BSI Standards Publication

BS EN 16571:2014

Information technology - RFID privacy impact assessment process

BRITISH STANDARD

National foreword

This British Standard is the UK implementation of EN 16571:2014.

The UK participation in its preparation was entrusted to Technical Committee IST/34, Automatic identification and data capture techniques.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2014. Published by BSI Standards Limited 2014

ISBN 978 0 580 81786 1

ICS 35.240.60

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 June 2014.

Amendments issued since publication
Date | Text affected

EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM

EN 16571

June 2014

ICS 35.240.60

English Version

Information technology - RFID privacy impact assessment process

Technologies de l'information - Processus d'évaluation d'impact sur la vie privée des applications RFID

Verfahren zur Datenschutzfolgenabschätzung (PIA) von RFID

This European Standard was approved by CEN on 14 May 2014.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels

© 2014 CEN. All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.

Ref. No. EN 16571:2014 E

EN 16571:2014 (E)

Contents (entry ... page)

Foreword ... 5
Introduction ... 6
1 Scope ... 7
2 Normative references ... 7
3 Terms and definitions ... 7
4 Symbols and abbreviations ... 11
5 Structure of this European Standard ... 12
6 Field of reference for this European Standard ... 12
6.1 RFID as defined by the EU RFID Recommendation ... 12
6.2 RFID application as defined by the EU RFID Recommendation ... 13
6.3 RFID operator as defined by the EU RFID Recommendation ... 13
6.4 Relationship between the RFID PIA and data protection and security ... 14
6.5 Relevant inputs for the PIA process ... 17
6.5.1 General ... 17
6.5.2 The privacy capability statement ... 17
6.5.3 The Registration Authority ... 17
6.5.4 RFID PIA templates ... 17
7 RFID operators' organizational objectives of the RFID PIA ... 17
7.1 Overview ... 17
7.2 Meeting and exceeding legal requirements ... 18
7.3 When to undertake the RFID PIA ... 19
7.3.1 General ... 19
7.3.2 Undertaking a PIA at the design stage before the RFID system becomes operational ... 19
7.3.3 Undertaking a PIA at a review and update the design-based PIA ... 19
7.3.4 Undertaking a PIA to contribute to the development of a template ... 19
7.3.5 Undertaking a PIA with an established template ... 20
7.3.6 Undertaking a PIA at the introduction of a new function within the RFID application ... 20
7.3.7 Undertaking a PIA based on changes in RFID technology ... 20
7.3.8 Undertaking a PIA when a privacy breach has been reported ... 20
8 Tools to simplify the process ... 21
8.1 RFID operator responsibility ... 21
8.2 RFID technology privacy capability tools - overview ... 21
8.3 Registration of RFID privacy capability statements by RFID product manufacturers ... 21
8.3.1 General ... 21
8.3.2 Obligations of the Registration Authority ... 21
8.3.3 Appointment ... 22
8.3.4 Resignation ... 22
8.3.5 Responsibilities of the RFID product manufacturers ... 22
8.4 RFID technology privacy capability tools - details ... 23
8.4.1 RFID integrated circuit privacy capabilities ... 23
8.4.2 RFID tag privacy capabilities ... 23
8.4.3 RFID interrogator privacy capabilities ... 23
8.4.4 The default privacy capability statement ... 23
8.4.5 Using CEN/TR 16672 to construct privacy capabilities for products using proprietary protocols ... 24
8.5 Templates ... 24
8.5.1 General ... 24
8.5.2 Developing a template ... 24
8.5.3 Who should prepare the templates? ... 25
8.5.4 The role of stakeholders in template development ... 25
9 RFID PIA - a process approach ... 26
9.1 Introduction ... 26
9.2 Process Steps ... 26
9.3 Achieving the correct level of detail ... 27
9.3.1 General ... 27
9.3.2 Level 0 - no PIA ... 27
9.3.3 Level 1 - small scale PIA ... 27
9.3.4 Level 2 - PIA focussed on the controlled domain of the application ... 27
9.3.5 Level 3 - Full scale (complete) PIA of the application ... 28
9.3.6 Reducing the effort for the SME organization ... 28
9.4 Process methodology ... 29
10 Preparing the RFID functional statement ... 30
11 Preparing the description of the RFID applications ... 31
11.1 Introduction ... 31
11.2 Multiple applications ... 31
11.3 RFID application overview ... 32
11.3.1 General ... 32
11.3.2 Determine which RFID technology is intended or being used ... 32
11.3.3 Determine the RFID components used in the application ... 33
11.3.4 RFID applications on portable devices ... 34
11.4 Data on the RFID tag ... 36
11.4.1 General ... 36
11.4.2 Determine what inherent identifiable features are possessed by the RFID tag ... 36
11.4.3 Listing the data elements encoded on the RFID tag ... 37
11.4.4 Determine whether encoded data can be considered identifiable ... 37
11.4.5 Determine whether personal data is encoded on the tag ... 38
11.5 Additional data on the application ... 38
11.6 RFID data processing ... 38
11.7 Internal transfer of RFID data ... 39
11.8 External transfer of RFID data ... 39
11.9 RFID application description sign off ... 39
12 Risk Assessment ... 40
12.1 Procedural requirements derived from the RFID Recommendation ... 40
12.1.1 Common procedure requirements for all RFID operators ... 40
12.1.2 Requirements for retailers that are RFID operators ... 41
12.1.3 Procedure requirements for manufacturers of products eventually sold to consumers ... 42
12.2 Asset identification and valuation ... 42
12.2.1 General ... 42
12.2.2 Identification of assets ... 43
12.2.3 Valuing assets ... 44
12.3 Threat identification and evaluation ... 47
12.3.1 General ... 47
12.3.2 Identification and classification of threats ... 48
12.3.3 Evaluating threats ... 49
12.3.4 The process for the SME organization ... 50
12.4 Identifying vulnerabilities and enumerating the associated risk levels ... 50
12.4.1 Basic procedure ... 50
12.4.2 Procedure to account for exposure time ... 51
12.5 Initial risk level ... 51
12.6 Countermeasures ... 53
12.6.1 General ... 53
12.6.2 Identifying countermeasures ... 53
12.6.3 Reassessing risk levels ... 55
12.7 Residual risks ... 55
12.8 RFID PIA endorsement ... 56
13 Worked example of the risk assessment process ... 56
14 The PIA summary report ... 56
14.1 PIA report date ... 56
14.2 RFID application operator ... 56
14.3 RFID application overview ... 56
14.4 Data on the RFID tag ... 56
14.5 RFID Privacy Impact Assessment score ... 57
14.6 RFID countermeasures ... 57
15 Revision control ... 57
16 Monitoring and incident response ... 58
Annex A (normative) Details of Registration Authority ... 59
Annex B (informative) RFID manufacturers' product privacy capability statements ... 60
B.1 RFID integrated circuit (chip) privacy features ... 60
B.2 RFID interrogator privacy features ... 62
Annex C (informative) RFID Privacy Impact Assessment flowchart ... 65
Annex D (informative) Template development ... 67
Annex E (informative) Flowchart to determine the RFID PIA level ... 68
Annex F (informative) RFID functional statement ... 69
Annex G (normative) RFID application description ... 70
Annex H (informative) Identification and valuation of personal privacy assets ... 71
H.1 Individually held personal privacy asset ... 71
H.2 Assets that apply to the organization ... 76
Annex I (informative) RFID threats ... 77
I.1 Threats associated with the data encoded on the RFID tag and the RFID tag (or RF card) itself ... 77
I.2 Threats associated with the air interface or the device interface communication ... 80
I.3 Threats associated with the interrogator (or reader) ... 85
I.4 Threats associated with the host application ... 85
Annex J (informative) Countermeasures ... 88
J.1 List of countermeasures ... 88
J.2 Threat and countermeasure mappings ... 90
Annex K (informative) PIA risk assessment example ... 94
K.1 Introduction ... 94
K.2 Ranking the assets ... 94
K.3 Considering threats at the tag layer and air interface layer ... 95
K.4 Considering threats at the interrogator layer ... 96
K.5 Considering threats at the device interface layer ... 97
K.6 Considering threats at the application layer ... 97
K.7 Considering vulnerabilities ... 98
K.8 Risk scores after considering all the threats and vulnerabilities ... 98
K.9 Applying countermeasures ... 99
K.10 Overall risk ... 99
Annex L (informative) RFID Privacy Impact Assessment summary ... 101
Bibliography ... 102

Foreword

This document (EN 16571:2014) has been prepared by Technical Committee CEN/TC 225 "AIDC technologies", the secretariat of which is held by NEN.

This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by December 2014, and conflicting national standards shall be withdrawn at the latest by December 2014.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights.

This document has been prepared under a mandate given to CEN by the European Commission and the European Free Trade Association.

This European Standard is one of a series of related deliverables, which together comprise M/436 Phase 2. The other deliverables are:

EN 16570, Information technology - Notification of RFID - The information sign and additional information to be provided by operators of RFID application systems;
EN 16656, Information technology - Radio frequency identification for item management - RFID Emblem (ISO/IEC 29160:2012, modified);
CEN/TR 16669, Information technology - Device interface to support ISO/IEC 18000-3;
CEN/TR 16670, Information technology - RFID threat and vulnerability analysis;
CEN/TR 16671, Information technology - Authorisation of mobile phones when used as RFID interrogators;
CEN/TR 16672, Information technology - Privacy capability features of current RFID technologies;
CEN/TR 16673 1), Information technology - RFID privacy impact assessment analysis for specific sectors;
CEN/TR 16674, Information technology - Analysis of privacy impact assessment methodologies relevant to RFID;
CEN/TR 16684 2), Information technology - Notification of RFID - Additional information to be provided by operators;
CEN/TS 16685, Information technology - Notification of RFID - The information sign to be displayed in areas where RFID interrogators are deployed.

According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

1) CEN/TR 16673 contains practical examples of PIA systems.
2) CEN/TR 16684 contains practical examples of notification signage systems.

Introduction

In response to the growing deployment of RFID systems in Europe, the European Commission published in 2007 the Communication COM (2007) 96 "RFID in Europe: steps towards a policy framework". This Communication proposed steps which needed to be taken to reduce barriers to adoption of RFID whilst respecting the basic legal framework safeguarding fundamental values such as health, environment, data protection, privacy and security.

In December 2008, the European Commission addressed Mandate M/436 to CEN, CENELEC and ETSI in the field of ICT as applied to RFID systems. The Mandate M/436 was accepted by the ESOs in the first months of 2009.

The Mandate addresses the data protection, privacy and information aspects of RFID, and is being executed in two phases. Phase 1, completed in May 2011, identified the work needed to produce a complete framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report TR 187 020, which was published in May 2011.

Phase 2 is concerned with the execution of the standardization work programme identified in the first phase. This European Standard is one of 11 deliverables for M/436 Phase 2. It builds on the research undertaken in the two related Technical Reports:

CEN/TR 16673 provides an insight into how RFID privacy issues have been addressed in four sectors: libraries; retail; e-ticketing, toll roads, fee collection, events management; and banking and financial services.
CEN/TR 16674 considers formal PIAs that are already in place, but not necessarily presented as formal national standards.

The procedures defined in this European Standard are intended to be used by individual RFID operators or entire sectors for conducting a PIA for RFID. As such, it will cite as references other deliverables included in M/436 Phase 2. A sector-based PIA can act as a template to assist in the development of a specific PIA.

1 Scope

This European Standard has been prepared as part of the EU RFID Mandate M/436. It is based on the Privacy and Data Protection Impact Assessment Framework for RFID Applications, which was developed by industry, in collaboration with the civil society, endorsed by Article 29, Data Protection Working Party, and signed by all key stakeholders, including the European Commission, in 2011. It defines aspects of that framework as normative or informative procedures to enable a common European method for undertaking an RFID PIA. It provides a standardized set of procedures for developing PIA templates, including tools compatible with the RFID PIA methodology. In addition, it identifies the conditions that req