[LINK] Airport to tag passengers

Jan Whitaker jwhit at melbpc.org.au
Tue Oct 17 09:08:25 AEST 2006 

At 12:01 AM 17/10/2006, Geoffrey Ramadan wrote:
>Apologies, I should have quoted the first rule verbatim:
>"RFID tags should only be linked to personal 
>information or used to profile customers if 
>there is no other way of achieving the goal sought;"
>http://www.privacy.gov.au/news/media/03_17.html

whose goal? And does the person (not customer, 
this is about More than customers now) have the 
opportunity to define or influence that goal in 
any way, particularly when the imposer of the 
goal, the final decider, is a monopoly - either a govt or a business ?

I think it's important to read this full media 
release for context. It was issued in 2003 under 
a different Privacy Commissioner. In fact, as of 
now, the three hosting commissioners at the time are no longer in those roles.


Media Release: World's Privacy Regulators call for privacy friendly RFID tags

9/12/03

"Radio-frequency identification (RFID) tags have 
great potential. They can help companies greatly 
improve the way they manage the supply of their 
products and so save consumers a lot of money. 
But they also have equal potential to invade 
personal privacy if deployed wrongly." The 
Australian Privacy Commissioner, Malcolm 
Crompton, made these remarks when he released the 
last of five resolutions adopted by the world's 
data protection and privacy commissioners after their 2003 conference.

The resolution calls for all the basic principles 
of privacy law to be adopted when designing, 
implementing and using RFID technology.
[note the word ALL, not just the four below as 
Geoff presented - that means all aspects of the 
NPPs - and fyi, the retail code is doing that in 
its draft code which should be out for public 
review very soon now and I'll send the info to Link for comment]

In summary, the resolution says that:
    * RFID tags should only be linked to personal 
information or used to profile customers if there 
is no other way of achieving the goal sought;  [repeating: whose goal?]
    * individuals should be fully informed if 
personal information is collected using RFID 
tags; [informed is good, but refusal to 
participate is more important - choice, remember? John Howard's mantra.]
    * personal information collected using RFID 
tags should only be used for the specific purpose 
for which it is first collected and destroyed 
after that purpose is achieved, and; [again, the 
person who is subject to this collection must be 
provided input to determining the purpose or a 
choice to not participate based on personal 
circumstances that the data collector may not 
have any knowledge about for the safety and 
well-being of the individual or their family as 
determined by that individual, NOT the data collector]
    * individuals should be able to delete 
information, or disable or destroy any RFID tag 
that they have in their possession. [deletion is 
not being afforded as far as I've heard, and 
Geoff's comment about destruction or removal may 
not be possible if the chip is integrated in the 
internal design of the object. Cartons are OK and 
easy, but removing something that is inherent to 
the device - say some medical device inside the 
body - may not be possible and yet the person 
should have the right to turn these off - in the 
future as well as at time of acquisition.
[Here is the official language as the above is a 
restatement in the media release:

The Conference highlights the need to consider 
data protection principles if RFID tags linked to 
personal information are to be introduced.  All 
the basic principles of data protection and 
privacy law have to be observed when designing, 
implementing and using RFID technology.  In particular
a) any controller – before introducing RFID tags 
linked to personal information or leading to 
customer profiles – should first consider 
alternatives which achieve the same goal without 
collecting personal information or profiling customers;
b) if the controller can show that personal data 
are indispensable, they must be collected in an open and transparent way ;
c) personal data may only be used for the 
specific purpose for which they were first 
collected and only retained for as long as is 
necessary to achieve (or carry out) this purpose, and
d) whenever RFID tags are in the possession of 
individuals, they should have the possibility to 
delete data and to disable or destroy the tags.
]

[key phrases:
consider alternatives to achieve the same goal 
WITHOUT collecting personal info or profiling
collect personal info in open and transparent way 
- has nothing to do with the rfid part of the method]

[return to press release]
"Designers and users of RFID tags risk alienating 
customers if they do not take these privacy 
principles seriously. If they ignore them, 
implementation of RFID tags could be stopped in 
its tracks. Both business and consumers would be the losers," said Mr Crompton.
[see even Malcolm pointed out that the public may 
not stand for this if it's not done right and 
will turn the whole exercise into a commercial fiasco]

The first four resolutions were adopted in Sydney 
during the 2003 International Conference of Data 
Protection and Privacy Commissioners which was 
hosted by the Federal, NSW and Victorian Privacy 
Commissioners. The fifth resolution was recently 
adopted as a result of follow up work by 
Commissioners. [The fifth resolutions is about 
RFID and includes these principles. The points 
above are NOT resolutions, they are summary statements within the ]

The other resolutions [not RFID specific] adopted by the Conference include:
    * 
<http://www.privacyconference2003.org/resolutions/RESOLUTION_ON_PRIVACY_INFOR.DOC>a 
call for improved communication of data 
protection and privacy information practices;
    * 
<http://www.privacyconference2003.org/resolutions/RESOLUTION_CONCERNING_THE_T.DOC>a 
call for the transfer of passenger's data 
internationally to be undertaken within a 
recognised data protection framework;
    * 
<http://www.privacyconference2003.org/resolutions/RESOLUTION_NEW_ZEALAND.DOC>a 
call to international organisations to observe 
and recognise privacy principles ; and
    * 
<http://www.privacyconference2003.org/resolutions/RESOLUTION_GERMANY__AMENDED.DOC>a 
call to software companies to ensure processes 
for automatic software updates are transparent 
and that alternative update options are available.
All resolutions are published on the conference 
website, 
<http://www.privacyconference2003.org/commissioners.asp>www.privacyconference2003.org/commissioners.asp. 


<http://www.privacy.gov.au/news/media/03_17_print.html>Return


Apologies if the mix up above is too stream of 
consciousness. But I thought the original info 
and dating was important to point out.

Jan

Jan Whitaker
JLWhitaker Associates, Melbourne Victoria
jwhit at janwhitaker.com
business: http://www.janwhitaker.com
personal: http://www.janwhitaker.com/personal/
commentary: http://janwhitaker.com/jansblog/

'Seed planting is often the most important step. 
Without the seed, there is no plant.' - JW, April 2005
_ __________________ _

More information about the Link mailing list