Electronic product codes and RFID: privacy guidance

Radio Frequency Identification (RFID) tags consist of a microchip and a tiny antenna that transmits data from the chip to a reader. The reader is activated whenever the antenna comes into range. The tags and readers can be used to track individual items, cases and pallets as they move from a manufacturer through the supply chain to the end user.An EPC tag is basically an RFID tag that follows the EPC standard so that its details can be communicated to any EPC reader. Each EPC is divided into numbers that identify the manufacturer, product type and serial number.The EPC standard has the backing of major companies like Wal-Mart, Procter & Gamble, Unilever and Tesco. Many expect it to be the successor to the ubiquitous barcode.While there are obvious advantages in using the technology, there are concerns that the tags could also allow businesses and governments to use the devices for surveillance. For while the tags do not contain personally identifiable information, the tag and its location could be linked to information held about an individual in other systems.The ICC has therefore published guidelines for what it calls the responsible deployment and operation of EPC tags. These state:

• Use of EPC systems and related technology should be legal, decent, honest and truthful.
• Notice is essential.
• Consumer choice is essential, where possible and appropriate.
• Education is key.
• Products containing the tags should be labelled and if the tag is contained in the body of the product, details of its location provided.
• Accurate information as to the collection, use and reason for the collection of personal identifiable data should be given and all data protection laws complied with.
• EPC users should make public their policies on the use of the data.
• Personally identifiable data should be protected by security safeguards.
• Consumers should be given the right to access information held by them and to correct it if necessary.