By Sam Tyfield, Vedder Price.
Back in 2009, the EU issued a Recommendation (which has no binding legal effect) on the use and application of RFIDs (which, for our purposes, means ID/swipe/access cards). The EU has just issued a review of the implementation of the Recommendation EU-wide and has found take-up by EU Member States to be very low.
What it says:
Those recommendations include Member States ensuring that RFID operators:
- engage in a Privacy Impact Assessment (PIA) on the privacy implications of the RFID application;
- develop and publish a specific information policy for each application;
- inform individuals of the presence of readers on the basis of a common European RFID sign;
- ensure the default deactivation or removal of tags used in the retail trade; and
- together with Member States, engage in awareness raising of the potential benefits and risks associated with the use of RFID technology.
Member States should ensure that operators, notwithstanding their other obligations pursuant to Directive 95/46/EC [the Data Protection Directive]:
(a) conduct an assessment of the implications of the application implementation for the protection of personal data and privacy, including whether the application could be used to monitor an individual. The level of detail of the assessment should be appropriate to the privacy risks possibly associated with the application;
(b) take appropriate technical and organisational measures to ensure the protection of personal data and privacy;
(c) designate a person or group of persons responsible for reviewing the assessments and the continued appropriateness of the technical and organisational measures to ensure the protection of personal data and privacy;
(d) make available the assessment to the competent authority at least six weeks before the deployment of the application;
(e) once the framework for privacy and data protection impact assessments as set out in point (d) is available, implement the above provisions in accordance with it.
Why you should care:
- Because any firm with ID/swipe/access cards is an RFID ‘operator’
- Because implementation of the Recommendation has been nil/close to nil, the EU will consider taking steps to ensure that the Recommendation gets more teeth in 2016
- Because physical security and limiting access to areas are important in this industry and operate hand-in-glove with password and other systems access restrictions
- Because knowing where a systemically important person is at a point in time (e.g., your risk manager) is helpful
- MiFID2/R contains significant provisions relating to systems security, resilience and access …
- … so the higher the level of detail stored on the card about the user, the more protection a firm has …
- … and the more likely that information is to contain “sensitive personal data”…
- … which means the more likely it is that the EU will want those details to be secure
- Because of the political attention on this industry, if we take steps now to play nicely and show what good EU citizens we are, who knows; the EU may just stick to beating up retail loyalty card operators in 2016.
Frankly, it’s all we need at this stage but, if you look at it another way, what we’re really talking about is a notice on the bulletin board (to inform staff that Big Brother is watching them, but it’s ok because Big Brother really cares about them) and another lugubrious HR process.