Ignore EC data privacy and security guidelines at your peril

Kathleen Carroll: Any use of data captured for employee monitoring should be based on legitimate business justification

In 2009, the EC introduced a privacy framework aimed specifically at applications that use RFID (radio frequency identification) technology.

With the privacy of personal information a primary concern in today’s digital world, RFID technology has nonetheless emerged as an indispensable tool, as organisations recognise its potential to make their businesses more efficient and their employees’ lives safer through measures such as contactless smartcards.

The EC’s recommendations have been designed to establish best practices for privacy and data protection in RFID implementations.

Made after extensive consultation with key stakeholder groups, the recommendations have helped open up a public debate on the issue of data privacy and security – a debate that has been welcomed by those involved in the industry.

The new guidelines have been well received by consumer groups and manufacturers as an important step on the road to improving transparency and guaranteeing data security and privacy for the individual.

The privacy impact assessment (PIA) has been highlighted by the EC recommendations as a practical way to understand how personal data is used in an access control system.

The PIA looks at who has access to the data, what data will be collected, how long the data will be held for, and how that data will be used within the organisation. It is also designed to ensure that well-defined measures are in place to prevent unauthorised access, backed up by a clear audit trail and action plan in the event of any breach.

But the PIA is only the first step in protecting privacy. Employers should inform employees of the company’s policy on data security and privacy. Such policies should be written in clear language so that employees understand why their data is collected and what it is being used for. Employees should also be able to raise concerns if they feel their data is at risk within their workplace.

Lastly, any use of data captured for employee monitoring should be based on legitimate business justification and consented to in writing by the employee.

At the present time, the EC recommendations are voluntary consensus-based standards. But if companies fail to demonstrate that they are taking them seriously by May 2012, the EC could opt to pass legislation to make these privacy controls law.

This alternative, driven by privacy considerations, will severely hamper the technology’s growth by imposing onerous regulations and increase the cost of deploying RFID solutions.

The issue of data privacy and security is gaining an ever-higher profile as organisations around the world make ever-greater use of technology to streamline their business processes and make their employees’ working lives safer and more convenient.

Companies that fail to address security and privacy issues could be laying themselves open to a whole range of business, legal and reputational risks.

By proactively addressing privacy and undertaking pre-emptive risk mitigation, companies can move to allay any concerns and demonstrate to their employees, shareholders and customers that they are tackling data security and privacy issues head on.

Indeed, those companies with the foresight to become early adopters of the EC recommendations will find themselves ahead of the game when it comes to anticipating critical business issues, and first in line to understand the technologies that can resolve them.

Kathleen Carroll is director of government relations at HID Global, which provides identity solutions to OEMs, system integrators and application developers.