Convergent Software works closely with RFID-related standards and develops data encoding and privacy compliance software to support and encourage the correct use of RFID.

EN 16571 Privacy Capability Statements

EN 16571: 2014 Information technology - RFID privacy impact assessment process defines the need for RFID vendors to provide privacy capability statements of their products. These are quite simply RFID product features described from a privacy perspective. They enable RFID operators to undertake their privacy impact assessments with accurate information.

Why is this important? For many years the European Commission (EC) has been concerned about RFID privacy while at the same time promoting the take-up of the technology. At the major technology show, CeBIT 2006, European Commissioner Viviane Reding announced the launch of a Europe-wide public consultation on RFID. The following year the EC established an RFID Expert Group with members from end-user communities, privacy organisations, users from different application sectors, RFID system providers and standardisation bodies. This resulted in an EC mandate to the European Standards Organisations to carry out research and develop appropriate standards. EN 16571 was one of the standards.

In parallel with all of this work, steps were being taken to revise the Data Protection Directive of 1995 and replace it with a more robust 21st century approach to privacy and data protection for EU citizens. This resulted in the publication of the General Data Protection Regulation, which has to be implemented in all EU Member States by 25 May 2018. While the GDPR officially applies in total only to the European Union, lawyers and privacy experts claim that 90% is relevant on a universal basis.

As RFID technology is common globally, the privacy impact assessment specified in EN 16571 and the requirement for privacy capability statements are relevant beyond Europe.

Each RFID product should have its specific privacy capability statement (PCS) form to address the privacy capabilities of the RFID integrated circuit (the chip), or the tag, or the interrogator (tag reader). The RFID operator needs this to better assess what countermeasures are present in the product to reduce the privacy risks of the application. This can be done by using the information in the PCS forms for the RFID products that constitute the hardware components of an RFID system. Some of the privacy capabilities are fixed in a product, others comply with a particular edition of a protocol standard but need to be invoked as part of the application, while others have been added by the product manufacturer as proprietary enhancements for use in applications.

Many of the privacy capability features on the form are linked to the command codes specified in the RFID standards. The table below shows details for two of the most common protocols:

ISO/IEC 18000-3 Mode 1 (also known as ISO/IEC 15693)

| Feature | Protocol Command Code | Product |
|---|---|---|
| Write Lock Block | 0x22 | RFID chip & RFID reader |
| Verification using the unique chip ID (UID), using the inventory command | 0x01 | RFID chip & RFID reader |
| Verification using a password | proprietary | RFID chip & RFID reader |
| Read protect | proprietary | RFID chip & RFID reader |
| Privacy / silent mode | proprietary | RFID chip & RFID reader |

ISO/IEC 18000-63 (also known as GS1 EPC Class1 Gen2)

| Feature | Protocol Command Code | Product |
|---|---|---|
| Kill | 0x0C | RFID chip & RFID reader |
| Verification using a password | 0xC6 | RFID chip & RFID reader |
| Verification using the unique Tag ID | 0xC2 | RFID chip & RFID reader |
| Read protect | proprietary | RFID chip & some RFID readers |
| Destruction mechanism of the antenna using some product feature | reasonably common | RFID tag |

Not only is the PCS vital to the RFID operator in undertaking the privacy impact assessment, it can also be useful to the systems integrator in designing an RFID application. A systems integrator that really wants to improve the privacy of RFID applications can also create the PCS forms from data sheets and submit them for general use.

To address the potential hundreds of PCS forms, EN 16571 required a Registration Authority to be established. This is CNRFID, the French National RFID Center, whose experts were deeply involved with the development of the standard. To make it as easy as possible for a vendor to complete a PCS form for a product, blank forms can be downloaded and many features just completed with a simple . It could not be easier for someone with product knowledge.

The EN 16571 Registration Authority publishes the PCS forms for any RFID operator or systems integrator to freely download.

This is why the GDPR is relevant for RFID applications.

We offer software to assist with completion of RFID privacy impact assessment, in line with EN 16571. If you just want to learn more, we provide a free support service.
