BS EN 16571-2014 Information technology RFID privacy impact assessment process《信息技术 射频识别隐私影响评估过程》.pdf

上传人:bonesoil321 文档编号:573930 上传时间:2018-12-13 格式:PDF 页数:108 大小:1.80MB
下载 相关 举报
BS EN 16571-2014 Information technology RFID privacy impact assessment process《信息技术 射频识别隐私影响评估过程》.pdf_第1页
第1页 / 共108页
BS EN 16571-2014 Information technology RFID privacy impact assessment process《信息技术 射频识别隐私影响评估过程》.pdf_第2页
第2页 / 共108页
BS EN 16571-2014 Information technology RFID privacy impact assessment process《信息技术 射频识别隐私影响评估过程》.pdf_第3页
第3页 / 共108页
BS EN 16571-2014 Information technology RFID privacy impact assessment process《信息技术 射频识别隐私影响评估过程》.pdf_第4页
第4页 / 共108页
BS EN 16571-2014 Information technology RFID privacy impact assessment process《信息技术 射频识别隐私影响评估过程》.pdf_第5页
第5页 / 共108页
点击查看更多>>
资源描述

1、BSI Standards PublicationBS EN 16571:2014Information technology RFIDprivacy impact assessmentprocessBS EN 16571:2014 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of EN 16571:2014.The UK participation in its preparation was entrusted to TechnicalCommittee IST/34, Au

2、tomatic identification and data capturetechniques.A list of organizations represented on this committee can beobtained on request to its secretary.This publication does not purport to include all the necessaryprovisions of a contract. Users are responsible for its correctapplication. The British Sta

3、ndards Institution 2014. Published by BSI StandardsLimited 2014ISBN 978 0 580 81786 1ICS 35.240.60Compliance with a British Standard cannot confer immunity fromlegal obligations.This British Standard was published under the authority of theStandards Policy and Strategy Committee on 30 June 2014.Amen

4、dments issued since publicationDate Text affectedBS EN 16571:2014EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN 16571 June 2014 ICS 35.240.60 English Version Information technology - RFID privacy impact assessment process Technologies de linformation - Processus dvaluation dimpact sur la vie p

5、rive des applications RFID Verfahren zur Datenschutzfolgenabschtzung (PIA) von RFID This European Standard was approved by CEN on 14 May 2014. CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a na

6、tional standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member. This European Standard exists in three official versions (English, French, German). A v

7、ersion in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus

8、, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingd

9、om. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2014 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN 16571:20

10、14 EBS EN 16571:2014EN 16571:2014 (E) 2 Contents Page Foreword 5 Introduction .6 1 Scope 7 2 Normative references 7 3 Terms and definitions .7 4 Symbols and abbreviations . 11 5 Structure of this European Standard 12 6 Field of reference for this European Standard 12 6.1 RFID as defined by the EU RF

11、ID Recommendation 12 6.2 RFID application as defined by the EU RFID Recommendation 13 6.3 RFID operator as defined by the EU RFID Recommendation . 13 6.4 Relationship between the RFID PIA and data protection and security . 14 6.5 Relevant inputs for the PIA process . 17 6.5.1 General . 17 6.5.2 The

12、privacy capability statement 17 6.5.3 The Registration Authority 17 6.5.4 RFID PIA templates . 17 7 RFID operators organizational objectives of the RFID PIA . 17 7.1 Overview 17 7.2 Meeting and exceeding legal requirements . 18 7.3 When to undertake the RFID PIA . 19 7.3.1 General . 19 7.3.2 Underta

13、king a PIA at the design stage before the RFID system becomes operational 19 7.3.3 Undertaking a PIA at a review and update the design-based PIA . 19 7.3.4 Undertaking a PIA to contribute to the development of a template 19 7.3.5 Undertaking a PIA with an established template . 20 7.3.6 Undertaking

14、a PIA at the introduction of a new function within the RFID application 20 7.3.7 Undertaking a PIA based on changes in RFID technology 20 7.3.8 Undertaking a PIA when a privacy breach has been reported . 20 8 Tools to simplify the process 21 8.1 RFID operator responsibility . 21 8.2 RFID technology

15、privacy capability tools - overview 21 8.3 Registration of RFID privacy capability statements by RFID product manufacturers 21 8.3.1 General . 21 8.3.2 Obligations of the Registration Authority 21 8.3.3 Appointment 22 8.3.4 Resignation . 22 8.3.5 Responsibilities of the RFID product manufacturers .

16、22 8.4 RFID technology privacy capability tools - details 23 8.4.1 RFID integrated circuit privacy capabilities . 23 8.4.2 RFID tag privacy capabilities . 23 8.4.3 RFID interrogator privacy capabilities 23 8.4.4 The default privacy capability statement . 23 8.4.5 Using CEN/TR 16672 to construct priv

17、acy capabilities for products using proprietary protocols 24 8.5 Templates 24 8.5.1 General . 24 BS EN 16571:2014EN 16571:2014 (E) 3 8.5.2 Developing a template 24 8.5.3 Who should prepare the templates? . 25 8.5.4 The role of stakeholders in template development . 25 9 RFID PIA - a process approach

18、 26 9.1 Introduction 26 9.2 Process Steps 26 9.3 Achieving the correct level of detail 27 9.3.1 General . 27 9.3.2 Level 0 no PIA . 27 9.3.3 Level 1 small scale PIA 27 9.3.4 Level 2 PIA focussed on the controlled domain of the application 27 9.3.5 Level 3 Full scale (complete) PIA of the application

19、 . 28 9.3.6 Reducing the effort for the SME organization 28 9.4 Process methodology . 29 10 Preparing the RFID functional statement 30 11 Preparing the description of the RFID applications 31 11.1 Introduction 31 11.2 Multiple applications . 31 11.3 RFID application overview 32 11.3.1 General . 32 1

20、1.3.2 Determine which RFID technology is intended or being used . 32 11.3.3 Determine the RFID components used in the application 33 11.3.4 RFID applications on portable devices . 34 11.4 Data on the RFID tag . 36 11.4.1 General . 36 11.4.2 Determine what inherent identifiable features are possessed

21、 by the RFID tag 36 11.4.3 Listing the data elements encoded on the RFID tag 37 11.4.4 Determine whether encoded data can be considered identifiable . 37 11.4.5 Determine whether personal data is encoded on the tag . 38 11.5 Additional data on the application . 38 11.6 RFID data processing 38 11.7 I

22、nternal transfer of RFID data . 39 11.8 External transfer of RFID data 39 11.9 RFID application description sign off 39 12 Risk Assessment . 40 12.1 Procedural requirements derived from the RFID Recommendation 40 12.1.1 Common procedure requirements for all RFID operators 40 12.1.2 Requirements for

23、retailers that are RFID operators 41 12.1.3 Procedure requirements for manufacturers of products eventually sold to consumers 42 12.2 Asset identification and valuation . 42 12.2.1 General . 42 12.2.2 Identification of assets 43 12.2.3 Valuing assets . 44 12.3 Threat identification and evaluation 47

24、 12.3.1 General . 47 12.3.2 Identification and classification of threats . 48 12.3.3 Evaluating threats . 49 12.3.4 The process for the SME organization 50 12.4 Identifying vulnerabilities and enumerating the associated risk levels 50 12.4.1 Basic procedure 50 12.4.2 Procedure to account for exposur

25、e time 51 12.5 Initial risk level . 51 12.6 Countermeasures 53 12.6.1 General . 53 12.6.2 Identifying countermeasures . 53 BS EN 16571:2014EN 16571:2014 (E) 4 12.6.3 Reassessing risk levels . 55 12.7 Residual risks 55 12.8 RFID PIA endorsement . 56 13 Worked example of the risk assessment process 56

26、 14 The PIA summary report 56 14.1 PIA report date 56 14.2 RFID application operator 56 14.3 RFID application overview . 56 14.4 Data on the RFID tag 56 14.5 RFID Privacy Impact Assessment score 57 14.6 RFID countermeasures 57 15 Revision control 57 16 Monitoring and incident response 58 Annex A (no

27、rmative) Details of Registration Authority 59 Annex B (informative) RFID manufacturers product privacy capability statements 60 B.1 RFID integrated circuit (chip) privacy features 60 B.2 RFID interrogator privacy features . 62 Annex C (informative) RFID Privacy Impact Assessment flowchart . 65 Annex

28、 D (informative) Template development 67 Annex E (informative) Flowchart to determine the RFID PIA level 68 Annex F (informative) RFID functional statement . 69 Annex G (normative) RFID application description 70 Annex H (informative) Identification and valuation of personal privacy assets 71 H.1 In

29、dividually held personal privacy asset 71 H.2 Assets that apply to the organization . 76 Annex I (informative) RFID threats . 77 I.1 Threats associated with the data encoded on the RFID tag and the RFID tag (or RF card) itself 77 I.2 Threats associated with the air interface or the device interface

30、communication 80 I.3 Threats associated with the interrogator (or reader) 85 I.4 Threats associated with the host application 85 Annex J (informative) Countermeasures . 88 J.1 List of countermeasures 88 J.2 Threat and countermeasure mappings 90 Annex K (informative) PIA risk assessment example . 94

31、K.1 Introduction . 94 K.2 Ranking the assets . 94 K.3 Considering threats at the tag layer and air interface layer . 95 K.4 Considering threats at the interrogator layer 96 K.5 Considering threats at the device interface layer . 97 K.6 Considering threats at the application layer 97 K.7 Considering

32、vulnerabilities 98 K.8 Risk scores after considering all the threats and vulnerabilities 98 K.9 Applying countermeasures . 99 K.10 Overall risk 99 Annex L (informative) RFID Privacy Impact Assessment summary . 101 Bibliography . 102 BS EN 16571:2014EN 16571:2014 (E) 5 Foreword This document (EN 1657

33、1:2014) has been prepared by Technical Committee CEN/TC 225 “AIDC technologies”, the secretariat of which is held by NEN. This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by December 2014, and conflic

34、ting national standards shall be withdrawn at the latest by December 2014. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights. This docume

35、nt has been prepared under a mandate given to CEN by the European Commission and the European Free Trade Association. This European Standard is one of a series of related deliverables, which together comprise M/436 Phase 2. The other deliverables are: EN 16570, Information technology Notification of

36、 RFID The information sign and additional information to be provided by operators of RFID application systems; EN 16656, Information technology Radio frequency identification for item management RFID Emblem (ISO/IEC 29160:2012, modified); CEN/TR 16669, Information technology Device interface to supp

37、ort ISO/IEC 18000-3; CEN/TR 16670, Information technology RFID threat and vulnerability analysis; CEN/TR 16671, Information technology Authorisation of mobile phones when used as RFID interrogators; CEN/TR 16672, Information technology Privacy capability features of current RFID technologies; CEN/TR

38、 166731), Information technology RFID privacy impact assessment analysis for specific sectors; CEN/TR 16674, Information technology Analysis of privacy impact assessment methodologies relevant to RFID; CEN/TR 166842), Information technology Notification of RFID Additional information to be provided

39、by operators; CEN/TS 16685, Information technology Notification of RFID The information sign to be displayed in areas where RFID interrogators are deployed. According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this

40、European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia,

41、 Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. 1) CEN/TR 16673 contains practical examples of PIA systems. 2) CEN/TR 16684 contains practical examples of notification signage systems. BS EN 16571:2014EN 16571:2014 (E) 6 Introduction In response to the growing deployment of RFI

42、D systems in Europe, the European Commission published in 2007 the Communication COM (2007) 96 RFID in Europe: steps towards a policy framework. This Communication proposed steps which needed to be taken to reduce barriers to adoption of RFID whilst respecting the basic legal framework safeguarding

43、fundamental values such as health, environment, data protection, privacy and security. In December 2008, the European Commission addressed Mandate M/436 to CEN, CENELEC and ETSI in the field of ICT as applied to RFID systems. The Mandate M/436 was accepted by the ESOs in the first months of 2009. Th

44、e Mandate addresses the data protection, privacy and information aspects of RFID, and is being executed in two phases. Phase 1, completed in May 2011, and identified the work needed to produce a complete framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Repo

45、rt TR 187 020, which was published in May 2011. Phase 2 is concerned with the execution of the standardization work programme identified in the first phase. This European Standard is one of 11 deliverables for M/436 Phase 2. It builds on the research undertaken in the two related Technical Reports:

46、CEN/TR 16673 provides an insight into how RFID privacy issues have been addressed in four sectors: libraries; retail; e-ticketing, toll roads, fee collection, events management; and banking and financial services. CEN/TR 16674 considers formal PIAs that are already in place, but not necessarily pres

47、ented as formal national standards. The procedures defined in this European Standard are intended to be used by individual RFID operators or entire sectors for conducting a PIA for RFID. As such, it will cite as references other deliverables included in M/436 Phase 2. A sector-based PIA can act as a

48、 template to assist in the development of a specific PIA. BS EN 16571:2014EN 16571:2014 (E) 7 1 Scope This European Standard has been prepared as part of the EU RFID Mandate M/436. It is based on the Privacy and Data Protection Impact Assessment Framework for RFID Applications, which was developed b

49、y industry, in collaboration with the civil society, endorsed by Article 29, Data Protection Working Party, and signed by all key stakeholders, including the European Commission, in 2011. It defines aspects of that framework as normative or informative procedures to enable a common European method for undertaking an RFID PIA. It provides a standardized set of procedures for developing PIA templates, including tools compatible with the RFID PIA methodology. In addition, it identifies the conditions that req

展开阅读全文
相关资源
猜你喜欢
  • ASTM D2632-2001(2014) Standard Test Method for Rubber PropertyResilience by Vertical Rebound《橡胶特性标准试验方法 垂直回跳法测定橡胶弹性》.pdf ASTM D2632-2001(2014) Standard Test Method for Rubber PropertyResilience by Vertical Rebound《橡胶特性标准试验方法 垂直回跳法测定橡胶弹性》.pdf
  • ASTM D2632-2014 Standard Test Method for Rubber PropertyResilience by Vertical Rebound《橡胶特性的标准试验方法 垂直回跳法测定橡胶弹性》.pdf ASTM D2632-2014 Standard Test Method for Rubber PropertyResilience by Vertical Rebound《橡胶特性的标准试验方法 垂直回跳法测定橡胶弹性》.pdf
  • ASTM D2632-2015 Standard Test Method for Rubber Property&x2014 Resilience by Vertical Rebound《橡胶特性的标准试验方法 采用垂直回弹法测定橡胶弹性》.pdf ASTM D2632-2015 Standard Test Method for Rubber Property&x2014 Resilience by Vertical Rebound《橡胶特性的标准试验方法 采用垂直回弹法测定橡胶弹性》.pdf
  • ASTM D2633-2002 Standard Test Methods for Thermoplastic Insulations and Jackets for Wire and Cable《电线及电缆用热塑绝缘材料和护套的标准试验方法》.pdf ASTM D2633-2002 Standard Test Methods for Thermoplastic Insulations and Jackets for Wire and Cable《电线及电缆用热塑绝缘材料和护套的标准试验方法》.pdf
  • ASTM D2633-2008 Standard Test Methods for Thermoplastic Insulations and Jackets for Wire and Cable《电线及电缆用热塑绝缘材料和护套的标准试验方法》.pdf ASTM D2633-2008 Standard Test Methods for Thermoplastic Insulations and Jackets for Wire and Cable《电线及电缆用热塑绝缘材料和护套的标准试验方法》.pdf
  • ASTM D2633-2012 Standard Test Methods for Thermoplastic Insulations and Jackets for Wire and Cable《电线及电缆用热塑绝缘材料和护套的标准试验方法》.pdf ASTM D2633-2012 Standard Test Methods for Thermoplastic Insulations and Jackets for Wire and Cable《电线及电缆用热塑绝缘材料和护套的标准试验方法》.pdf
  • ASTM D2633-2013 Standard Test Methods for Thermoplastic Insulations and Jackets for Wire and Cable《电线及电缆用热塑绝缘材料和护套的标准试验方法》.pdf ASTM D2633-2013 Standard Test Methods for Thermoplastic Insulations and Jackets for Wire and Cable《电线及电缆用热塑绝缘材料和护套的标准试验方法》.pdf
  • ASTM D2633-2013a Standard Test Methods for Thermoplastic Insulations and Jackets for Wire and Cable《电线及电缆用热塑绝缘材料和护套的标准试验方法》.pdf ASTM D2633-2013a Standard Test Methods for Thermoplastic Insulations and Jackets for Wire and Cable《电线及电缆用热塑绝缘材料和护套的标准试验方法》.pdf
  • ASTM D2634-2007 Standard Specification for Methyl Amyl Acetate (95 % Grade)《乙酸甲基戊酯标准规范(95%级)》.pdf ASTM D2634-2007 Standard Specification for Methyl Amyl Acetate (95 % Grade)《乙酸甲基戊酯标准规范(95%级)》.pdf
  • 相关搜索

    当前位置:首页 > 标准规范 > 国际标准 > BS

    copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
    备案/许可证编号:苏ICP备17064731号-1