ETSI - TR 187 020
Radio Frequency Identification (RFID); Coordinated ESO response to Phase 1 of EU Mandate M436
Publication Date: 1 May 2011
The present document provides the results of the coordinated response of the European Standards Organizations (ESOs) to Phase 1 of EC mandate M436 on the subject of Radio Frequency Identification Devices (RFID) in relation to privacy, data protection and information security.
The present document outlines a standardization roadmap for privacy and security of RFID. The development of the roadmap involved analyses of RFID from a number of perspectives:
• analysis of OECD guidelines [i.17] and relevant data protection;
• analysis of privacy and its link to behaviour;
• analysis of EU directives on data protection and privacy and their implications on RFID;
• review of the role of PETs for RFID (see clause 7); and
• analysis of security threats to RFID and their implications (see Annex C).
The resulting requirements set defines the data protection, privacy and security needs of RFID and was used as input to the standards gaps analysis and to the development of requirements for PIA for RFID and for RFID PEN testing frameworks. An outline of the PIA framework requirements is given in clause 9.
An overview of the standardisation gaps and requirements for RFID PEN testing is given in clause 10. The standardisation gaps analysis and the resulting overall RFID standardisation roadmap are given in clause 4.
The present document recommends a plan of activities for Phase 2 of EC Mandate M436 that:
• identifies the use of existing technical measures described by standardisation in order to promote confidence and trust (by end-user organizations and the general public) in RFID technology and its applications;
• identifies where new technical measures described by standardisation are required in order to promote confidence and trust (by end-user organizations and the general public) in RFID technology and its applications. These measures will be developed in the course of Phase 2 of the mandate.
In addition, the present document describes the results of modelling the role of RFID in privacy and personal data as defined by European Directives, alongside a Threat, Vulnerability and Risk Analysis (TVRA) of the use of RFID technology and its applications, including the results of a generic and an industry-specific Privacy Impact Assessment (a guide to PIA is given in Annex A).
NOTE: Many of the risks identified as part of the present document are equally applicable in other tracking scenarios (e.g. CCTV, car number/licence plate recognition, face recognition, mobile phone cell tracking). Under the terms of the Mandate, the present document covers only those areas in the data acquisition part that are specific to RFID. The other tracking scenarios are included in the work of the Article 29 Data Protection Working Party.