The benefits of smart card technology to business and to employees are hard to dispute. But privacy advocates worry that this highly sophisticated technology could jeopardize the security of personal data.
They also fear that chips used in the access control cards in your pocket could enable the cardholder to be tracked without their knowledge and against their will.
These concerns are grounded in misconceptions over just how technologies based on RFID (radio frequency identification) actually operate. In fact, contactless access control technologies operate at RFID frequencies which cannot be read from a distance. And most of these applications do not store or use any personal data, with the cardholder’s privacy protected by using a unique identifier instead of personally identifiable information (PII). From a privacy perspective, user control is of paramount importance. Contactless access control technologies support user control by allowing users to allow their credentials to be read only when the user presents the credential to a reader for physical or logical access.
In May 2009, the EC introduced a framework to establish best practices for privacy and data protection in RFID implementations. The new guidelines have been well received by consumer groups and manufacturers as an important step towards improving transparency and guaranteeing data security and privacy for the individual. But they have direct implications for all companies that use contactless smart cards in secure access control applications.
Access control databases often contain personal data - even though the smart cards themselves do not - so solution providers and users need to bear this in mind when installing and updating systems. The privacy impact assessment (PIA) has been highlighted by the EU recommendations as a practical way to understand how personal data is used in an access control system. The PIA looks at who has access to the data, what data will be collected, how long the data will be held for, and how that data will be used within the organisation. It also incorporates measures to prevent unauthorized access and it is backed up by a clear audit trail and action plan in the event of a breach.
At the present time, the EU recommendations are voluntary standards. But if companies fail to show they are taking them seriously by May 2012, the EC could make these privacy controls law. By addressing privacy and undertaking pre-emptive risk mitigation now, companies can move to allay any concerns and demonstrate to their employees, shareholders and customers that they are tackling data security and privacy issues head on. Indeed, those companies with the foresight to become early adopters of the EU recommendations will find themselves first in line to understand the technologies that can resolve them and ahead of the game when it comes to anticipating critical business issues.