1、BSI Standards Publication PD CEN/TR 16684:2014 Information technology Notification of RFID Additional information to be provided by operatorsPD CEN/TR 16684:2014 PUBLISHED DOCUMENT National foreword This Published Document is the UK implementation of CEN/TR 16684:2014. The UK participation in its pr
2、eparation was entrusted to Technical Committee IST/34, Automatic identification and data capture techniques. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Use
3、rs are responsible for its correct application. The British Standards Institution 2014. Published by BSI Standards Limited 2014 ISBN 978 0 580 84084 5 ICS 35.240.60 Compliance with a British Standard cannot confer immunity from legal obligations. This Published Document was published under the autho
4、rity of the Standards Policy and Strategy Committee on 30 June 2014. Amendments/corrigenda issued since publication Date T e x t a f f e c t e dPD CEN/TR 16684:2014TECHNICAL REPORT RAPPORT TECHNIQUE TECHNISCHER BERICHT CEN/TR 16684 June 2014 ICS 35.240.60 English Version Information technology - Not
5、ification of RFID - Additional information to be provided by operators Technologies de linformation - Notification didentification par radiofrquence (RFID) - Informations complmentaires fournir par les oprateurs Informationstechnik - Notifizierung von RFID: Zustzliche vom Betreiber zur Verfgung zu s
6、tellende Information This Technical Report was approved by CEN on 8 March 2014. It has been drawn up by the Technical Committee CEN/TC 225. CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republi
7、c of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALIS
8、ATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2014 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. CEN/TR 16684:2014 EPD CEN/TR 16684:2014 CEN/TR 16684:2014 (E) 2 Contents Page F
9、oreword 3 0 Introduction 4 0.1 General 4 0.2 Overview .4 1 Scope 7 2 Terms and definitions .7 3 CCTV as an Exemplar 7 4 The RFID European Emblem . 10 4.1 General . 10 4.2 Guidelines on the use of the Common European RFID emblem . 11 4.3 Definition of the Common European RFID Notification Sign . 11 4
10、.4 Placement of signs . 12 4.4.1 General . 12 4.4.2 Presence of Readers 12 4.4.3 Placement of signs notifying the presence of readers . 12 4.4.4 Presence of tags . 12 4.5 Who should place signage on tagged items 13 4.6 Size of emblem 14 5 Guidelines on additional information . 14 5.1 General . 14 5.
11、2 Name of the operator of the application . 15 5.2.1 Name 15 5.2.2 Contact point . 15 5.3 Purpose of the application . 15 5.4 Data processed . 16 5.5 Summary of the privacy impact assessment . 16 5.5.1 PIA report date 16 5.5.2 RFID application operator 16 5.5.3 RFID application overview . 16 5.5.4 D
12、ata on the RFID tag 17 5.6 Likely privacy risks . 17 5.7 Measures to mitigate the risks 17 5.8 Privacy information policy for RFID 18 5.8.1 General . 18 5.8.2 Consumer and members of the public choice information promotional material 18 5.8.3 Consumer and members of the public choice information sal
13、es material and pre- contract information . 19 5.8.4 Consumer and members of the public choice information means of conveying the information 19 5.8.5 Consumer and members of the public privacy information accessibility 19 5.8.6 Privacy related contractual and privacy policy information 20 5.8.7 Con
14、sumer and members of the public post sale user privacy information . 20 5.8.8 Consumer and members of the public information means of conveying the post sale user privacy information 21 5.9 Consumer and public information non application operator RFID privacy information 21 Annex A (informative) RFI
15、D applications in retail . 22 Annex B (informative) RFID applications in library . 25 Annex C (informative) RFID applications in transportation . 26 Annex D (informative) RFID applications in banking 31 Bibliography . 34 PD CEN/TR 16684:2014 CEN/TR 16684:2014 (E) 3 Foreword This document (CEN/TR 166
16、84:2014) has been prepared by Technical Committee CEN/TC 225 “AIDC technologies”, the secretariat of which is held by NEN. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identi
17、fying any or all such patent rights. This Technical Report is one of a series of related deliverables, which comprise mandate 436 Phase 2. The other deliverables are: EN 16570, Information technology Notification of RFID The information sign and additional information to be provided by operators of
18、RFID application systems EN 16571, Information technology RFID privacy impact assessment process EN 16656, Information technology Radio frequency identification for item management - RFID Emblem (ISO/IEC 29160:2012, modified) CEN/TS 16685, Information technology Notification of RFID The information
19、sign to be displayed in areas where RFID interrogators are deployed CEN/TR 16669, Information technology Device interface to support ISO/IEC 18000-3 Mode 1 CEN/TR 16670, Information technology RFID threat and vulnerability analysis CEN/TR 16671, Information technology Authorisation of mobile phones
20、when used as RFID interrogators CEN/TR 16672, Information technology Privacy capability features of current RFID technologies CEN/TR 16673, Information technology RFID privacy impact assessment analysis for specific sectors CEN/TR 16674, Information technology Analysis of privacy impact assessment m
21、ethodologies relevant to RFID PD CEN/TR 16684:2014 CEN/TR 16684:2014 (E) 4 0 Introduction 0.1 General In response to the growing deployment of RFID systems in Europe, the European Commission published in 2007 the Communication COM(2007) 96 RFID in Europe: steps towards a policy framework. This Commu
22、nication proposed steps which needed to be taken to reduce barriers to adoption of RFID whilst respecting the basic legal framework safeguarding fundamental values such as health, environment, data protection, privacy and security. In December 2008, the European Commission addressed Mandate M/436 to
23、 CEN, CENELEC and ETSI in the field of ICT as applied to RFID systems. The Mandate M/436 was accepted by the ESOs in the first months of 2009. The Mandate addresses the data protection, privacy and information aspects of RFID, and is being executed in two phases. Phase 1, completed in May 2011, iden
24、tified the work needed to produce a complete framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report TR 187 020, which was published in May 2011. Phase 2 is concerned with the execution of the standardization work programme identified in the first phase. Th
25、is document will provide the additional information of the RFID application that will need to be provided to a citizen by accessing the source identified on the sign where the RFID application is operating. This information will be aligned with the details set out in the Recommendation, but some of
26、this might not be available at the outset, a TR is the preferred form of initial delivery to establish basic requirements. 0.2 Overview On March 15 th2007, the European Commission presented to the European Parliament a communication about the steps towards a Policy Framework for Radio Frequency Iden
27、tification in Europe. Here below is an extract: “COMMISSION RECOMMENDATION of 2009/05/12 on the implementation of privacy and data protection principles in applications supported by radio-frequency identification SEC (2009) 585SEC (2009) 586. Radio frequency identification (RFID) is a technology tha
28、t allows automatic identification and data capture by using radio frequencies. The salient features of this technology are that they permit the attachment of a unique identifier and other information using a microchip to any object, animal or even a person, and to read this information through a wir
29、eless device. RFID is not just “electronic tags“ or “electronic barcodes“. When linked to databases and communications networks, such as the Internet, this technology provides a very powerful way of delivering new services and applications, in potentially any environment. RFID technology is indeed s
30、een as the gateway to a new phase of development of the Information Society, often referred to as the “internet of things“ in which the internet does not only link computers and communications terminals, but potentially any of our daily surrounding objects be they clothes, consumer goods, etc. It is
31、 this prospect that provoked the European Council of December 2006 to ask the European Commission to review the challenges of the next generation of Internet and networks at the 2008 Spring Council. RFID is of policy concern because of its potential to become a new motor of growth and jobs, and thus
32、 a powerful contributor to the Lisbon Strategy, if the barriers to innovation can be overcome. The production price of RFID tags is now approaching a level that permits wide commercial and public sector deployment. With wider use, it becomes essential that the implementation of RFID takes place unde
33、r a legal framework that affords citizens effective safeguards for fundamental values, health, data protection and privacy. It is for these reasons that the Commission carried out a public consultation on RFID in 2006, which highlighted the expectations of the technology based on the results of earl
34、y adopters but also the concerns of citizens about RFID applications that involve identification and/or tracking of persons. PD CEN/TR 16684:2014 CEN/TR 16684:2014 (E) 5 Data protection, privacy and security In the public debate on RFID, there are serious concerns that this pervasive and enabling te
35、chnology might endanger privacy: RFID technology may be used to collect information that is directly or indirectly linked to an identifiable or identified person and is therefore deemed to be personal data; RFID tags may store personal data such as on passports or medical records; RFID technology co
36、uld be used to track/trace peoples movements or to profile peoples behaviour (e.g., in public places or at the workplace). Indeed, the Commissions public consultation underlined the concern of citizens about the potential of RFID to be an intrusive technology. Adequate privacy safeguards are called
37、for as a condition for wide public acceptance of RFID. Respondents to the online consultation expect these safeguards to emerge from privacy enhancing technologies (70%) and awareness raising (67%); specific legislation on RFID was seen as the best solution by 55%. In addition, views are evenly bala
38、nced on whether societal applications are really positive, with about 40% of responses on each side. Stakeholders have raised concerns about potential infringements of fundamental values, privacy and greater surveillance, especially in the workplace resulting in discrimination, exclusion victimisati
39、on and possible job loss. It is clear that the application of RFID must be socially and politically acceptable, ethically admissible and legally allowable. RFID will only be able to deliver its numerous economic and societal benefits if effective guarantees are in place on data protection, privacy a
40、nd the associated ethical dimensions that lie at the heart of the debate on the public acceptance of RFID. The protection of personal data is an important principle in the EU. Article 6 of the Treaty on the European Union states that the Union is founded on the principles of liberty, democracy, resp
41、ect for human rights and fundamental freedoms; Article 30 requires appropriate provisions on the protection of personal data for the collection, storage, processing, analysis and exchange of information in the field of police co-operation. The protection of personal data is set as one of the freedom
42、s in Article 8 of the Charter of Fundamental Rights. The Community legislation framework on data protection and privacy in Europe was designed to be robust in the face of innovation. The protection of personal data is covered by the general Data Protection Directive regardless of the means and proce
43、dures used for data processing. The Directive is applicable to all technologies, including RFID. It defines the principles of data protection and requires that a data controller implements these principles and ensure the security of the processing of personal data. The general Data Protection Direct
44、ive is complemented by the ePrivacy Directive which applies these principles to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks. Due to this limitation, many RFID applications fall only under
45、the general Data Protection Directive and are not directly covered by the ePrivacy Directive. Pursuant to these Directives, public authorities in Member States are charged with the monitoring whether the provisions adopted by Member States are correctly applied. They will have to ensure that the int
46、roduction of RFID applications complies with privacy and data protection legislation. It may therefore be necessary to provide detailed guidance on practical implementation of new technologies, such as RFID. For these purposes both directives foresee the drawing up of specific codes of conduct. This
47、 process implies a review of these codes at national level by the competent data protection authority, and a review at European level through the “Article 29 Working Party“. “ One of the action items contained in the communication was the creation of a Stakeholders Group with the task to provide an
48、open platform allowing a dialogue between consumers associations, market actors and National and European authorities in order to support the European Commission in its effort to promote awareness campaigns at Member state and citizen level about the opportunities and challenges of RFID. The outcome
49、 of the work performed by this Group was the publication of a PIA Framework that was endorsed by Article 29 Working Party on February 11 th2010. In parallel, on May 12 th2009, the European Commission published a Recommendation on the implementation of Privacy and Data protection principles supported by Radio frequency Identification (RFID) . This document provides: PD CEN/TR 16684:2014 CEN/TR 16684:2014 (E) 6 guidance to Member States on the design and operation of RFID applications in a lawful, ethic
