Privacy of personal information is a primary concern in today’s digital world, but virtually everyone wants the cost, convenience, and security benefits of using digital technology. For many of us, technology based on RFID (radio frequency identification) has become an indispensable part of everyday life.
Contactless smart card technology, which is based on an RFID-enabled chip, is just one application that is making a notable impact on the business world. A growing number of organisations are recognising its potential to make their businesses more efficient and their employees’ lives safer and more convenient. In these increasingly budget-conscious times, the ability of smart card technology to drive operational efficiencies and cost savings is understandably finding favour with many companies.
Companies at the cutting edge of secure corporate ID cards have embraced a two-factor authentication approach to managing and protecting assets. The user has to provide a hardware token in addition to a secret (such as a PIN code), strengthening the overall security of a desktop log-on. Even better, the very same token (contactless smart card) can be used to control physical access to the company’s premises, making this kind of solution one of the most effective ways to provide workplace security. Three-factor authentication goes a step further, using a PIN and an extra security measure such as a biometric scan.
The benefits to business and to employees are hard to dispute. But privacy advocates worry that this highly sophisticated technology also has the potential to jeopardise the security of personal data. They also fear that chips used in access control cards in your pocket could enable the cardholder to be tracked without their knowledge and against their will.
These concerns are largely grounded on misconceptions over just how RFID-based technologies actually operate. In actual fact, the contactless access control technologies used in these cards operate at RFID frequencies which cannot be read from a distance. What’s more, most of these applications do not store or use any personal data. Users’ privacy is protected by utilising a unique identifier instead of personally identifiable information (PII) thus minimizing any risk to personal data. Most importantly, users control when their credentials (transponders) are read by choosing when to present them directly in front of a reader for physical or logical access.
Whether these concerns are legitimate or not, addressing privacy is paramount. Though cultural perceptions of privacy vary widely between regions and even between neighbouring countries, adhering to basic privacy principles offers a good place to start. Principles such as notice, choice, consent and data collection minimization, are at the heart of most privacy frameworks.
In May 2009, the EC introduced a privacy framework specifically for applications that use RFID technology. The EC’s recommendations are designed to establish best-practices for privacy and data protection in RFID implementations. Made after extensive consultation with key stakeholder groups, the recommendations have helped open up a public debate on the issue of data privacy and security – a debate that has been welcomed by all those involved in the industry.
The new guidelines have been well received by consumer groups and manufacturers as an important step on the road to improving transparency and guaranteeing data security and privacy for the individual. But there are wide-reaching implications for all players involved in the industry, and direct implications for all companies that use contactless smart cards in secure access control applications. Given that access control databases often contain personal data that needs to be protected – even though the smart cards themselves do not – solution providers and users need to think about these implications when installing and updating systems.
The privacy impact assessment (PIA) has been highlighted by the EU recommendations as a practical way to understand how personal data is used in an access control system. Industry insiders believe that best practice dictates that a PIA should always be carried out when personal data is implicated. However, there are many RFID applications where no personal data is, or ever will be used. In these cases, conducting a PIA would not serve a useful purpose and would create a flurry of unnecessary paperwork.
The PIA looks at who has access to the data, what data will be collected, how long the data will be held for, and how that data will be used within the organisation. It is also designed to ensure that well-defined measures are in place to prevent unauthorised access, backed up by a clear audit trail and action plan in the event of any breach.
But the PIA is only the first step in protecting privacy. Employers should inform employees of the company’s policy on data security and privacy. Such policies should be written in clear language so that employees understand why their data is collected and what it is being used for. Employees should also be able to raise concerns if they feel their data is at risk within their workplace. Lastly, any use of data captured for employee monitoring should be based on legitimate business justification and consented to in writing by the employee.
At the present time, the EU recommendations are voluntary consensus-based standards. But if companies fail to demonstrate that they are taking them seriously by May 2012, the EC could opt to pass legislation to make these privacy controls law. The issue of data privacy and security is gaining an ever-higher profile as organisations around the world make ever-greater use of technology to streamline their business processes and make their employees’ working lives safer and more convenient. What’s more, companies that fail to address security and privacy issues could be laying themselves open to a whole range of business, legal and reputational risks.
Portable and secure, smart cards are fast becoming a valuable tool for safeguarding physical security and guaranteeing the privacy of sensitive electronic information. As smart card technology continues to evolve and develop, so too must the practices and processes which govern it. By proactively addressing privacy and undertaking pre-emptive risk mitigation, companies can move to allay any concerns and demonstrate to their employees, shareholders and customers that they are tackling data security and privacy issues head on.
Indeed, those companies with the foresight to become early adopters of the EU recommendations will find themselves ahead of the game when it comes to anticipating critical business issues, and first in line to understand the technologies that can resolve them.