology standards. The risk management features defined in this technical report apply to current and future uses of RFID based on existing technology. This technical report is therefore a contribution to a standard procedure for assessing the impact of RFID on privacy.

General Information

Status: Published
Publication Date: 19-Aug-2014
Technical Committee:
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 18-Jun-2014
Due Date: 23-Aug-2014
Completion Date: 20-Aug-2014

Buy Standard

Technical report: TP CEN/TR 16674:2014 - BARVE (colour), English language, 49 pages
Technical report: TP CEN/TR 16674:2014 - BARVE na PDF-strani 39 (colour on PDF page 39), English language, 49 pages

Standards Content (Sample)

SLOVENIAN STANDARD
SIST-TP CEN/TR 16674:2014
01-September-2014
Slovenian title: Information technology - Analysis of privacy impact assessment methodologies relevant to RFID
Information technology - Analysis of privacy impact assessment methodologies relevant to RFID
German title: Information technology - Analysis of the RFID data protection impact assessment for specific sectors
French title: Information technology - Analysis of privacy impact assessment methods relevant to RFID
This Slovenian standard is identical to: CEN/TR 16674:2014
ICS: 35.040.50 Automatic identification and data capture techniques
SIST-TP CEN/TR 16674:2014 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

SIST-TP CEN/TR 16674:2014

TECHNICAL REPORT (French: RAPPORT TECHNIQUE; German: TECHNISCHER BERICHT)
CEN/TR 16674
June 2014
ICS 35.240.60
English Version
Information technology - RFID privacy impact assessment analysis for specific sectors
French title: Information technology - Analysis of privacy impact assessment methods relevant to RFID
German title: Information technology - Analysis of the RFID data protection impact assessment for specific sectors

This Technical Report was approved by CEN on 20 January 2014. It has been drawn up by the Technical Committee CEN/TC 225.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. CEN/TR 16674:2014 E

CEN/TR 16674:2014 (E)
Contents Page

Foreword ..... 4
Introduction ..... 5
1 Scope ..... 6
2 Terms and definitions ..... 6
3 Symbols and abbreviations ..... 7
4 Risk analysis for wireless RFID communications and RFID devices ..... 8
4.1 Introduction ..... 8
4.2 RFID technologies ..... 8
4.3 The RFID system architecture ..... 9
4.4 The challenge of having millions of readers in the hands of individuals ..... 10
4.5 Lessons from the risk environment concerning wireless networks ..... 11
4.6 Conclusion and a way forward ..... 13
5 The relationship of the RFID PIA process and methodologies standards to the privacy law ..... 14
5.1 Privacy requirements ..... 14
5.2 Definitions ..... 16
5.2.1 General ..... 16
5.2.2 Five types of privacy ..... 17
5.2.3 Personal data ..... 18
5.2.4 Processing ..... 18
5.2.5 Processor ..... 18
5.2.6 Controller ..... 18
5.2.7 Data security ..... 18
5.2.8 Data minimization ..... 19
5.2.9 Purpose binding ..... 20
5.2.10 Openness ..... 21
5.2.11 Individual Access ..... 21
5.2.12 Consent ..... 21
5.2.13 Limiting Use, Disclosure and Retention ..... 23
5.2.14 Accuracy ..... 23
5.2.15 Unique identifiers ..... 23
5.2.16 Accountability ..... 23
5.2.17 RFID operator ..... 24
5.3 Accountable Technology ..... 24
5.4 Applying Data Protection Concepts in practice ..... 24
5.5 Technical/business considerations ..... 25
6 RFID and personal information ..... 25
6.1 DPD ..... 25
6.2 Personal information written in a tag ..... 25
6.3 Unique identifier ..... 25
6.4 Tracking and profiling ..... 26
6.5 Proportionality of wearable RFID tags ..... 26
6.6 Technical issues with unknown legal consequences ..... 27
7 Standards organizations and risk management standards ..... 27
7.1 Standards organizations ..... 27
7.2 Risk management standards ..... 28
7.2.1 General ..... 28
7.2.2 AS/NZS 4360 ..... 29
7.2.3 BS7799 (ISO17799) ..... 29
7.2.4 NIST SP 800-30 ..... 29
7.2.5 RFRM ..... 29
7.2.6 COBIT ..... 30
7.2.7 HIPAA ..... 30
7.2.8 ITIL ..... 31
7.2.9 ISMS ..... 31
7.2.10 ISO/IEC 27001 ..... 31
7.2.11 ISO/IEC 27002 ..... 31
7.2.12 ISO/IEC 27005 ..... 31
7.2.13 ISO TR 13335 ..... 31
8 Legal supported PIA methodology ..... 32
8.1 Background information ..... 32
8.2 Analysis of five PIAs ..... 34
8.3 Findings ..... 34
8.3.1 The application operator perspective ..... 34
8.3.2 The consumer and public interest perspective ..... 35
8.4 Audit report on the use of wireless technologies ..... 36
9 Proposed methodologies for RFID PIA process ..... 36
9.1 Initial Decision Tree ..... 36
9.2 Critique on the initial decision tree ..... 37
9.3 Relevance of the 2011 RFID PIA Framework ..... 38
9.3.1 General ..... 38
9.3.2 Framework reviews by others ..... 38
9.3.3 Scope of work for the 2011 RFID PIA Framework ..... 38
10 The reasoning for addressing the privacy assessment at the periphery for RFID ..... 41
10.1 The role played by RFID in the lives of individuals ..... 41
10.1.1 The nature of RFID possession by individuals ..... 41
10.1.2 The degree of exposure to RFID risks ..... 41
10.2 Where RFID technology is the determining factor for privacy assessment ..... 42
10.2.1 The Privacy assessment technology layers ..... 42
10.2.2 The role of RFID technology in privacy assessment ..... 43
10.3 Privacy assets ..... 43
11 The case for a cost-effective PIA process ..... 44
11.1 Templates ..... 44
11.2 Understanding the technology ..... 45
11.3 Monitoring RFID threats and vulnerabilities ..... 45
11.4 Assisting the SME PIA process ..... 46
12 Conclusions ..... 47
Bibliography ..... 48

Foreword
This document (CEN/TR 16674:2014) has been prepared by Technical Committee CEN/TC 225 “AIDC
Technologies”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
This Technical Report is one of a series of related deliverables, which comprise mandate 436 Phase 2. The
other deliverables are:
— EN 16570, Information technology — Notification of RFID — The information sign and additional
information to be provided by operators of RFID application systems
— EN 16571, Information technology — RFID privacy impact assessment process
— EN 16656, Information technology - Radio frequency identification for item management - RFID Emblem
(ISO/IEC 29160:2012, modified)
— CEN/TR 16684, Information technology — Notification of RFID — Additional information to be provided
by operators
— CEN/TS 16685, Information technology — Notification of RFID — The information sign to be displayed in
areas where RFID interrogators are deployed
— CEN/TR 16669, Information technology — Device interface to support ISO/IEC 18000-3
— CEN/TR 16670, Information technology — RFID threat and vulnerability analysis
— CEN/TR 16671, Information technology — Authorisation of mobile phones when used as RFID
interrogators
— CEN/TR 16672, Information technology — Privacy capability features of current RFID technologies
— CEN/TR 16673, Information technology — RFID privacy impact assessment analysis for specific sectors
Introduction
In response to the growing deployment of RFID systems in Europe, the European Commission published in
2007 the Communication COM (2007) 96 ‘RFID in Europe: steps towards a policy framework’. This
Communication proposed steps which needed to be taken to reduce barriers to adoption of RFID whilst
respecting the basic legal framework safeguarding fundamental values such as health, environment, data
protection, privacy and security.
In December 2008, the European Commission addressed Mandate M/436 to CEN, CENELEC and ETSI in the
field of ICT as applied to RFID systems. The Mandate M/436 was accepted by the ESOs in the first months of
2009. The Mandate addresses the data protection, privacy and information aspects of RFID, and is being
executed in two phases. Phase 1, completed in May 2011, identified the work needed to produce a complete
framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report TR 187
020, which was published in May 2011.
Phase 2 is concerned with the execution of the standardization work program identified in the first phase.
This Technical Report is one of eleven deliverables for M/436 Phase 2. From a content point of view, and
despite their name, most Privacy Impact Assessments in the world have a narrow focus, namely data
protection rather than privacy protection. The result is that many PIAs are restricted to legal compliance
checks and do not include societal aspects. That is reflected in the form of some PIAs, which are limited to
checklists. Increasingly, however, PIA methodologies include narrative descriptions of the systems assessed
and the environments in which they will operate, which help to understand better the potential privacy and
data protection risks.
Also most PIAs are limited to risk assessment and do not include risk management. Thus, they can be used to
identify and assess privacy and data protection risk without suggesting solutions or mitigation strategies,
thereby restricting their usability.
This deliverable begins with research into the methodologies used for wireless technologies and the risks associated with that part of a wireless system which extends from the data carrier to the communication from the 'interrogator' (the data capture device) to the application system. The reason for this approach is to understand approaches used by security experts that are not incorporated into any existing standards. The approach makes sense because it moves from generic wireless issues towards the specific RFID issues. The intention is to draw relevant 'lessons' from a range of wireless technologies that can be applied to RFID technologies and applications. Risk management will focus on areas that accept the inherent risks of the given technology.
1 Scope
The scope of this Technical Report (TR) is to identify methodologies that are used for, or have been
considered applicable to, wireless technologies. These methodologies are analyzed to identify features that
are applicable to RFID.
Based on the Industry RFID PIA Framework endorsed by the Article 29 Data Protection Working Party, the
Technical Report focuses on proposing risk analysis methodologies suitable for the data capture area of an
RFID system. This includes the RFID tag, the interrogator, the air interface protocol used for communication
between them, and the communication from the interrogator to the application.
The Technical Report also proposes risk management features based on the inherent capabilities of a number
of RFID technologies that conform to standardized RFID air interface protocols. This should provide enough
information to enable the proposed privacy control features to be applied to other RFID technologies including
those with proprietary air interface protocols and tag architectures. The risk management features exclude
fundamental privacy by design features because these should be the subject of revisions and enhancements
to technology standards. The risk management features defined in this Technical Report are considered
applicable to current and future implementations of RFID based on existing technology. As such, this
Technical Report is considered as input into a standard procedure for undertaking an RFID Privacy Impact
Assessment.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
controller
natural or legal person, public authority, agency or any other body which alone or jointly with others
determines the purposes and means of the processing of personal data; where the purposes and means of
processing are determined by national or Community laws or regulations, the controller or the specific criteria
for his nomination may be designated by national or Community law
2.2
data subject
identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably
likely to be used by the controller or by any other natural or legal person, in particular by reference to an
identification number, location data, online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that person
2.3
data subject's consent
any freely given specific and informed indication of his wishes by which the data subject signifies his
agreement to personal data relating to him being processed
2.4
personal data
any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is
one who can be identified, directly or indirectly, in particular by reference to an identification number or to one
or more factors specific to his physical, physiological, mental, economic, cultural or social identity
2.5
PIA process
process based on a privacy and data protection risk management approach focusing mainly on the
implementation of the EU RFID Recommendation and consistent with the EU legal framework and best
practices
2.6
privacy
"the claim of individuals (...) to determine for themselves when, how and to what extent information about them is communicated to others" and as a means "(...) for achieving individual goals of self-realisation"
2.7
privacy impact assessment
methodology (a systematic process) for assessing the impacts on privacy of a project, policy, program,
service, product or other initiative that involves the processing of personal information and, in consultation with
stakeholders, for taking remedial actions as necessary in order to avoid or minimize negative privacy impacts
2.8
processing
any operation or set of operations which is performed upon personal data or sets of personal data, whether or
not by automated means, such as reading, collection, recording, organization, structuring, storage, adaptation
or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, erasure or destruction
2.9
processor
natural or legal person, public authority, agency or any other body which processes personal data on behalf of
the controller
2.10
accountability
responsibility of an organization for personal information in its possession or custody, including information
that has been transferred to a third party for processing
2.11
wireless network
any type of computer network that is not connected by cables of any kind
3 Symbols and abbreviations
CEN: Comité Européen de Normalisation
COBIT: Control Objectives for Information and related Technology
DPD: Directive Personal Data
NOTE 1 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
DPIA: Data Protection Impact Assessment
DPR: General Data Protection
NOTE 2 Regulation on the Protection of Individuals with regard to the processing of personal data and on the free movement of Such Data
ECHR: European Convention on Human Rights
EU: European Union
ECtHR: European Court of Human Rights
ENISA: European Network and Information Security Agency
GDPR: General Data Protection Regulation
ITIL: Information Technology Infrastructure Library
NFC: Near Field Communication
NIST: National Institute of Standards and Technology
OECD: Organization for Economic Co-operation and Development
PBD: Privacy by Design
NOTE 3 Related to Data Protection.
PCC: Privacy Commissioner of Canada
PIA: Privacy Impact Assessment
PLD: Personal Locating Device
RTLS: Real Time Location Systems
SDLC: System Development Life Cycle
TAS3: Trusted Architecture for Securely Shared Services
NOTE 4 EU research project Trusted Architecture for Securely Shared Services, Privacy Requirements, v.2.0, 2009
TDOA: Time Difference Of Arrival
TRA: Threat and Risk Assessment
Tri: Triangulation
WAP: Wireless Access Point
WiFi: Wireless Ethernet
4 Risk analysis for wireless RFID communications and RFID devices
4.1 Introduction
As stated in the scope, the TR is to identify methodologies that are used for, or have been considered
applicable to, wireless technologies. These methodologies are analyzed to identify features that are applicable
to RFID. Furthermore, based on the Industry RFID PIA Framework endorsed by the Article 29 Data Protection
Working Party, the TR focuses on proposing risk analysis methodologies suitable for the data capture area of
an RFID system. This includes the RFID tag, the interrogator, the air interface protocol used for
communication between them, and the communication from the interrogator to the application.
The RFID PIA framework is based on Opinion 9/2011 on “The Revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications”. Opinion 9/2011 has been influenced by the requirements identified in the analysis “ENISA Position on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications [of March 31, 2010]”, July 2010.
The title of Recommendation (2009/387/EC) makes it very clear that the Commission has an objective to see
the implementation of privacy and data protection principles in RFID applications, and for this to be partly
achieved by RFID operators undertaking a privacy impact assessment (PIA). Much of the work approved
under Mandate M436 Phase 2 extends this principle into more practical processes.
Unfortunately there is no evidence of a standards-based procedure for undertaking a PIA for applications
using RFID technology. The TR therefore focuses on three strands of research:
— principles that are appropriate to RFID based on the research undertaken to prepare this TR;
— analysis of PIAs that are relevant to the RFID PIA, but not directly associated with RFID, from five
countries (Australia, Canada, New Zealand, UK and USA) and discussed more fully in Clause 7;
— comparison between the intended approach and some European interim developments.
4.2 RFID technologies
The Recommendation provides the following definition of RFID in Paragraph 3 (a):
‘Radio frequency identification (RFID)’ means the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to communicate to or from a tag
This means that RFID applies to all RFID technologies specified by the ISO/IEC 18000 series of standards plus what some experts consider to be a different technology: smart cards. Thus, ISO/IEC 14443, ISO/IEC 15693, ISO/IEC 18092, ISO/IEC 21481, and the Japanese FeliCa (JIS X6319-4) all fall within the scope of the Recommendation. In fact, any standardized or proprietary radio frequency technology operating within the regulated ranges listed here falls within the scope of the Recommendation:
— <125 kHz to 134 kHz
— 13,56 MHz
— 433 MHz
— 860 MHz to 960 MHz
— 2,45 GHz
— 5,8 GHz (although there are no standards in the ISO/IEC 18000 series that address this yet)
NOTE Further details of the RFID privacy capabilities are provided in CEN/TR 16672 Information technology - Privacy capability features of current RFID technologies.
4.3 The RFID system architecture
Each RFID air interface protocol has different
...

SLOVENIAN STANDARD
SIST-TP CEN/TR 16674:2014
01-September-2014
Slovenian title: Information technology - Analysis of privacy impact assessment methodologies relevant to RFID
Information technology - Analysis of privacy impact assessment methodologies relevant to RFID
German title: Information technology - Analysis of the RFID data protection impact assessment for specific sectors
French title: Information technology - Analysis of privacy impact assessment methods relevant to RFID
This Slovenian standard is identical to: CEN/TR 16674:2014
ICS: 35.020 Information technology (IT) in general
SIST-TP CEN/TR 16674:2014 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

---------------------- Page: 1 ----------------------

SIST-TP CEN/TR 16674:2014

---------------------- Page: 2 ----------------------

SIST-TP CEN/TR 16674:2014

TECHNICAL REPORT
CEN/TR 16674

RAPPORT TECHNIQUE

TECHNISCHER BERICHT
June 2014
ICS 35.240.60
English Version
Information technology - RFID privacy impact assessment
analysis for specific sectors
Technologies de l'information - Analyse des méthodes Informationstechnik - Analyse der RFID-
d'évaluation de l'impact sur la vie privée adaptées à la RFID Datenschutzfolgenabschätzung für spezifische Sektoren


This Technical Report was approved by CEN on 20 January 2014. It has been drawn up by the Technical Committee CEN/TC 225.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.





EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TR 16674:2014 E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------

SIST-TP CEN/TR 16674:2014
CEN/TR 16674:2014 (E)
Contents Page

Foreword .4
Introduction .5
1 Scope .6
2 Terms and definitions .6
3 Symbols and abbreviations .7
4 Risk analysis for wireless RFID communications and RFID devices .8
4.1 Introduction .8
4.2 RFID technologies .8
4.3 The RFID system architecture .9
4.4 The challenge of having millions of readers in the hands of individuals . 10
4.5 Lessons from the risk environment concerning wireless networks . 11
4.6 Conclusion and a way forward . 13
5 The relationship of the RFID PIA process and methodologies standards to the privacy law . 14
5.1 Privacy requirements . 14
5.2 Definitions . 16
5.2.1 General . 16
5.2.2 Five types of privacy . 17
5.2.3 Personal data . 18
5.2.4 Processing . 18
5.2.5 Processor . 18
5.2.6 Controller . 18
5.2.7 Data security . 18
5.2.8 Data minimization . 19
5.2.9 Purpose binding . 20
5.2.10 Openness . 21
5.2.11 Individual Access. 21
5.2.12 Consent . 21
5.2.13 Limiting Use, Disclosure and Retention . 23
5.2.14 Accuracy . 23
5.2.15 Unique identifiers. 23
5.2.16 Accountability . 23
5.2.17 RFID operator . 24
5.3 Accountable Technology . 24
5.4 Applying Data Protection Concepts in practice . 24
5.5 Technical/business considerations . 25
6 RFID and personal information . 25
6.1 DPD . 25
6.2 Personal information written in a tag . 25
6.3 Unique identifier . 25
6.4 Tracking and profiling . 26
6.5 Proportionality of wearable RFID tags . 26
6.6 Technical issues with unknown legal consequences. 27
7 Standards organizations and risk management standards . 27
7.1 Standards organizations . 27
7.2 Risk management standards . 28
7.2.1 General . 28
2

---------------------- Page: 4 ----------------------

SIST-TP CEN/TR 16674:2014
CEN/TR 16674:2014 (E)
7.2.2 AS/NZS 4360 . 29
7.2.3 BS7799 (ISO17799) . 29
7.2.4 NIST SP 800-30 . 29
7.2.5 RFRM . 29
7.2.6 COBIT . 30
7.2.7 HIPAA . 30
7.2.8 ITIL . 31
7.2.9 ISMS . 31
7.2.10 ISO/IEC 27001 . 31
7.2.11 ISO/IEC 27002 . 31
7.2.12 ISO/IEC 27005 . 31
7.2.13 ISO TR 13335 . 31
8 Legal supported PIA methodology . 32
8.1 Background information . 32
8.2 Analysis of five PIAs . 34
8.3 Findings . 34
8.3.1 The application operator perspective . 34
8.3.2 The consumer and public interest perspective . 35
8.4 Audit report on the use of wireless technologies . 36
9 Proposed methodologies for RFID PIA process . 36
9.1 Initial Decision Tree . 36
9.2 Critique on the initial decision tree . 37
9.3 Relevance of the 2011 RFID PIA Framework . 38
9.3.1 General . 38
9.3.2 Framework reviews by others . 38
9.3.3 Scope of work for the 2011 RFID PIA Framework . 38
10 The reasoning for addressing the privacy assessment at the periphery for RFID. 41
10.1 The role played by RFID in the lives of individuals . 41
10.1.1 The nature of RFID possession by individuals . 41
10.1.2 The degree of exposure to RFID risks . 41
10.2 Where RFID technology is the determining factor for privacy assessment . 42
10.2.1 The Privacy assessment technology layers . 42
10.2.2 The role of RFID technology in privacy assessment . 43
10.3 Privacy assets . 43
11 The case for a cost-effective PIA process . 44
11.1 Templates . 44
11.2 Understanding the technology . 45
11.3 Monitoring RFID threats and vulnerabilities . 45
11.4 Assisting the SME PIA process . 46
12 Conclusions . 47
Bibliography . 48

3

---------------------- Page: 5 ----------------------

SIST-TP CEN/TR 16674:2014
CEN/TR 16674:2014 (E)
Foreword
This document (CEN/TR 16674:2014) has been prepared by Technical Committee CEN/TC 225 “AIDC
Technologies”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
This Technical Report is one of a series of related deliverables, which comprise mandate 436 Phase 2. The
other deliverables are:
— EN 16570, Information technology — Notification of RFID — The information sign and additional
information to be provided by operators of RFID application systems
— EN 16571, Information technology — RFID privacy impact assessment process
— EN 16656, Information technology - Radio frequency identification for item management - RFID Emblem
(ISO/IEC 29160:2012, modified)
— CEN/TR 16684, Information technology — Notification of RFID — Additional information to be provided
by operators
— CEN/TS 16685, Information technology — Notification of RFID — The information sign to be displayed in
areas where RFID interrogators are deployed
— CEN/TR 16669, Information technology — Device interface to support ISO/IEC 18000-3
— CEN/TR 16670, Information technology — RFID threat and vulnerability analysis
— CEN/TR 16671, Information technology — Authorisation of mobile phones when used as RFID
interrogators
— CEN/TR 16672, Information technology — Privacy capability features of current RFID technologies
— CEN/TR 16673, Information technology — RFID privacy impact assessment analysis for specific sectors
4

---------------------- Page: 6 ----------------------

SIST-TP CEN/TR 16674:2014
CEN/TR 16674:2014 (E)
Introduction
In response to the growing deployment of RFID systems in Europe, the European Commission published in
2007 the Communication COM (2007) 96 ‘RFID in Europe: steps towards a policy framework’. This
Communication proposed steps which needed to be taken to reduce barriers to adoption of RFID whilst
respecting the basic legal framework safeguarding fundamental values such as health, environment, data
protection, privacy and security.
In December 2008, the European Commission addressed Mandate M/436 to CEN, CENELEC and ETSI in the
field of ICT as applied to RFID systems. The Mandate M/436 was accepted by the ESOs in the first months of
2009. The Mandate addresses the data protection, privacy and information aspects of RFID, and is being
executed in two phases. Phase 1, completed in May 2011, identified the work needed to produce a complete
framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report TR 187
020, which was published in May 2011.
Phase 2 is concerned with the execution of the standardization work program identified in the first phase.
This Technical Report is one of eleven deliverables for M/436 Phase 2. From a content point of view, and
despite their name, most Privacy Impact Assessments in the world have a narrow focus, namely data
protection rather than privacy protection. The result is that many PIAs are restricted to legal compliance
checks and do not include societal aspects. That is reflected in the form of some PIAs, which are limited to
checklists. Increasingly, however, PIA methodologies include narrative descriptions of the systems assessed
and the environments in which they will operate, which help to better understand the potential privacy and
data protection risks.
Also most PIAs are limited to risk assessment and do not include risk management. Thus, they can be used to
identify and assess privacy and data protection risk without suggesting solutions or mitigation strategies,
thereby restricting their usability.
This deliverable will begin with research of methodologies used for wireless technologies and the risks
associated with that part of the wireless system from the data carrier to the communication from the
'interrogator' or data capture device to the application system. The reason for this approach is to understand
approaches used by security experts that are not incorporated into any existing standards. This approach
makes sense because it moves from the generic wireless issues towards the specific RFID issues. The intention is to
draw relevant 'lessons' from a range of wireless technologies that can be applied to RFID technologies and
applications. Risk management will focus on areas that accept the inherent risks of the given technology.
1 Scope
The scope of this Technical Report (TR) is to identify methodologies that are used for, or have been
considered applicable to, wireless technologies. These methodologies are analyzed to identify features that
are applicable to RFID.
Based on the Industry RFID PIA Framework endorsed by the Article 29 Data Protection Working Party, the
Technical Report focuses on proposing risk analysis methodologies suitable for the data capture area of an
RFID system. This includes the RFID tag, the interrogator, the air interface protocol used for communication
between them, and the communication from the interrogator to the application.
The Technical Report also proposes risk management features based on the inherent capabilities of a number
of RFID technologies that conform to standardized RFID air interface protocols. This should provide enough
information to enable the proposed privacy control features to be applied to other RFID technologies including
those with proprietary air interface protocols and tag architectures. The risk management features exclude
fundamental privacy by design features because these should be the subject of revisions and enhancements
to technology standards. The risk management features defined in this Technical Report are considered
applicable to current and future implementations of RFID based on existing technology. As such, this
Technical Report is considered as input into a standard procedure for undertaking an RFID Privacy Impact
Assessment.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
controller
natural or legal person, public authority, agency or any other body which alone or jointly with others
determines the purposes and means of the processing of personal data; where the purposes and means of
processing are determined by national or Community laws or regulations, the controller or the specific criteria
for his nomination may be designated by national or Community law
2.2
data subject
identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably
likely to be used by the controller or by any other natural or legal person, in particular by reference to an
identification number, location data, online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that person
2.3
data subject's consent
any freely given specific and informed indication of his wishes by which the data subject signifies his
agreement to personal data relating to him being processed
2.4
personal data
any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is
one who can be identified, directly or indirectly, in particular by reference to an identification number or to one
or more factors specific to his physical, physiological, mental, economic, cultural or social identity
2.5
PIA process
process based on a privacy and data protection risk management approach focusing mainly on the
implementation of the EU RFID Recommendation and consistent with the EU legal framework and best
practices
2.6
privacy
"the claim of individuals (...) to determine for themselves when, how and to what extent information about them
is communicated to others" and as a means "(...) for achieving individual goals of self-realisation"
2.7
privacy impact assessment
methodology (a systematic process) for assessing the impacts on privacy of a project, policy, program,
service, product or other initiative that involves the processing of personal information and, in consultation with
stakeholders, for taking remedial actions as necessary in order to avoid or minimize negative privacy impacts
2.8
processing
any operation or set of operations which is performed upon personal data or sets of personal data, whether or
not by automated means, such as reading, collection, recording, organization, structuring, storage, adaptation
or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, erasure or destruction
2.9
processor
natural or legal person, public authority, agency or any other body which processes personal data on behalf of
the controller
2.10
accountability
responsibility of an organization for personal information in its possession or custody, including information
that has been transferred to a third party for processing
2.11
wireless network
any type of computer network that is not connected by cables of any kind
3 Symbols and abbreviations
CEN Comité Européen de Normalisation
COBIT Control Objectives for Information and related Technology
DPD Directive Personal Data
NOTE 1 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
DPIA Data Protection Impact Assessment
DPR General Data Protection
NOTE 2 Regulation on the Protection of Individuals with regard to the processing of personal data and on the free movement of such data
ECHR European Convention on Human Rights
EU European Union
ECtHR European Court of Human Rights
ENISA European Network and Information Security Agency
GDPR General Data Protection Regulation
ITIL Information Technology Infrastructure Library
NFC Near Field Communication
NIST National Institute of Standards and Technology
OECD Organization for Economic Co-operation and Development
PBD Privacy by Design
NOTE 3 Related to Data Protection.
PCC Privacy Commissioner of Canada
PIA Privacy Impact Assessment
PLD Personal Locating Device
RTLS Real Time Location Systems
SDLC System Development Life Cycle
TAS3 Trusted Architecture for Securely Shared Services
NOTE 4 EU research project Trusted Architecture for Securely Shared Services, Privacy Requirements, v.2.0, 2009
TDOA Time Difference Of Arrival
TRA Threat and Risk Assessment
Tri Triangulation
WAP Wireless Access Point
WiFi Wireless Ethernet
4 Risk analysis for wireless RFID communications and RFID devices
4.1 Introduction
As stated in the scope, the TR is to identify methodologies that are used for, or have been considered
applicable to, wireless technologies. These methodologies are analyzed to identify features that are applicable
to RFID. Furthermore, based on the Industry RFID PIA Framework endorsed by the Article 29 Data Protection
Working Party, the TR focuses on proposing risk analysis methodologies suitable for the data capture area of
an RFID system. This includes the RFID tag, the interrogator, the air interface protocol used for
communication between them, and the communication from the interrogator to the application.
The RFID PIA framework is based on Opinion 9/2011 on “The Revised Industry Proposal for a Privacy and
Data Protection Impact Assessment Framework for RFID Applications”. Opinion 9/2011 has been influenced
by the requirements mentioned in the analysis of the ENISA Position on the Industry Proposal for a Privacy and
Data Protection Impact Assessment Framework for RFID Applications [of March 31, 2010], July 2010.
The title of Recommendation (2009/387/EC) makes it very clear that the Commission has an objective to see
the implementation of privacy and data protection principles in RFID applications, and for this to be partly
achieved by RFID operators undertaking a privacy impact assessment (PIA). Much of the work approved
under Mandate M436 Phase 2 extends this principle into more practical processes.
Unfortunately there is no evidence of a standards-based procedure for undertaking a PIA for applications
using RFID technology. The TR therefore focuses on three strands of research:
— principles that are appropriate to RFID based on the research undertaken to prepare this TR;
— analysis of PIAs that are relevant to the RFID PIA, but not directly associated with RFID, from five
countries (Australia, Canada, New Zealand, UK and USA) and discussed more fully in Clause 7;
— comparison between the intended approach and some European interim developments.
4.2 RFID technologies
The Recommendation provides the following definition of RFID in Paragraph 3 (a):
‘Radio frequency identification (RFID)’ means the use of electromagnetic radiating waves or reactive field
coupling in the radio frequency portion of the spectrum to communicate to or from a tag.
This means that RFID applies to all RFID technologies specified by the ISO/IEC 18000 series of standards
plus what some experts consider to be a different technology: smart cards. Thus, ISO/IEC 14443,
ISO/IEC 15693, ISO/IEC 18092, ISO/IEC 21481, and the Japanese FeliCa (JIS X6319-4) all fall within the
scope of the Recommendation. In fact any standardized or proprietary radio frequency technology operating
within the regulated ranges, as listed here, falls within the scope of the Recommendation:
— <125 kHz to 134 kHz
— 13,56 MHz
— 433 MHz
— 860 MHz to 960 MHz
— 2,45 GHz
— 5,8 GHz (although there are no standards in the ISO/IEC 18000 series that address this yet)
NOTE Further details of the RFID privacy capabilities are provided in CEN/TR 16672 Information technology -
Privacy capability features of current RFID technologies.
4.3 The RFID system architecture
Each RFID air interface protocol has different ch
...