The Working Party is concerned that while there are obvious advantages in using RFID technology, the tags could also allow businesses and governments to use the devices for surveillance – a possibility aggravated by the fact that the technology will be relatively cheap, and therefore available not only to big players but also, potentially, to individuals.
RFID tags consist of a microchip and a tiny antenna that transmits data from the chip to a reader. The reader is activated whenever the antenna comes into range and the data can be used to trigger an event – such as ringing up a purchase or ordering more stock.
The tags are already in use in retail. Airports use the technology to track baggage, and hospitals to track medicine and medical equipment. In October 2004, the US Food and Drug Administration even approved the use of an RFID chip that may be implanted into a patient's skin, aiding record keeping and patient identification in hospitals.
According to Intellect, the trade body for the UK telecoms, IT and electronics industry, a recent Juniper Research report found that sales of RFID systems in Western Europe were likely to reach $1.1 billion by 2007.
With growth in the technology continuing, the Data Protection Working Party has now highlighted areas in which data protection concerns might be raised by RFID use. These include:
The collection of information linked to personal data – for example, where a retailer links the purchase of tagged goods with a loyalty card database;
The storing of personal data on each tag – such as on monthly transport tickets; and
Tracking without additional identifiers being used – where, for example, tagged shopping cart tokens are given to supermarket customers, allowing the monitoring of purchases and by association, the monitoring of the customer.
On all of these occasions, says the Working Party, there is a risk that personal data is being processed and manufacturers - and especially users – of the technology must therefore be made aware that they may be subject to the rules surrounding data protection.
The paper sets out general guidelines on the rules and the technical and organisational requirements that should be adopted in order to implement those rules.
The Working Party stresses that the guidance is offered as a first response to the developing technology, and will be revisited at a later date. In the meantime, it has launched a consultation on the paper, and invites responses by 31st March.