PL&B UK E-news, Issue 70

1. Initial privacy guidelines for RFID use

The EU is currently consulting on how to ensure security and privacy when using Radio Frequency Identification (RFID). While the intention of the European Commission is not to legislate in this field, it has drafted a recommendation that it hopes will help organisations to implement RFID technologies in a privacy friendly manner.

The Commission recommends that Privacy Impact Assessments are carried out before any applications are implemented. Trade or professional associations should come up with Codes of Conduct on RFID use, and seek endorsement by the DP authority of their country. Consumers should be informed about the presence of a RFID tag in a retail product, and about the likely reasonable privacy risks relating to the tag. If the RFID tag carries personal data, consumers must be given the right to have the tag deactivated at the point of purchase – an issue that is likely to cause concern for retailers.

The recommendation is likely to be adopted before summer 2008, and will be reviewed in three years time.

The consultation on ‘Draft Recommendation on the implementation of privacy, data protection and information security principles in applications supported by Radio Frequency Identification (RFID): your opinion matters!’ will finish on 25th April 2008.

Read more about this Draft Recommendation and privacy aspects when using RFID in the April issue of the PL&B UK Newsletter.

2. FOI appeal case to shed light on ‘personal data’ concept

A Scottish FOI case, which has been appealed to the House of Lords, may have implications on the ‘personal data’ concept. The case, which is scheduled for 1st and 2nd April 2008, concerns a FOI request for the release of childhood leukaemia statistics.

The Scottish Information Commissioner upheld an appeal in August 2005 against the Common Services Agency for the Scottish Health Service (CSA) over its decision to withhold childhood leukemia statistics for Dumfries and Galloway. The Commissioner found that whilst the CSA was entitled to ensure that personal health information was protected from public disclosure, nevertheless it was wrong not to provide any information.

In December 2006, the Court of Session upheld the Commissioner’s view that whilst raw data should not be released, the information could be provided in a form which would not risk patient identification.

Moreover, the Court supported the Commissioner in his view that the statistics on patients’ age range (0-14), census ward and year of diagnosis related to census wards and not to individuals. The information had minimised the risk of identification of any individual child. It was no longer "biographical in a significant sense", especially as the focus had moved away from the individual children to the incidence of disease in particular wards in particular years. The information was therefore not personal data.

The Commissioner’s decision can be seen here

See the Court of Session Decision.

3. Solicitors prosecuted for failure to notify

The ICO prosecuted, on 20 February, two London solicitors for not notifying under the DP Act. The solicitors, Grier Olubi of Adejobi Solicitors and Robert Bentley of Bentley's Solicitors, were each fined £300 and ordered to pay costs of £500 plus a victims’ surcharge of £15 (added on top of every fine handed out in court for a criminal offence, and paid into a fund to help improve services for victims of crime).

For further details on the Privacy Laws & Business UK Newsletter, please click here.

Copyright Privacy Laws & Business 2008