EU issues Directive on RFID Privacy
On July 31st the European Union finally published directive M436 on Radio Frequency Identification (RFID). M436 has been in process for so long that many RFID users may have forgotten all about it some time ago. A few may never even have heard of it.
M436 attempts to deal with concerns over the privacy issues that have surrounded this technology since it first appeared – in libraries over 20 years ago. The directive is “application agnostic” – meaning that the rules apply to RFID users regardless of how they are using the technology. Libraries are one of the key areas of activity already identified by the EU and they will certainly feel the effects of mandate M436 over the next few months/years.There are two main elements to the directive as I outlined in my “quick guide” for librarians back in 2013. The first, and simplest, is signage. Locations where RFID is being used will be required to display a sign advising users of this fact.
The second, and slightly more demanding requirement is to carry out a Privacy Impact Assessment in order to produce a Privacy Impact Statement that should also be made available to anyone wishing to understand the implications of the use of RFID in an establishment. In a library this might be displayed alongside the sign – or advice be displayed indicating where the statement can be found – on a website for example.
The mandate is issued to European standards bodies to create standards for ensuring the privacy of individuals using RFID solutions. As such it has no legal force as such, but may grow teeth if either the UK Information Commissioner’s Office (ICO) or the European Union itself decides this issue requires formal legislation. Certainly the display of signs and the creation of a Privacy Impact Statement should now be regarded as “best practice” for librarians.
Book Industry Communication (BIC) established a Privacy Group (which I chaired) in 2013 to maintain a watching brief on the progress of M436 and to liaise with the ICO in order to ascertain that body’s attitude to possible legislation. This group will now be reconvened in the near future to initiate its education programme for librarians wishing to know more – or to comply with the directive. Invitations have been issued to both the Society of College, National and University Libraries (SCONUL) and the Society of Chief Librarians (SCL) to participate in this process.