Shops 'must tell consumers how to disable RFID tags'

The UK's information watchdog has warned companies using RFID to make sure they're playing nicely with data protection legislation - even if it means telling consumers how to disable the tags.

The Information Commissioner's Office (ICO) has published a guidance for enterprises setting out how they must deal with individuals' data when it becomes linked to RFID tags - whether they're found attached to goods in a supermarket or on smartcards such as the Oyster card.

Businesses with RFID systems in place or those thinking of deploying them should be complying with best practices, according to the ICO, as well as making sure they abide by the Data Protection Act.

The ICO counsels RFID users to beware of function creep and only collect data where necessary. "It is recommended that RFID users do not collect or store personal data if it is not necessary to do so. Keeping track of the popularity of products, for example, will not necessarily require the recording of data about specific shoppers' buying habits," it says in its guidance.

Businesses are also duty bound to inform customers where, when and how RFID tags are being used and must tell them how to remove or disable them in certain cases, such as when they are still left on clothes after a consumer has bought them.

The ICO said: "In a world of 'ubiquitous computing', security and privacy safeguards should be built into the architecture of RFID systems, rather than added on later."