CEN TR 16684-2014 Information technology - Notification of RFID - Additional information to be provided by operators《信息技术 RFID通知 运营商提供的额外信息》.pdf

1、BSI Standards PublicationPD CEN/TR 16684:2014Information technology Notification of RFID Additional information to beprovided by operatorsPD CEN/TR 16684:2014 PUBLISHED DOCUMENTNational forewordThis Published Document is the UK implementation of CEN/TR 16684:2014.The UK participation in its preparat

2、ion was entrusted to Technical Committee IST/34, Automatic identification and data capture techniques.A list of organizations represented on this committee can be obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are r

3、esponsible for its correct application. The British Standards Institution 2014.Published by BSI Standards Limited 2014ISBN 978 0 580 84084 5ICS 35.240.60Compliance with a British Standard cannot confer immunity from legal obligations.This Published Document was published under the authority of the S

4、tandards Policy and Strategy Committee on 30 June 2014.Amendments/corrigenda issued since publicationDate T e x t a f f e c t e dPD CEN/TR 16684:2014TECHNICAL REPORT RAPPORT TECHNIQUE TECHNISCHER BERICHT CEN/TR 16684 June 2014 ICS 35.240.60 English Version Information technology - Notification of RF

5、ID - Additional information to be provided by operators Technologies de linformation - Notification didentification par radiofrquence (RFID) - Informations complmentaires fournir par les oprateurs Informationstechnik - Notifizierung von RFID: Zustzliche vom Betreiber zur Verfgung zu stellende Inform

6、ation This Technical Report was approved by CEN on 8 March 2014. It has been drawn up by the Technical Committee CEN/TC 225. CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia,

7、 France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCH

8、ES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2014 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. CEN/TR 16684:2014 EPD CEN/TR 16684:2014CEN/TR 16684:2014 (E) 2 Contents Page Foreword 3 0 Intr

9、oduction 4 0.1 General 4 0.2 Overview .4 1 Scope 7 2 Terms and definitions .7 3 CCTV as an Exemplar 7 4 The RFID European Emblem . 10 4.1 General . 10 4.2 Guidelines on the use of the Common European RFID emblem . 11 4.3 Definition of the Common European RFID Notification Sign . 11 4.4 Placement of

10、signs . 12 4.4.1 General . 12 4.4.2 Presence of Readers 12 4.4.3 Placement of signs notifying the presence of readers . 12 4.4.4 Presence of tags . 12 4.5 Who should place signage on tagged items 13 4.6 Size of emblem 14 5 Guidelines on additional information . 14 5.1 General . 14 5.2 Name of the op

11、erator of the application . 15 5.2.1 Name 15 5.2.2 Contact point . 15 5.3 Purpose of the application . 15 5.4 Data processed . 16 5.5 Summary of the privacy impact assessment . 16 5.5.1 PIA report date 16 5.5.2 RFID application operator 16 5.5.3 RFID application overview . 16 5.5.4 Data on the RFID

12、tag 17 5.6 Likely privacy risks . 17 5.7 Measures to mitigate the risks 17 5.8 Privacy information policy for RFID 18 5.8.1 General . 18 5.8.2 Consumer and members of the public choice information promotional material 18 5.8.3 Consumer and members of the public choice information sales material and

13、pre-contract information . 19 5.8.4 Consumer and members of the public choice information means of conveying the information 19 5.8.5 Consumer and members of the public privacy information accessibility 19 5.8.6 Privacy related contractual and privacy policy information 20 5.8.7 Consumer and members

14、 of the public post sale user privacy information . 20 5.8.8 Consumer and members of the public information means of conveying the post sale user privacy information 21 5.9 Consumer and public information non application operator RFID privacy information 21 Annex A (informative) RFID applications in

15、 retail . 22 Annex B (informative) RFID applications in library . 25 Annex C (informative) RFID applications in transportation . 26 Annex D (informative) RFID applications in banking 31 Bibliography . 34 PD CEN/TR 16684:2014CEN/TR 16684:2014 (E) 3 Foreword This document (CEN/TR 16684:2014) has been

16、prepared by Technical Committee CEN/TC 225 “AIDC technologies”, the secretariat of which is held by NEN. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all s

17、uch patent rights. This Technical Report is one of a series of related deliverables, which comprise mandate 436 Phase 2. The other deliverables are: EN 16570, Information technology Notification of RFID The information sign and additional information to be provided by operators of RFID application s

18、ystems EN 16571, Information technology RFID privacy impact assessment process EN 16656, Information technology Radio frequency identification for item management - RFID Emblem (ISO/IEC 29160:2012, modified) CEN/TS 16685, Information technology Notification of RFID The information sign to be display

19、ed in areas where RFID interrogators are deployed CEN/TR 16669, Information technology Device interface to support ISO/IEC 18000-3 Mode 1 CEN/TR 16670, Information technology RFID threat and vulnerability analysis CEN/TR 16671, Information technology Authorisation of mobile phones when used as RFID

20、interrogators CEN/TR 16672, Information technology Privacy capability features of current RFID technologies CEN/TR 16673, Information technology RFID privacy impact assessment analysis for specific sectors CEN/TR 16674, Information technology Analysis of privacy impact assessment methodologies relev

21、ant to RFID PD CEN/TR 16684:2014CEN/TR 16684:2014 (E) 4 0 Introduction 0.1 General In response to the growing deployment of RFID systems in Europe, the European Commission published in 2007 the Communication COM(2007) 96 RFID in Europe: steps towards a policy framework. This Communication proposed s

22、teps which needed to be taken to reduce barriers to adoption of RFID whilst respecting the basic legal framework safeguarding fundamental values such as health, environment, data protection, privacy and security. In December 2008, the European Commission addressed Mandate M/436 to CEN, CENELEC and E

23、TSI in the field of ICT as applied to RFID systems. The Mandate M/436 was accepted by the ESOs in the first months of 2009. The Mandate addresses the data protection, privacy and information aspects of RFID, and is being executed in two phases. Phase 1, completed in May 2011, identified the work nee

24、ded to produce a complete framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report TR 187 020, which was published in May 2011. Phase 2 is concerned with the execution of the standardization work programme identified in the first phase. This document will pr

25、ovide the additional information of the RFID application that will need to be provided to a citizen by accessing the source identified on the sign where the RFID application is operating. This information will be aligned with the details set out in the Recommendation, but some of this might not be a

26、vailable at the outset, a TR is the preferred form of initial delivery to establish basic requirements. 0.2 Overview On March 15th2007, the European Commission presented to the European Parliament a communication about the steps towards a Policy Framework for Radio Frequency Identification in Europe

27、. Here below is an extract: “COMMISSION RECOMMENDATION of 2009/05/12 on the implementation of privacy and data protection principles in applications supported by radio-frequency identification SEC (2009) 585SEC (2009) 586. Radio frequency identification (RFID) is a technology that allows automatic i

28、dentification and data capture by using radio frequencies. The salient features of this technology are that they permit the attachment of a unique identifier and other information using a microchip to any object, animal or even a person, and to read this information through a wireless device. RFID i

29、s not just “electronic tags“ or “electronic barcodes“. When linked to databases and communications networks, such as the Internet, this technology provides a very powerful way of delivering new services and applications, in potentially any environment. RFID technology is indeed seen as the gateway t

30、o a new phase of development of the Information Society, often referred to as the “internet of things“ in which the internet does not only link computers and communications terminals, but potentially any of our daily surrounding objects be they clothes, consumer goods, etc. It is this prospect that

31、provoked the European Council of December 2006 to ask the European Commission to review the challenges of the next generation of Internet and networks at the 2008 Spring Council. RFID is of policy concern because of its potential to become a new motor of growth and jobs, and thus a powerful contribu

32、tor to the Lisbon Strategy, if the barriers to innovation can be overcome. The production price of RFID tags is now approaching a level that permits wide commercial and public sector deployment. With wider use, it becomes essential that the implementation of RFID takes place under a legal framework

33、that affords citizens effective safeguards for fundamental values, health, data protection and privacy. It is for these reasons that the Commission carried out a public consultation on RFID in 2006, which highlighted the expectations of the technology based on the results of early adopters but also

34、the concerns of citizens about RFID applications that involve identification and/or tracking of persons. PD CEN/TR 16684:2014CEN/TR 16684:2014 (E) 5 Data protection, privacy and security In the public debate on RFID, there are serious concerns that this pervasive and enabling technology might endang

35、er privacy: RFID technology may be used to collect information that is directly or indirectly linked to an identifiable or identified person and is therefore deemed to be personal data; RFID tags may store personal data such as on passports or medical records; RFID technology could be used to track/

36、trace peoples movements or to profile peoples behaviour (e.g., in public places or at the workplace). Indeed, the Commissions public consultation underlined the concern of citizens about the potential of RFID to be an intrusive technology. Adequate privacy safeguards are called for as a condition fo

37、r wide public acceptance of RFID. Respondents to the online consultation expect these safeguards to emerge from privacy enhancing technologies (70%) and awareness raising (67%); specific legislation on RFID was seen as the best solution by 55%. In addition, views are evenly balanced on whether socie

38、tal applications are really positive, with about 40% of responses on each side. Stakeholders have raised concerns about potential infringements of fundamental values, privacy and greater surveillance, especially in the workplace resulting in discrimination, exclusion victimisation and possible job l

39、oss. It is clear that the application of RFID must be socially and politically acceptable, ethically admissible and legally allowable. RFID will only be able to deliver its numerous economic and societal benefits if effective guarantees are in place on data protection, privacy and the associated eth

40、ical dimensions that lie at the heart of the debate on the public acceptance of RFID. The protection of personal data is an important principle in the EU. Article 6 of the Treaty on the European Union states that the Union is founded on the principles of liberty, democracy, respect for human rights

41、and fundamental freedoms; Article 30 requires appropriate provisions on the protection of personal data for the collection, storage, processing, analysis and exchange of information in the field of police co-operation. The protection of personal data is set as one of the freedoms in Article 8 of the

42、 Charter of Fundamental Rights. The Community legislation framework on data protection and privacy in Europe was designed to be robust in the face of innovation. The protection of personal data is covered by the general Data Protection Directive regardless of the means and procedures used for data p

43、rocessing. The Directive is applicable to all technologies, including RFID. It defines the principles of data protection and requires that a data controller implements these principles and ensure the security of the processing of personal data. The general Data Protection Directive is complemented b

44、y the ePrivacy Directive which applies these principles to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks. Due to this limitation, many RFID applications fall only under the general Data Prot

45、ection Directive and are not directly covered by the ePrivacy Directive. Pursuant to these Directives, public authorities in Member States are charged with the monitoring whether the provisions adopted by Member States are correctly applied. They will have to ensure that the introduction of RFID app

46、lications complies with privacy and data protection legislation. It may therefore be necessary to provide detailed guidance on practical implementation of new technologies, such as RFID. For these purposes both directives foresee the drawing up of specific codes of conduct. This process implies a re

47、view of these codes at national level by the competent data protection authority, and a review at European level through the “Article 29 Working Party“. “ One of the action items contained in the communication was the creation of a Stakeholders Group with the task to provide an open platform allowin

48、g a dialogue between consumers associations, market actors and National and European authorities in order to support the European Commission in its effort to promote awareness campaigns at Member state and citizen level about the opportunities and challenges of RFID. The outcome of the work performe

49、d by this Group was the publication of a PIA Framework that was endorsed by Article 29 Working Party on February 11th2010. In parallel, on May 12th2009, the European Commission published a Recommendation on the implementation of Privacy and Data protection principles supported by Radio frequency Identification (RFID) . This document provides: PD CEN/TR 16684:2014CEN/TR 16684:2014 (E) 6 guidance to Member States on the design and operation of RFID applications in a lawful, ethical and socially and politic