Commissioner Frank Work is urging Alberta businesses to consider their privacy obligations prior to implementing radio frequency identification (RFID) devices.
RFID tags are commonly used in the retail industry to track inventory and purchasing information. Similar to bar codes, the tags contain data that can be transmitted and collected by the organization utilizing the technology.
RFID chips can be embedded into products and clothing and covertly read without the knowledge of the individual. A small tag embedded into an article of clothing could be activated every time the customer entered or left the store where the item was bought. That tag could also be read by any other business or government department that has installed a compatible reader.
While RFID tags are currently used primarily to identify and manage products, the technology has the potential for a much wider application. As a result, organizations need to be aware that there may be privacy implications when RFID product identification data is linked to a specific individual, for example through credit card or loyalty card information.
“Organizations that are considering the use of RFID devices need to ensure that privacy is not an afterthought, and should build fair information practices into the design and implementation of the technology,” says Commissioner Work. Among the key points to consider are:
- Whether the same purpose may be achieved using less invasive means.
- If the decision is made to use RFID technology, ensure that it is done in an open and transparent way; this means informing individuals that products contain RFID tags, and obtaining their consent when necessary.
- Similarly, individuals must be made aware of the specific purpose for which their personal information is being collected, and organizations must use the information only for that purpose.
- Strict controls regarding security and the integrity of the technology must be implemented.
- Individuals should have the ability to deactivate or disable RFID tags, as appropriate.
- Any personal information collected should be retained only as long as necessary to carry out the original purpose.
- Individuals should have the ability to ask questions about the technology and receive accurate, timely responses from the organization.