RFID is still an emerging technology and its regulation is a
source of global debate. While the new Guidelines may only apply to
the libraries of Ontario, they will likely be viewed with interest
by privacy regulators worldwide.
Background
RFID, or Radio Frequency Identification, tags comprise a
microchip, loaded with a unique code number and a tiny antenna that
transmits data from the chip to a reader. In general the reader is
activated whenever the antenna comes into range and the data can be
used to trigger an event – such as ringing up a purchase or
ordering more stock.
Some tags are passive, which means that they have to be
activated by a reader physically close to them, while others are
active and have their own power supply, allowing them to send
information directly to a reader some distance away.
Other variations relate to the amount of information that may be
retained on the chip. Read-only chips have information already
planted on them and cannot be changed. Read-write chips can have
their memory changed many times.
The chips can be incorporated into a range of products and could
largely replace barcodes, their big advantage being that they do
not require a line of sight between the chip and the reader. They
offer a means of navigating complex global supply chains, allowing
companies to track their products from factory to distribution
centre, from warehouse to sales floor.
But RFID tags have their critics. In general the chips are too
small to be removed, and if they are embedded in the product itself
– clothes or shoes – rather than the packaging, then they will
remain in it. It is also possible for them to remain trackable and
this, say privacy groups, is an unacceptable breach of privacy.
They worry that criminals, governments or other agencies will be
able to identify and track an individual by the RFID tags on his or
her person.
Such is the concern of privacy groups that in November last
year, some issued a joint statement calling on manufacturers and
retailers "to agree to a voluntary moratorium on the item-level
RFID tagging of consumer items until a formal technology assessment
process involving all stakeholders, including consumers, can take
place."
The Guidelines
In Ontario some public libraries are looking to implement RFID
systems in order to improve stock checking and efficiency levels,
and this month Ann Cavoukian, the Information and Privacy
Commissioner of Ontario, published Guidelines setting out the
standards that should be followed.
Following on from the Ontario Municipal Freedom of Information
and Protection of Privacy Act (the Act) the Guidelines approach
RFID from the viewpoint of its privacy implications – in particular
how and when information held by a library on its users can be
linked in with RFID tags on individual books.
According to the Guidelines, the best practice for the use of
RFID within public libraries requires the creation of a written
policy covering the operation of the system.
This should include details of the rationale behind the system;
the library's obligations under the Act; who is responsible for
complying with the Act, and procedures to deal with any breach.
The RFID records themselves should only be used for the purposes
detailed in the written policy, say the Guidelines. In addition the
library should notify the Commissioner if it is collecting patron
information in a way that has not been done before.
There must also be some form of public notification, at the
library, explaining that RFID is being used to collect personal
information, and providing details of a member of staff who can
answer questions about it.
