Getting Under Your Skin -- Literally:

RFID in the Employment Context

Marisa Anne Pagnattaro*

(WORK IN PROGRESS – LAST UPDATED 03/24/08)

I.  Introduction

Consider this: nearly 12.4 million people in Shenzhen, China, will have residency cards fitted with computer chips containing their name, address, work history, educational background, religion, ethnicity, police record, medical insurance status, and reproductive history.[1] The Chinese government also has ordered all large cities to issue such high-tech residency cards to approximately 150 million people who now live in a city but have not yet acquired permanent residency.[2] What are these computer chips? They are radio frequency identification (“RFID”) chips, an automated data-capture technology system that can be used to identify, track and store information.[3]

            These tiny computer chips use electromagnetic energy in the form of radio waves to communicate information.[4] The technology provides identification and tracking capabilities by using wireless communication to transmit data.[5]  A number of federal agencies and a range of business and public sectors (e.g. health care, retail, transport, and pharmaceutical) are already using RFID systems for a variety of purposes, including logistics support, tracking shipments, electronic screening, preventing counterfeit drugs, security, and identification.[6] As RFID helps improve productivity, efficiency, and accuracy, many companies are considering a variety of ways to use this technology.

            RFID chips can also be used to track employees.[7] They can be implanted under an employee’s skin, worn in an employee’s clothing, or attached to an identification badge.[8] The most widespread workplace use of RFID technology is chip-embedded staff ID badges, which are primarily used for controlled access to an employer’s premises.[9] Even this use, however, can be controversial if the data collected is used to discipline employees, as opposed to merely controlling door locks.[10] The potential number of workplace uses—not to mention off-site uses—is limited only by an employer’s lack of imagination. Once the RFID is in an employee’s badge or embedded under her skin, the employer can collect data regarding the employee’s location and movement by using strategically placed readers.[11] This data then can be entered into a database to learn more about the employee’s whereabouts.[12]

            This article explores the legal ramifications of the use of RFID by employers to track employees. Part II presents a brief history of RFID, including novel and interesting uses. This section also discusses security and safety concerns regarding the use of this technology.[13] Part III analyzes current and proposed law in the United States regulating RFID. Part IV details legal regulations in the international context, including Canada, the European Union, and Australia. Lastly, Part V proposes recommendations about the use and legal regulation of RFID in the workplace.

 

II. A Brief History of RFID and Ensuing Concerns

 

RFID technology is based on a fairly simple system. There are three major components of an RFID device: 1) a tiny silicon computer chip or “integrated circuit” containing a unique identification number, 2) an antenna which is hooked to the chip, and 3) a reader, or scanning device.[14] The chip can be encrypted with a “unique product code that identifies the individual” object, product, or person “to which it is attached,” and the “antenna is responsible for transmitting information from the chip to the reader via radio waves.”[15] The reader, or scanning device, has its own antenna, which is used to communicate with the tag. The reader sends the information to a database, or back-end logistics system, which stores information gathered from RFID tags.[16] RFID tags may be either passive or active.[17] A passive tag does not contain its own power source, such as a battery, and it cannot initiate communication with a reader.[18] Active tags, which “contain a power source and a transmitter,” send a continuous signal.[19] This technology has been used since World War II, where it was used in aircraft Identification Friend or Foe (“IFF”) systems.[20] During the 1970s, RFID technology began to be used in a limited way for inventory control.[21]

A. Novel and Interesting Uses

            Tremendous growth in the use of this technology occurred in the 1990s, due to the ability of companies to use RFID systems to efficiently collect, manage, distribute, and store information on inventory.[22] At this time, RFID technology enjoys a wide range of uses, [23] such as tracking gourmet dinners at Marks & Spencer in London, tagging more than fifty million pets worldwide, guarding paintings at a museum in Rotterdam, screening Oscar goers, and tracking supplies in Iraq by the U.S. military.[24] Wal-Mart is making extensive use of RFID inventory tracking, yet it may not be resulting in anticipated cost savings to justify the use.[25] In 2003, Wal-Mart began using RFID technology in its Broken Arrow, Oklahoma store to track Max Factor lipstick.[26] When consumers removed the lipstick from the shelves, this triggered a video monitor, allowing researchers 750 miles away to watch consumers.[27] Researchers in Cincinnati at Proctor & Gamble then could analyze the behavior of consumers.[28]

            There are also many other creative uses of RFID technology. On a very practical level, RFID technology is used in connection with the Homeland Security Container Security Initiative (“CSI”), to develop “smart” containers that can notify authorities of any tampering or theft.[29] RFID chips can be used to create an “e-pedigree” of products through a supply chain to protect the food supply.[30] This can be particularly useful to thwart further injury once a dangerous product is identified, such as when there is an E. coli outbreak from a food source or contamination from a product manufactured with a harmful ingredient. On an even more micro level, the staple manufacturer Swingline has developed staples with RFID tags to facilitate document tracking.[31]

            RFID technology is also useful to track people in a range of contexts. Conference badges fitted with RFID chips allow conference organizers to determine who is attending which sessions, as well as when participants come and go.[32] The Principal and School Board of Brittan Elementary School in Sutter, California, proposed a controversial tracking system for school children with mandatory ID badges with RFID chips.[33] The school withdrew the system following vocal opposition in California.[34] The Minnesota Department of Corrections is using a half-million dollar RFID system to track inmates in a minimum/medium security correctional facility,[35] and Alanco Technologies is using tracking systems in prisons in California, Michigan, and Ohio.[36] In a novel move, the Baja Beach Club in Barcelona began implanting a RFID microchip into a patron’s arm for access into the VIP area of the club.[37] The chip is injected by a nurse using a syringe and a local anesthetic.[38] Lawmakers in the Indonesian province of Papua proposed a more ominous use by considering “selective use of [RFID] chip implants in HIV carriers to monitor their behaviour in a bid to keep them from infecting others.” [39]  There are approximately 3,000 people in Papua with HIV/AIDS out of a population of approximately 2.5 million.[40] In early 2007, Kodak filed an application for a patent on a digestible RFID tag.[41] The tag is ingested and ultimately dissolves in the body.[42] Although Kodak has not identified any specific plans for use of the tags, the patent application states that the devices can be used to “monitor internal bodily events.”[43]

            RFID technology is slowly making its way into the workplace where it can be used to track employees. For less than a thousand dollars, WaspTime, a product of Wasp Barcode Technologies, offers a RFID time and attendance system that includes a RFID time clock and twenty-five employee badges.[44] Control Module, a leading biometric workforce management and data collection technology provider, tracks employee time and attendance, and utilizes access control to keep unauthorized individuals from certain facilities and equipment.[45] Similarly, ActiveWave, Inc. offers RFID employee and passenger tracking systems for airports, railway stations and passenger bus terminals; those systems require individuals to wear a clip-on badge, wrist band, or badge with a necklace.[46] A comprehensive time and attendance system for employees is available from Absolute, located in Dubai, United Arab Emirates, offering the following key features:

·         Track and maintain employee attendance records

·         Identify attendance exceptions such as tardiness and absenteeism

·         Reduce or eliminate unwanted/unauthorized overtime by managing labor resources in real time, and eliminates ‘Buddy-clocking’

·         Ability to track, view and report employee information in true, interactive real-time

·         Generates detailed and summary reports/timesheets for each employee, including calculating daily and weekly overtime

·         Violation tracking measures employee behavior and enforces corporate HR and Health and Safety policies consistently

·         Capability to automate the most complex rules for accumulating vacation, sick time, and other types of benefit leave

·         Provides real-time insight into ongoing labor costs and labor productivity with enhanced reporting capabilities

·         True client-server provides connectivity across wide area networks linking multiple locations to one centralized database

·         Central “browser” application for ease of maintenance and system upgrades.[47]

            Although the use of RFID technology in the workplace is not yet widespread, there are several current applications of RFID that illustrate a range of potential uses. At the Dubai International Airport extension project, RFID technology is being used on a very large scale to track over 9000 workers from laborers to the highest management, who are all wearing green RFID tags.[48] In Sydney, Australia, Star City Casino, which manages a wardrobe inventory of 80,000 uniforms valued at approximately $1.8 million, had a “laundry-tracking problem.” [49] The solution from Accenture: embed RFID tags in the waistband, shirttail or collar of each uniform.[50] From the point when the uniforms are issued to the point when they are turned back to the laundry, each uniform has a discrete identity that is tracked by strategically placed readers.[51] In the United States, at the security firm CityWatcher.com, the CEO/founder of the company and two employees have a microchip embedded in their forearm which allows them entry into the company’s data center housing servers.[52]  The RFID microchips are about the size of a grain of rice.[53] Known as “smart tags,” the devices called VeriChips are apparently the first and only patented, FDA-approved implantable microchip with skin-sensing capabilities.[54] Similarly, workers at the organized-crime division of the Mexican Justice Ministry office in Mexico City use VeriChips to access high-security areas.[55] At the Oak Ridge National Laboratories in Tennessee, RFID is used in an evacuation and monitoring accountability system to track whether employees have evacuated during an emergency and, if not, to let rescuers know where employees remain in the building.[56]

            One of the newest developments in RFID workplace use is technology which provides real time location systems (“RTLS”).[57] RTLS are being hailed as essential safety devices that could be used by emergency personnel to locate individuals in the event of a disaster.[58] In 2005, Cisco Systems Inc. launched a large-scale RFID application using a wireless RFID server that can track people and equipment. [59] The system, Wireless Appliance 2700, is able to track RFID tags down to a few meters and display them on a central map.[60] Tags embedded in employees’ uniforms can sound alarms if the tag moves out of a predefined area.[61] Most recently, in May 2007, Cisco initiated RTLS with the help of AeroScout, a pioneer in this aspect of RFID technology.[62] “The tags broadcast a signal, which is received by three reader antennas.  The time each signal is received is passed on to a software system that uses triangulation to calculate the location of the asset.”[63] In the application for Cisco,  AeroScout tags “communicate with the Cisco Unified Wireless Network, which is also integrated with AeroScout's MobileView,” [64] providing very effective tracking of “key assets and people.”[65] 

B. Security and Safety Issues

            Whenever new technology is introduced, particularly when it can yield information about a person’s whereabouts, concerns are raised.[66] Even if a legitimate reason for the tracking is proffered, there are still concerns about misuse of the data. In the case of RFID, recent information about a link between RFID chips and cancer is also prompting serious inquiry into the safety of using chips in humans.[67] In a speech at Georgetown Law Center, Senator Patrick Leahy encapsulated the main concerns about RFID:

                        With RFID technology as with many other surveillance technologies, we need to consider how it will be used, and will it be effective. [sic] What information will it gather, and how long will that data be kept?  Who will have access to those data banks, and under what checks-and-balances?  Will the public have appropriate notice, opportunity to consent and due process in the case mistakes are made?  How will the data be secured from theft, negligence and abuse, and how will accuracy be ensured?  In what cases should law enforcement agencies be able to use this information, and what safeguards should apply?  There should be a general presumption that Americans can know when their personal information is collected, and to see, check [sic] and correct any errors.[68]

 

The questions raised are being echoed and underscored by many consumer and privacy advocates, such as the American Civil Liberties Union,[69] Privacy Rights Clearinghouse[70] and the Electronic Frontier Foundation.[71]  The major concerns about using RFID to track employees fall into the following three categories: surveillance by any person with access to the reader or database, “profiling” or maintaining a profile on a “target” based on the information gathered, and actions that may be taken based on information collected by using an RFID device.[72]

            Even if employers can use RFID to track employees in the workplace without violating any laws,[73] employees may have concerns about the security of RFID systems from use by unauthorized individuals. In a well-publicized case, a security expert cracked one of the United Kingdom’s new biometric passports and was able to siphon off information, leaving no evidence of tampering.[74] The chips in the passports currently contain the printed details on the passport and the person’s photograph.[75] Eventually the British government wants to incorporate fingerprints and other biometric data on the chips.[76] The fact that someone was able to hack into these ostensibly “secure” chips is the source of great concern, especially in light of additional personal identifying data that may be stored on the chips. Other concerns are that RFID tags will be vulnerable to viruses, just as computers have been under siege.[77] Moreover, at least one expert claims that he can clone RFID-enabled badges,[78] the use of which would distort information gathered using the RFID technology.

            Other security concerns pertain to the lack of reliability of systems. In February 2007, the United States Department of Homeland Security decided to stop “using RFID in its US Visitor and Immigration Status Indicator Technology (US-VISIT) program after the technology read rates proved inadequate.”[79] Moreover, there are concerns that a shortage of RFID professionals can be a hindrance to adoption and effective use of RFID technology.[80]

            In addition to these concerns, a recent report suggested that VeriChip and federal regulators either ignored or overlooked animal studies indicating that RFID chips implanted in dogs and laboratory rodents could cause cancer.[81] This would be a very significant and adverse development for VeriChip as they seek to broaden the use of RFID for human tracking.[82] Verichip reportedly will undertake independent studies to determine if there is a correlation between the implants and cancer.[83] As of September 2007, approximately 2000 humans have an RFID implant and the largest producer of these chips hopes there could be a market as large as 45 million Americans.[84]

III. United States Law

            Despite concerns about the use of RFID technology, there are currently no federal laws and only a few state laws regulating its use in the workplace by private employers.[85] At the core of the concerns is the inevitable legal question of whether there is a reasonable expectation of privacy in the workplace regarding the use of this technology to track employees.[86] At this point, most non-government employees in the United States are exposed to a variety of forms of monitoring, including drug testing, closed circuit video filming, monitoring calls with clients or customers, monitoring e-mail and computer input and transmissions, using GPS systems in company cars and company phones, and personality and psychological testing.[87] There is no comprehensive right to privacy for employees in American workplaces regarding electronic monitoring.[88] As such, in the current legal landscape it would be an uphill battle for employees to argue that tracking movement within the workplace using RFID chips would violate any reasonable expectation of privacy.[89]

            To the extent that RFID is used by any government employers, there are Fourth Amendment search and seizure considerations under the United States Constitution.[90] Even the Fourth Amendment, however, is not sufficient to prevent the use of RFID for public employees. To the extent that a public employer argues that it has a reasonable, work-related need to use RFID, and the scope of the use of the technology does not exceed what is necessary to fulfill the employer’s needs, RFID may arguably be used to track public employees.[91]

            It is worth noting, however, that there has been some federal action regarding the use of RFID in contexts other than employment. The Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 (“SAFETY Act”) encourages the development and deployment of new and innovative anti-terror products and services.[92] This legislation eliminates or minimizes tort liability for companies that sell or provide anti-terror technology approved by the Department of Homeland Security.[93] To the extent that RFID products can be used to track products and minimize the possibility of a terror attack, they qualify as a coverable product under the SAFETY Act.[94] To the extent that RFID is used for medical purposes, the strict requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) are triggered.[95] Privacy and security rules under HIPAA have strict restrictions on the disclosure and use of health information.[96] The Federal Trade Commission (“FTC”) has discretionary authority to prohibit deceptive or unfair acts or practices in or affecting commerce.[97] At this point, the FTC supports industry initiatives to address privacy concerns (e.g. putting consumers on notice) and supports consumer education, but it has not taken any steps to issue specific guidelines about the use of RFID technology.[98]

Given the lack of federal law regulating RFID technology, there has been a good bit of discussion and proposal at the state legislative level.[99]  To date, a number of states have introduced legislation relating to the use of RFID.[100] Most of these proposed laws pertain to uses other than the employment context, although some expressly prohibit requiring an individual to undergo the implantation of a microchip.[101]

A limited number of states have enacted legislation that limits the use of RFID in various contexts. The earliest of those laws were in Wyoming and Utah. In Wyoming, amendments[102] to the Wyoming Pharmacy Act authorized telepharmacies to use automated inventory control, including RFID.[103] Just over a week later, on March 11, 2005, the Utah Computer Crimes Act Amendments (H.B. 185)[104] were signed by the governor.[105]  The Utah law makes it clear that computer crimes apply to wireless networks, and importantly for proponents of RFID, exempts from the Computer Crimes Act certain collections of information through the use of RFID technology by retailers to identify, track or price goods located within the retailer’s location.[106] In a departure from these laws protecting the use of RFID, Wisconsin was the first state to ban required human RFID chipping.[107] Effective May 30, 2006,

(1) No person may require an individual to undergo the implanting of a microchip.

(2) Any person who violates sub. (1) may be required to forfeit not more than $10,000. Each day of continued violation constitutes a separate offense.[108]

 

The passage of this law immediately gave rise to questions.[109] For example, under what circumstances is chipping “required”? If it is a condition of continued employment, and the individual consents to avoid losing her job, would it violate the law?

            State legislative attempts to limit and regulate the use of RFID technology gained more momentum in 2007. In the state of Washington, House Bill 1031, the Electronic Bill of Rights, which would have required parties to obtain consent from consumers “before using RFID to collect, maintain and disclose information” on them was seriously considered in the early spring.[110] Soon thereafter, in April 2007, North Dakota passed a ban on requiring implants in individuals.[111] The law states that “A person may not require that an individual have inserted into that individual’s body a microchip containing a radio frequency identification device.”[112]  Violations of this statute are a misdemeanor crime.[113] Again, the literal language of this statute raises questions about what constitutes “required” chipping, as well as whether a swallowed RFID device is within the scope of the law.[114] Most recently, the Identity Information Protection Act overwhelmingly passed the California Senate on May 24, 2007.[115] The Act requires privacy and security measures for RFID tags.[116] California Senator Joe Simitian introduced the bill in December 2006, focusing on  four measures: (1) prohibiting an employer from implanting chips in workers; (2) blocking RFID technology from being embedded in driver’s licenses; (3) prohibiting schools from issuing ID cards to track student attendance; and (4) making it a misdemeanor to skim identification cards.[117] Senate Bill 362 became law in October 2007.[118] As public concern grows over the use of RFID, more states are likely to pass similar legislation in their upcoming sessions.

IV. International Perspectives

In 1997, the International Labor Organization (“ILO”) of the United Nations published a nonbinding Code of Practice for the protection of workers’ personal data addressing such concerns as: collection, storage, use, and communication of personal data.[119] At the core of its general principles, is the requirement that limits the collection of data to that which is “directly relevant to the employment of the worker.”[120] Addressing concerns about the potential for misuse of workers’ personal information, the guidelines address collection, security, storage, use, and communication of this data.[121] These general principles are reflected in the Resolution on Radio-Frequency Identification which was adopted at the 25th International Conference of Data Protection and Privacy Commissioners in November 2003.[122] The resolution states that basic principles of data protection and privacy law must be observed when designing, implementing and using RFID technology, specifically: 

a) any controller—before introducing RFID tags linked to personal information or leading to customer profiles—should first consider alternatives which achieve the same goal without collecting personal information or profiling customers;

b) if the controller can show that personal data are indispensable, they must be collected in an open and transparent way;
c) personal data may only be used for the specific purpose for which they were first collected and only retained for as long as is necessary to achieve (or carry out) this purpose, and

d) whenever RFID tags are in the possession of individuals, they should have the possibility to delete data and to disable or destroy the tags.[123]

 

Against this backdrop of general principles, nations in addition to the United States are exploring the best practices and legal guidelines that should be implemented to regulate the use of RFID. Countries such as Canada, Australia and countries in the European Union, maintain active discussions on RFID.  These jurisdictions are discussed to provide an international comparison. 

A. Canada

Canada’s private-sector privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), protects the information of employees working for companies operating in federally regulated sectors, including telecommunications, broadcasting, inter-provincial transportation, aviation, banking, nuclear energy, maritime navigation, and shipping.[124] Similarly, Canada’s Privacy Act imposes obligations on some 150 federal government departments and agencies to respect privacy rights by limiting the collection, use, and disclosure of personal information.[125] Consistent with the requirements of these laws, a 2004 Report by Ann Cavoukian, Ontario, Canada’s Information and Privacy Commissioner emphasizes three major principles that must be respected by any deployment and use of RFID systems to comply with Canada’s Fair Information Practices law:

            [1] Notice and Consent – The right to know whether a product contains a RFID tag and whether a reader is being used in a public place . . . .

            [2] Choice – The right to have the RFID tag in a purchased product deactivated without cost.

            [3] Control – The right to have personal identity information kept separate from information identifying an object.[126]

 

            Additionally, the report identifies eight other principles that are essential to achieve full informational privacy: Collection Limitations, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, and Accountability.[127]

            Echoing the importance of these principles, a speech by Canadian Privacy Commissioner Jennifer Stoddard notes that employers need to “start thinking more about workplace privacy and the potential implications of emerging surveillance technologies.”[128] Citing the 2006 Research Report “Under the Radar? The Employer Perspective on Workplace Privacy,” Stoddard expressed her disappointment about some of the employer attitudes about workplace privacy.[129] The report finds that some see workplace privacy as a privilege granted to employees; no one agreed with the idea that workers are entitled to a certain measure of privacy that cannot be taken away.[130] Moreover, Stoddard notes that a survey finding that there is a gap between what “employers and employees think is an acceptable privacy practice.”[131] Emphasizing her concern about the “effects on the dignity of employees” of privacy-invasive measures in the workplace, Stoddard called for a balance between the “rights of the individual to privacy and the needs of organizations to collect, use or disclose personal information.”[132] In 2006, a comprehensive set of guidelines for using RFID systems was released in Canada.[133] Ontario’s Information and Privacy Commissioner released guidelines based on three major principles: (1) focusing on RFID systems rather than technologies (i.e. if the deployment of the systems raises privacy concerns), (2) building in privacy and security measures early in the design of the system, including minimizing the “identifiability, observability, and linkability of RFID tags with personal information,” and (3) maximizing individual participation and consent, enabling individuals to make informed decisions about the use of RFID systems affecting them.[134] Additionally, it should be noted that Canada also has other private sector personal data protection legislation in Quebec,[135] British Columbia,[136] and Alberta,[137] which supplement PIPEDA.[138]

B. European Union

Similar to discussions in the United States and Canada, the European Union (“EU”) is actively considering what restrictions, if any, should be placed on the use of RFID technology.[139] Although one might think that EU Directive 95/46/EC,[140] which restricts the processing and movement of certain forms of data on individuals, might automatically restrict the use of RFID technology, the issue is far from resolved in the EU. In January 2005, an Article 29 Working Party[141] on data protection issued a working document studying privacy concerns related to the use of RFID technology in the EU.[142] The Working Party expressed “concern about the possibility for some applications of RFID technology to violate human dignity, as well as data protection rights.”[143] The report specifically cited concerns “about the possibility of businesses and governments to use RFID technology to pry into the privacy sphere of individuals” through their “ability to surreptitiously collect” data on the same person in multiple venues.[144] Heading off public concern, the European Commission, the executive branch of the European Union, explained that its role is to “help build a cross-society consensus on technical, legal and ethical issues associated with RFID and to intervene, where required, with regulatory instruments.”[145] In so doing, it cited a number of questions associated with the use of the technology such as: “how do we credibly ensure that RFID tags are not abused to invade the privacy of consumers? Do we need to destroy an RFID tag when it could be useful for self-configuring products (built from autonomous components and assemblies), automating warranty checks, etc.?”[146]

            These initial concerns made it appear as if the EU might issue comprehensive, restrictive policies about the use of RFID technology to protect the privacy of its citizens. In a 2006 speech, Viviane Reding, the member of the European Commission responsible for Information Society and Media, advocated for a set of European rules for safe and secure development of RFID technology.[147] Thereafter, in March 2007, the EU Commission issued a report proposing a “European policy strategy” for using smart radio tags.[148] According to the report, the Commission will “[c]reate in 2007 an RFID Stakeholder Group to provide advice and assistance to the Commission in developing a European policy position concerning RFID applications.”[149] The work of this group is to be “carried out in association with, among others, the Article 29 Data Protection Working Party.”[150] By mid 2007, the Commission was to propose amendments to the e-Privacy Directive to take account of RFID applications, as part of the EU Telecom Rules' review.[151]  Also, the Commission planned to publish, by the end of 2007, a Recommendation on how to handle data security and privacy of smart radio tags to Member States and stakeholders, and to assess policy options and need for further legislative steps.[152]

            Industries utilizing identification technologies viewed the RFID report as a welcome development because, at least for the time being, the EU will use self-regulation and existing laws to manage RFID technology.[153] Although the EU opted against formal legislation and will move forward with what is characterized as “soft law”—i.e. the Commission is developing a set of security and privacy guidelines for the RFID industry—this still seems to be a very positive signal for those seeking to use RFID.[154] In fact, U.S. Department of Commerce Under Secretary for Technology Robert Cresanti “characterized the EU decision as a ‘big victory,’ making a nod to free-market economics that advocates less governmental intervention in matters of commerce.”[155]

            It should be noted that, in addition to the action being considered in the EU, some member nations have their own initiatives. For example, in France the data protection authority, la Commission nationale de l’informatique et des libertés (“CNIL”) is monitoring RFID use, as it considers RFIDs to be “personal identifiers” within the meaning of the 6 January 1978 Act and the EU 95/45 Directive.[156]  As such, the CNIL is already advising all employers to ensure that employees are fully informed on any use of RFID in employee badges and it calls for workers to have access to their own data records.[157] In the United Kingdom, the Information Commissioner’s Office is making recommendations in its Employment Practice Code similar to those referenced in France.[158] The British union GMB recently argued that requiring some workers in retail distribution centers to wear RFID tags was dehumanizing, turning workplaces into “battery farms.”[159] Additionally, in Germany, before any technological device is used to monitor workers, permission must be obtained from the company’s works council pursuant to the labor law.[160]

C. Australia

The RFID Association of Australia (“RFIDAA”) is an independent association supported by the government with the goal of creating a “strong, dynamic and informed Australian RFID market.”[161] In Australia, sixty percent of the RFID technology market is in security/access control and animal applications.[162] Encompassed within the security/access category are applications for employee access tracking.[163] The most celebrated use in the employment context is by the Star City Casino in Sydney where RFID tags are sewn in employee uniforms.[164]

            In 2006, the RFIDAA worked with Booz Allen Hamilton, a leading consulting firm, to survey the views and position of the government regarding the adoption of RFID technology.[165] The Booz Allen Hamilton study showed that “less than thirty percent of Australian government departments gave RFID technology any priority in their business plan.”[166] However, the study also revealed that seventy-five percent of the respondents plan to investigate or use RFID within three years.[167] In any event, the Australian Privacy Commissioner issued a report on developing technologies.[168] Although the report acknowledged that “RFID may help businesses improve the way they manage the supply of their products and so save consumers money[,]” it also expressed concern that “they also have equal potential to invade personal privacy if deployed wrongly.”[169]

            Based on these concerns, the Office of the Privacy Commissioner stated that “all the basic principles of privacy law should be adopted when designing, implementing and using RFID technology.”[170] In summary, the following observations and general guidelines were issued:

[1] RFID tags should only be linked to personal information or used to profile customers if there is no other way of achieving the goal sought; [2] individuals should be fully informed if personal information is collected using RFID tags; [3] personal information collected using RFID tags should only be used for the specific purpose for which it is first collected and destroyed after that purpose is achieved; and [4] individuals should be able to delete information, or disable or destroy any RFID tag that they have in their possession.[171]

Thus, Australians share the same concerns about privacy and information that have been raised in the United States, Canada, and the EU.

V. Proposed Recommendations

Inasmuch as there is very little legislation regulating the use of RFID to track employees and a good bit of public concern about the use of this technology, it is important for employers to thoroughly weigh the pros and cons before implementing an employee tracking system. Cavalier or imprudent use of this technology could lead to reactionary laws, which ultimately undermine what could be legitimate and reasonable uses of RFID in the workplace. Prudent use by employers could lead to more efficient and safe workplaces, and also stem employee fears. Ideally, employers using RFID will develop a code of conduct balancing the potential effective use of RFID in the workplace with privacy concerns of employees. Although RFID technology is not “one-size-fits-all” in terms of the applications in the employment context, the following nine recommendations are designed to help employers implement comprehensive and thoughtful procedures in the deployment of RFID systems to track employees.[172]

1. Assess Business Necessity and Legitimate Goals

The first step is for employers to review the proposed use of RFID technology to track employees to ensure that there is a business necessity and that using a less intrusive means would not serve that purpose achieving the desired goal. Employers should reflect on whether the system is proportional to a lawful goal. These specific and limited purposes should be fully explained to the affected employees. Moreover, employers should circumscribe the scope of data collected; it should be limited to what is reasonably necessary for a legitimate business goal.

2. Obtain Informed Consent from Employees 

Prior to collecting data, informed consent should be obtained from all employees subject to tracking. Specifically, they should be informed about: when, where, and why the RFID tag is being read; punitive or disciplinary measures that may be taken based on information gathered by using the RFID tag; and what will happen to the data when the employee leaves the employer, such as whether the tags will be deactivated or removed. Along these lines, at least two states have passed laws aimed at preventing (and criminalizing) forced implanting, employees should not be coerced into RFID tracking through the use of implants; Lastly, there should be full disclosure of any medical uncertainties and safety concerns associated with implanted devices.  

3. Address Security Concerns

Employers using RFID should deploy an appropriate level of security, including: encrypting data collected; establishing read-range limitations to minimize ability of tags to be read by unauthorized readers; authenticating data to prevent unauthorized access to the information collected. The security of the RFID system should be assessed on a regular basis, including its vulnerability to viruses or other corruption of data.    

4. Ensure Openness and Transparency

All policies and practices associated with the use of RFID in the workplace should be readily available to those who are affected by the deployment. This could be accomplished in employee handbooks, including on-line employee resources. It is particularly important for employees to be aware of punitive or disciplinary measures that may be taken based on information gathered by using the RFID tag. It should be clear that collected data will never be used to illegally discriminate against individuals or groups of workers.          

5. Provide Employee Access to Records

            Employees should have reasonable and timely access to the RFID data collected on their whereabouts.  Employee access to records will help obviate concerns about the content of the records, including fears about inaccurate data. Additionally, employee access would reduce employee feelings about lack of control over the monitoring.

6. Mandate Accountability

One individual should be designated to ensure compliance with internal procedures, as well as to answer employee questions and train employees on uses and restrictions of the tracking system. To the extent that any external service providers are used to collect and process data, they should be supervised by a designated individual within the company to ensure that there is accountability.

7. Safeguard Data Collected

Security measures should be implemented to protect the integrity and accuracy of the information, as well as to limit access to the date collected to only those with legitimate reasons to review the data and the affected employee. Additionally, safeguards should be followed to ensure that the data collected is accurate and current.

 8. Grant Employees the Right to Challenge Data Collected

Procedures should be established to allow employees to contest the information collected for completeness and accuracy. Employees should be informed about these procedures and should have the right to file a complaint or register concerns. If appropriate, the disputed information should be amended for accuracy. Such procedures should be designed to correct mistakes in the data, not to block lawful and accurate collection of data. A compliance person should be designated to handle all such employee challenges to data.

9. Establish Clear Data Retention Policies

Lastly, data should not be retained any longer than is reasonably necessary to achieve the business necessity. If there is a judicial or disciplinary procedure initiated based on any data collected, the data should be retained until the full resolution of the matter.

VI.  Conclusion

At this point, the proverbial “genie” is out of the bottle. Assuming that researchers are able to create reasonably secure RFID systems, the usefulness of RFID technology has already been demonstrated in a number of varied contexts. The potential for workplace use is no exception. What is critical, however, is that employers should deploy RFID systems in a responsible way with legitimate business goals. To that end, if employers implement systems consistent with the proposed recommendations herein, a satisfactory balance can be achieved between the employer’s use and the employee’s expectations of privacy.