Agency Position on the Industry Proposal re: a Privacy and Data Protection Impact Assessment Framework for RFID Applications
A framework for privacy and data protection impact assessments (PIA)
In the European Commission recommendation “on the implementation of privacy and data protection principles in applications supported by radio‐frequency identification” (12 May 2009), it is considered that member stated should ensure that Industry develops a framework for privacy and data protection impact assessments (PIA). On 31st of March, the industry published a draft proposal on Privacy and Data Protection Impact Assessment Framework, sending it also to the Article 29 Working Party for endorsement.
Role of the Agency
According to Recital 17 of the RFID Recommendation, the development of the PIA Framework should build on existing practices also in the work conducted by ENISA. Given also ENISA’s expertise and experience in the field of risk management and developing a risk assessment framework on identifying emerging and future risks, the Agency has been asked by the European Commission to provide comments and recommendations on the draft of the PIA framework.
“Privacy by design”
ENISA considers this as a very important initiative, especially since such a framework would enhance and further promote solutions of “privacy‐by‐design”. The importance of “privacy-by-design” has already been highlighted in many ENISA reports and studies. In view of the above and considering the great effort already invested in the draft, ENISA reviewed and submitted its position to the Article 29 Working Party.
Agency Position
In its position, ENISA identified certain issues and areas for improvement. Based on these, the Agency makes some recommendations, which could substantially improve the current PIA draft. It is noted that given our experience and expertise, our comments are mainly related to the methodological part used (particularly regarding risk management and impact assessment) and not on legal issues.
For full Agency position.