WorldLII Home | Databases | WorldLII | Search | Feedback

Privacy Law Resources

You are here:  WorldLII >> Databases >> Privacy Law Resources >> 2005 >> [2005] PrivLRes 3

Database Search | Name Search | Recent Documents | Noteup | LawCite | Help

RFID Privacy Protection Guideline (Republic of Korea) [2005] PrivLRes 3 (7 July 2005)

WorldLII [Home] [Databases] [Search] [Feedback] [Help]

Note: This is an unofficial translation by Prof Whon-Il Park, Asst. Prof. of Law at Kyung Hee University, South Korea

Chapter 1 General provisions

Article 1 (Purpose)

The purpose of this Guideline is to protect the privacy of individuals potentially affected by an RFID system and promote a safe environment for RFID use.

Article 2 (Definition)

The terms used herein shall be defined as follows:

1. "Personal information" shall mean the information pertaining to any living person, which makes it possible to identify such individual (including the information capable of identifying a person when combined with other information even if the information does not clearly identify the person);

2. "RFID system" shall mean any system which attaches an RFID tag to an article, etc. and, by using radio frequencies, perceives its identification information and the information about the surrounding environment so as to collect, store, process and utilize the said information;

3. "RFID (Radio Frequency Identification) tag" shall mean any tag, built in or attached to an article, etc., which can record its information or other information, and use radio frequencies to read or store this information;

4. "RFID service provider" shall mean any person who manufactures and sells RFID chips or tags, who manufactures (including processing or packaging) or sells article with RFID tags attached or built in, who links article information recorded in the RFID tag to personal information, or who records personal information in the RFID tag or collects personal information recorded in the RFID tag; and

5. "User" shall mean any person who purchases an article with RFID tags built in or attached, or makes use of the services based on the article with RFID tags built in or attached.

Article 3 (Scope of Application)

This Guideline applies to the cases where the RFID system might be used to infringe on individual privacy in such a way that personal information is recorded in an RFID tag and then collected, or the article information collected by means of the RFID is linked to a personal information; provided, however, that it does not apply to such cases as the article information is collected and used without any risk of invasion of personal information and privacy.

Chapter 2 Recording, Collection and Linkage of Personal Information

Article 4 (Prohibition from Recording Personal information, etc.)

(1) RFID service providers shall not record personal information in the RFID tag; provided, however, that the same shall not apply where recording of personal information is stipulated by law, or by an explicit written consent from the user.

(2) If RFID service providers want to obtain the consent pursuant to Paragraph (1), they shall notify its user, in advance, of the purpose for recording and potential use of the personal information.

Article 5 (Using RFID Tag to Collect Personal Information)

In case RFID service providers collect personal information recorded in the RFID tag pursuant to Paragraph (1) Article 4, they shall notify the relevant user of the fact or indicate it in an easy-to-notice manner.

Article 6 (Linking Article Information in RFID Tag to Personal Information)

If RFID service providers want to link article information recorded in the RFID tag to personal information, they shall notify the relevant user in advance, or indicate it in an easy-to-notice manner.

Chapter 3 Indication of the RFID Tag Attached

Article 7 (Indication of the RFID Tag Attached, etc.)

(1) If an RFID tag is built in or attached, even after the user purchased the article or was otherwise provided with the article, RFID service providers shall explain the following to the user in advance or indicate the information on the article or its package;

1. The fact that an RFID tag is attached and its location;

2. The nature and function of the RFID tag;

3. The type of information recorded in the REID tag; and

4. Contact information for the person in charge of personal information in accordance with Article 12.

(2) If RFID service providers find it hard to explain or indicate as provided for in Paragraph (1), they shall post the information described in each Subparagraph of Paragraph (1) in such a way that the user can easily notice it at the place where the article is sold or the service is provided.

Article 8 (Indication of Deactivating the RFID Tag, etc.)

(1) If an RFID tag is built in or attached, even after the user purchased the article or was provided with the article, RFID service providers shall explain to the user how to deactivate the RFID tag, or indicate it on the article or its package.

(2) If RFID service providers find it hard to explain or indicate as provided for in Paragraph (1), they shall post the information described in each Subparagraph of Paragraph (1) in such a way that the user can easily notice it at the place where the article is sold or the service is provided.

(3) RFID service providers shall provide a means to easily deactivate the RFID tag to any user who purchased an article, etc. with an RFID tag built in or attached.

(4) RFID service providers shall not treat the user to improper disadvantage, or discriminate the user on account of the user's removal of the RFID tag.

(5) If deactivating an RFID tag as provided for in Paragraph (1) impairs the user's interest or public interest, RFID service providers shall explain the reason to the user or indicate it on the article or its package.

Chapter 4 Miscellaneous

Article 9 (Prohibition from RFID Tag Implantation in Human Body)

(1) Anybody is prohibited from implanting an RFID tag in a human body, or letting the user wear it continuously on its body; provided, however, that the same shall not apply to the cases specifically provided for by law.

(2) Except as specifically provided for by law, no one shall attach any RFID tag to an article, etc. in such a way that the user cannot be aware of it.

Article 10 (Indication of the Installation of RFID Reader)

If anybody installed a reader capable of reading the information about an article which was delivered to the user with an RFID tag built in or attached, or personal information recorded in the RFID tag, he or she shall indicate the fact that a reader is installed in such a way that the user can easily notice it; provided, however, that the same shall not apply where the reader is installed for the purpose of logistics, distribution, internal security and inventory management, or it is difficult to easily indicate where the reader is installed as it is not installed in a fixed place.

Article 11 (Managerial and Technical Measures for the Data Protection of RFID System)

When RFID service providers use the RFID system to record and collect personal information, or link the article information of the RFID tag to personal information, they shall take measures complying with the "Standard Managerial and Technical Measures to Protect Personal Information" (Ministry of Information and Communication Notification No. 2005-18) lest the relevant personal information should be lost, stolen, leaked, altered or impaired.

Article 12 (Assessment of the Privacy Impact of RFID System)

When RFID service providers use the RFID system to record and collect personal information, or link the article information of the RFID tag to personal information, they shall make efforts to ensure that privacy is not infringed upon by analyzing and assessing the risk of invasion of privacy accompanying the use of the RFID system at the time the RFID system is introduced.

Article 13 (Appointment of Person in Charge of Personal Information)

When RFID service providers use the RFID system to record and collect personal information, or link the article information of the RFID tag to personal information, they shall appoint a person in charge of personal information who will be responsible for protecting users' privacy in relation to the RFID tag and promptly processing users' complaints.

Article 14 (Enhancement of User Awareness of the RFID Tag)

RFID service providers or business associations and organizations related with RFID shall make efforts to enhance user awareness by providing users with information about the usefulness, benefits and dangers of the RFID tag.

Article 15 (Use, Provision and Destruction of Personal Information, etc.)

Any other matter relating to the use, provision, and destruction of personal information, and protection of personal information including protection of users' rights than as provided for herein shall be subject to the information protection principles stipulated in the Act on the Promotion of Information and Communications Network Utilization and Data Protection, etc., regulations and guidelines.

Article 16 (Revision of the Guideline)

This Guideline may be revised based upon the survey of opinions of users, RFID service providers and related organizations reflecting the developments in RFID-related technologies, and the subsequent changes of incidents of privacy invasion.

Addendum

Entry into Force

This Guideline shall come into force on July 7, 2005.


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.worldlii.org/int/other/PrivLRes/2005/3.html