This European Standard has been prepared as part of the EU RFID Mandate M\/436. It is based on the Privacy and Data Protection Impact Assessment Framework for RFID Applications, which was developed by industry, in collaboration with the civil society, endorsed by Article 29, Data Protection Working Party, and signed by all key stakeholders, including the European Commission, in 2011.<\/p>\n
It defines aspects of that framework as normative or informative procedures to enable a common European method for undertaking an RFID PIA.<\/p>\n
It provides a standardized set of procedures for developing PIA templates, including tools compatible with the RFID PIA methodology.<\/p>\n
In addition, it identifies the conditions that require an existing PIA to be revised, amended, or replaced by a new assessment process.<\/p>\n
| PDF Pages<\/th>\n | PDF Title<\/th>\n<\/tr>\n | ||||||
|---|---|---|---|---|---|---|---|
| 4<\/td>\n | Contents Page <\/td>\n<\/tr>\n | ||||||
| 7<\/td>\n | Foreword <\/td>\n<\/tr>\n | ||||||
| 8<\/td>\n | Introduction <\/td>\n<\/tr>\n | ||||||
| 9<\/td>\n | 1 Scope 2 Normative references 3 Terms and definitions <\/td>\n<\/tr>\n | ||||||
| 13<\/td>\n | 4 Symbols and abbreviations <\/td>\n<\/tr>\n | ||||||
| 14<\/td>\n | 5 Structure of this European Standard 6 Field of reference for this European Standard 6.1 ‘RFID’ as defined by the EU RFID Recommendation <\/td>\n<\/tr>\n | ||||||
| 15<\/td>\n | Table 1 \u2014 RFID and related technology standards within the scope of this European Standard 6.2 ‘RFID application’ as defined by the EU RFID Recommendation 6.3 ‘RFID operator’ as defined by the EU RFID Recommendation <\/td>\n<\/tr>\n | ||||||
| 16<\/td>\n | 6.4 Relationship between the RFID PIA and data protection and security <\/td>\n<\/tr>\n | ||||||
| 17<\/td>\n | Figure 1 \u2014 Interrelation between RFID privacy, security, and data protection functions <\/td>\n<\/tr>\n | ||||||
| 19<\/td>\n | 6.5 Relevant inputs for the PIA process 6.5.1 General 6.5.2 The privacy capability statement 6.5.3 The Registration Authority 6.5.4 RFID PIA templates 7 RFID operator’s organizational objectives of the RFID PIA 7.1 Overview <\/td>\n<\/tr>\n | ||||||
| 20<\/td>\n | 7.2 Meeting and exceeding legal requirements <\/td>\n<\/tr>\n | ||||||
| 21<\/td>\n | 7.3 When to undertake the RFID PIA 7.3.1 General 7.3.2 Undertaking a PIA at the design stage before the RFID system becomes operational 7.3.3 Undertaking a PIA at a review and update the design-based PIA 7.3.4 Undertaking a PIA to contribute to the development of a template <\/td>\n<\/tr>\n | ||||||
| 22<\/td>\n | 7.3.5 Undertaking a PIA with an established template 7.3.6 Undertaking a PIA at the introduction of a new function within the RFID application 7.3.7 Undertaking a PIA based on changes in RFID technology 7.3.8 Undertaking a PIA when a privacy breach has been reported <\/td>\n<\/tr>\n | ||||||
| 23<\/td>\n | 8 Tools to simplify the process 8.1 RFID operator responsibility 8.2 RFID technology privacy capability tools – overview 8.3 Registration of RFID privacy capability statements by RFID product manufacturers 8.3.1 General 8.3.2 Obligations of the Registration Authority <\/td>\n<\/tr>\n | ||||||
| 24<\/td>\n | 8.3.3 Appointment 8.3.4 Resignation 8.3.5 Responsibilities of the RFID product manufacturers <\/td>\n<\/tr>\n | ||||||
| 25<\/td>\n | 8.4 RFID technology privacy capability tools – details 8.4.1 RFID integrated circuit privacy capabilities 8.4.2 RFID tag privacy capabilities 8.4.3 RFID interrogator privacy capabilities 8.4.4 The default privacy capability statement <\/td>\n<\/tr>\n | ||||||
| 26<\/td>\n | 8.4.5 Using CEN\/TR 16672 to construct privacy capabilities for products using proprietary protocols 8.5 Templates 8.5.1 General 8.5.2 Developing a template <\/td>\n<\/tr>\n | ||||||
| 27<\/td>\n | 8.5.3 Who should prepare the templates? 8.5.4 The role of stakeholders in template development <\/td>\n<\/tr>\n | ||||||
| 28<\/td>\n | 9 RFID PIA – a process approach 9.1 Introduction 9.2 Process Steps <\/td>\n<\/tr>\n | ||||||
| 29<\/td>\n | 9.3 Achieving the correct level of detail 9.3.1 General 9.3.2 Level 0 \u2013 no PIA 9.3.3 Level 1 \u2013 small scale PIA 9.3.4 Level 2 \u2013 PIA focussed on the controlled domain of the application <\/td>\n<\/tr>\n | ||||||
| 30<\/td>\n | 9.3.5 Level 3 \u2013 Full scale (complete) PIA of the application 9.3.6 Reducing the effort for the SME organization Table 2 \u2014 Official ceiling criteria for SME categories <\/td>\n<\/tr>\n | ||||||
| 31<\/td>\n | 9.4 Process methodology <\/td>\n<\/tr>\n | ||||||
| 32<\/td>\n | Table 3 \u2014 Matrix approach to determine a risk value 10 Preparing the RFID functional statement <\/td>\n<\/tr>\n | ||||||
| 33<\/td>\n | 11 Preparing the description of the RFID applications 11.1 Introduction 11.2 Multiple applications <\/td>\n<\/tr>\n | ||||||
| 34<\/td>\n | 11.3 RFID application overview 11.3.1 General 11.3.2 Determine which RFID technology is intended or being used <\/td>\n<\/tr>\n | ||||||
| 35<\/td>\n | 11.3.3 Determine the RFID components used in the application Figure 2 \u2014 RFID privacy in depth model <\/td>\n<\/tr>\n | ||||||
| 36<\/td>\n | 11.3.4 RFID applications on portable devices 11.3.4.1 General <\/td>\n<\/tr>\n | ||||||
| 37<\/td>\n | 11.3.4.2 The mobile device as a reader or as a tag emulator 11.3.4.3 Mobile devices as relay devices supporting other protocols <\/td>\n<\/tr>\n | ||||||
| 38<\/td>\n | 11.4 Data on the RFID tag 11.4.1 General 11.4.2 Determine what inherent identifiable features are possessed by the RFID tag <\/td>\n<\/tr>\n | ||||||
| 39<\/td>\n | 11.4.3 Listing the data elements encoded on the RFID tag 11.4.4 Determine whether encoded data can be considered identifiable <\/td>\n<\/tr>\n | ||||||
| 40<\/td>\n | 11.4.5 Determine whether personal data is encoded on the tag 11.5 Additional data on the application 11.6 RFID data processing <\/td>\n<\/tr>\n | ||||||
| 41<\/td>\n | 11.7 Internal transfer of RFID data 11.8 External transfer of RFID data 11.9 RFID application description sign off <\/td>\n<\/tr>\n | ||||||
| 42<\/td>\n | 12 Risk Assessment 12.1 Procedural requirements derived from the RFID Recommendation 12.1.1 Common procedure requirements for all RFID operators <\/td>\n<\/tr>\n | ||||||
| 43<\/td>\n | 12.1.2 Requirements for retailers that are RFID operators <\/td>\n<\/tr>\n | ||||||
| 44<\/td>\n | 12.1.3 Procedure requirements for manufacturers of products eventually sold to consumers 12.2 Asset identification and valuation 12.2.1 General <\/td>\n<\/tr>\n | ||||||
| 45<\/td>\n | 12.2.2 Identification of assets Figure 3 \u2014 Flowchart for identifying personal privacy assets <\/td>\n<\/tr>\n | ||||||
| 46<\/td>\n | 12.2.3 Valuing assets 12.2.3.1 General Figure 4 \u2014 Flowchart for valuing personal privacy assets 12.2.3.2 Valuing personal privacy assets using a data type value <\/td>\n<\/tr>\n | ||||||
| 47<\/td>\n | Table 4 \u2014 Example of asset valuation <\/td>\n<\/tr>\n | ||||||
| 48<\/td>\n | 12.2.3.3 The process for the SME organization Table 5 \u2014 Guideline on the number of data types to consider 12.2.3.4 Valuing personal privacy assets in terms of potential business impact <\/td>\n<\/tr>\n | ||||||
| 49<\/td>\n | 12.3 Threat identification and evaluation 12.3.1 General <\/td>\n<\/tr>\n | ||||||
| 50<\/td>\n | 12.3.2 Identification and classification of threats Figure 5 \u2014 Flowchart for identifying RFID threats <\/td>\n<\/tr>\n | ||||||
| 51<\/td>\n | 12.3.3 Evaluating threats <\/td>\n<\/tr>\n | ||||||
| 52<\/td>\n | 12.3.4 The process for the SME organization Table 6 \u2014 Guideline on the number of RFID threats to consider 12.4 Identifying vulnerabilities and enumerating the associated risk levels 12.4.1 Basic procedure <\/td>\n<\/tr>\n | ||||||
| 53<\/td>\n | 12.4.2 Procedure to account for exposure time 12.5 Initial risk level <\/td>\n<\/tr>\n | ||||||
| 54<\/td>\n | Table 7 \u2014 Possible initial risks levels for asset value = 2 Table 8 \u2014 Possible initial risks levels for asset value = 2, threat level = medium Table 9 \u2014 Possible initial risks levels for asset value = 2, threat level = medium, vulnerability level = high <\/td>\n<\/tr>\n | ||||||
| 55<\/td>\n | 12.6 Countermeasures 12.6.1 General 12.6.2 Identifying countermeasures 12.6.2.1 General Figure 6 \u2014 Flowchart for identifying countermeasures <\/td>\n<\/tr>\n | ||||||
| 56<\/td>\n | 12.6.2.2 Countermeasures from the privacy capability statements 12.6.2.3 Countermeasures in CEN\/TR 16672 <\/td>\n<\/tr>\n | ||||||
| 57<\/td>\n | 12.6.2.4 Other countermeasures 12.6.3 Reassessing risk levels 12.7 Residual risks <\/td>\n<\/tr>\n | ||||||
| 58<\/td>\n | 12.8 RFID PIA endorsement 13 Worked example of the risk assessment process 14 The PIA summary report 14.1 PIA report date 14.2 RFID application operator 14.3 RFID application overview 14.4 Data on the RFID tag <\/td>\n<\/tr>\n | ||||||
| 59<\/td>\n | 14.5 RFID Privacy Impact Assessment score 14.6 RFID countermeasures 15 Revision control <\/td>\n<\/tr>\n | ||||||
| 60<\/td>\n | 16 Monitoring and incident response <\/td>\n<\/tr>\n | ||||||
| 61<\/td>\n | Annex A (normative) Details of Registration Authority <\/td>\n<\/tr>\n | ||||||
| 62<\/td>\n | Annex B (informative) RFID manufacturer’s product privacy capability statements B.1 RFID integrated circuit (chip) privacy features Table B.1 \u2014 Product details for the RFID integrated circuit (chip) <\/td>\n<\/tr>\n | ||||||
| 63<\/td>\n | Table B.2 \u2014 Privacy capability features supported by the RFID integrated circuit (chip) <\/td>\n<\/tr>\n | ||||||
| 64<\/td>\n | Table B.3 \u2014 Product details for the RFID tag Table B.4 \u2014 Privacy capability features supported by the RFID tag B.2 RFID interrogator privacy features <\/td>\n<\/tr>\n | ||||||
| 65<\/td>\n | Table B.5 \u2014 Product details for the RFID interrogator <\/td>\n<\/tr>\n | ||||||
| 66<\/td>\n | Table B.6 \u2014 Privacy capability features supported by the RFID interrogator <\/td>\n<\/tr>\n | ||||||
| 67<\/td>\n | Annex C (informative) RFID Privacy Impact Assessment flowchart Figure C.1 (continued) <\/td>\n<\/tr>\n | ||||||
| 68<\/td>\n | Figure C.1 (end) <\/td>\n<\/tr>\n | ||||||
| 69<\/td>\n | Annex D (informative) Template development <\/td>\n<\/tr>\n | ||||||
| 70<\/td>\n | Annex E (informative) Flowchart to determine the RFID PIA level Figure E.1 <\/td>\n<\/tr>\n | ||||||
| 71<\/td>\n | Annex F (informative) RFID functional statement <\/td>\n<\/tr>\n | ||||||
| 72<\/td>\n | Annex G (normative) RFID application description <\/td>\n<\/tr>\n | ||||||
| 73<\/td>\n | Annex H (informative) Identification and valuation of personal privacy assets H.1 Individually held personal privacy asset <\/td>\n<\/tr>\n | ||||||
| 74<\/td>\n | Table H.1 \u2014 Assets that can directly identify the individual <\/td>\n<\/tr>\n | ||||||
| 75<\/td>\n | Table H.2 \u2014 Assets that when held can identify the individual <\/td>\n<\/tr>\n | ||||||
| 76<\/td>\n | Table H.3 \u2014 Data types and guideline asset value <\/td>\n<\/tr>\n | ||||||
| 78<\/td>\n | H.2 Assets that apply to the organization Table H.4 \u2014 Organizational assets impacted by the loss of personal data <\/td>\n<\/tr>\n | ||||||
| 79<\/td>\n | Annex I (informative) RFID threats I.1 Threats associated with the data encoded on the RFID tag and the RFID tag (or RF card) itself I.1.1 General Table I.1 \u2014 Threats associated with RFID tags and their data I.1.2 Side Channel Attack <\/td>\n<\/tr>\n | ||||||
| 80<\/td>\n | I.1.3 Physical data modification I.1.4 Cloning I.1.5 Spoofing I.1.6 Physical tag switching I.1.7 RF tag switching I.1.8 Tag reprogramming <\/td>\n<\/tr>\n | ||||||
| 81<\/td>\n | I.1.9 Tag Removal I.1.10 Tag destruction I.1.11 Disabling the tag by command abuse I.1.12 Exhaustion of Protocol Resources I.1.13 De-synchronization Attack <\/td>\n<\/tr>\n | ||||||
| 82<\/td>\n | I.2 Threats associated with the air interface or the device interface communication I.2.1 General <\/td>\n<\/tr>\n | ||||||
| 83<\/td>\n | Table I.2 \u2014 Threats associated with the RFID air interface or the device interface I.2.2 Unauthorized Tag Reading I.2.3 Tracking <\/td>\n<\/tr>\n | ||||||
| 84<\/td>\n | I.2.4 Data linking I.2.5 Behavioural Profiling I.2.6 Hotlisting I.2.7 Eavesdropping or traffic analysis I.2.8 Power analysis I.2.9 Crypto Attacks <\/td>\n<\/tr>\n | ||||||
| 85<\/td>\n | I.2.10 Reverse Engineering I.2.11 Relay, or man-in-the-middle attack I.2.12 Replay Attack I.2.13 Message (Re)construction I.2.14 Data Modification in the air interface transmission <\/td>\n<\/tr>\n | ||||||
| 86<\/td>\n | I.2.15 Data Insertion in the air interface transmission I.2.16 Noise I.2.17 Jamming I.2.18 Malicious Blocker Tags I.2.19 Effects of Radio Degradation I.2.20 Shielding of Tags <\/td>\n<\/tr>\n | ||||||
| 87<\/td>\n | I.3 Threats associated with the interrogator (or reader) I.3.1 General Table I.3 \u2014 Threats associated with the RFID interrogator I.3.2 Side Channel Attack I.3.3 Exhaustion of Protocol Resources I.3.4 De-synchronization Attack I.4 Threats associated with the host application I.4.1 General <\/td>\n<\/tr>\n | ||||||
| 88<\/td>\n | Table I.4 \u2014 Threats associated with the host, application and stored data I.4.2 Privacy and Data Protection Violations I.4.3 Compromising of security keys I.4.4 Buffer overflow attack I.4.5 Injecting Malicious Code <\/td>\n<\/tr>\n | ||||||
| 89<\/td>\n | I.4.6 Partial denial of service I.4.7 Complete denial of service <\/td>\n<\/tr>\n | ||||||
| 90<\/td>\n | Annex J (informative) Countermeasures J.1 List of countermeasures <\/td>\n<\/tr>\n | ||||||
| 91<\/td>\n | Table J.1 \u2014 List of countermeasures <\/td>\n<\/tr>\n | ||||||
| 92<\/td>\n | J.2 Threat and countermeasure mappings <\/td>\n<\/tr>\n | ||||||
| 93<\/td>\n | Table J.2 \u2014 Threats and countermeasures associated with RFID tags and their data <\/td>\n<\/tr>\n | ||||||
| 94<\/td>\n | Table J.3 \u2014 Threats and countermeasures associated with the air interface <\/td>\n<\/tr>\n | ||||||
| 95<\/td>\n | Table J.4 \u2014 Threats and countermeasures associated with the RFID interrogator Table J.5 \u2014 Threats and countermeasures associated with the host, application and stored data <\/td>\n<\/tr>\n | ||||||
| 96<\/td>\n | Annex K (informative) PIA risk assessment example K.1 Introduction K.2 Ranking the assets Table K.1 \u2014 Asset valuation, ranked by asset value <\/td>\n<\/tr>\n | ||||||
| 97<\/td>\n | K.3 Considering threats at the tag layer and air interface layer <\/td>\n<\/tr>\n | ||||||
| 98<\/td>\n | K.4 Considering threats at the interrogator layer <\/td>\n<\/tr>\n | ||||||
| 99<\/td>\n | K.5 Considering threats at the device interface layer K.6 Considering threats at the application layer <\/td>\n<\/tr>\n | ||||||
| 100<\/td>\n | K.7 Considering vulnerabilities Table K.2 \u2014 Impact of threats and vulnerabilities on asset values K.8 Risk scores after considering all the threats and vulnerabilities <\/td>\n<\/tr>\n | ||||||
| 101<\/td>\n | Table K.3 \u2014 Impact of threats and vulnerabilities on the risks of specific data types K.9 Applying countermeasures K.10 Overall risk <\/td>\n<\/tr>\n | ||||||
| 103<\/td>\n | Annex L (informative) RFID Privacy Impact Assessment summary <\/td>\n<\/tr>\n | ||||||
| 104<\/td>\n | Bibliography <\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":" Information technology. RFID privacy impact assessment process<\/b><\/p>\n |