In 2004, the Book Industry Study Group convened an RFID task force of organizations related to the creation, publishing, distribution, and retail sales of books and their use in libraries. The goal of the task force was to “develop guidelines that would reduce the potential for misuse of personal information and to avoid the loss of trust of consumers and library users”² as it pertains to the use of RFID technology. The task force released a policy statement in which it set out five RFID Privacy Principles:

• Implement and enforce an up-to-date organizational privacy policy that gives notice and full disclosure as to the use, terms of use, and any change in the terms of use for data collected via new technologies and processes, including RFID.
• Ensure that no personal information is recorded on RFID tags which, however, may contain a variety of transactional data.
• Protect data by reasonable security safeguards against interpretation by any unauthorized third party.
• Comply with relevant federal, state, and local laws as well as industry best practices and policies.
• Ensure that the four principles outlined above must be verifiable by an independent audit.³

In 2005, the ALA’s Intellectual Freedom Committee and the Office for Information Technology Policy developed “RFID in Libraries: Privacy and Confidentiality Guidelines” which were based on the work of a task force convened by the Book Industry Study Group but went further. The guidelines were adopted by ALA Council at ALA’s 2005 Midwinter Meeting. The guidelines and best practices included:

1. Notify users about the library’s use of RFID technology.
2. Label all RFID tag readers clearly so users know they are in use.
3. Protect the data on RFID tags by using encryption if available.
4. Limit the information stored on the RFID tag to a unique identifier or barcode.
5. Block the public from searching the catalog by the unique identifier.
6. Store no personally identifiable information on any RFID tag.⁴

In 2006, the NISO RFID Working Group on RFID in U.S. Libraries was formed to focus on the use and implementation of RFID technology in libraries. In 2008, the group formally published RFID in U.S. Libraries, a Recommended Practice of the National Information Standards Organization (NISO RP-6-2008).⁵ The working group was composed of RFID vendors, software application providers, two librarians, and two BISG consultants. The document included recommended practices as well as a data model to facilitate interoperability between RFID vendors’ solutions and also to facilitate use of the RFID tag across the entire life cycle of a book. Therefore, the proposed data model included fields for circulation, security, and ILL as well as fields that could be used by book publishers and others in the supply chain.

The first recommendation listed in this document was that tags should comply with the guidelines developed by the BISG working group, stating “in particular, ensuring that data relating to individual persons should never be recorded on item tags.”⁶ However, the document did not mention the best practices guidelines that had been adopted by ALA in 2005. In addition, the data model included options for including the owner library, shelf location, title, and “local data” fields and provided no mandates for how the local fields could be used. This caused some concern for privacy advocates.

The November–December 2010 issue of Library Technology Reports focused on privacy and freedom of information. Deborah Caldwell-Stone authored chapter 6 focusing on RFID and privacy. In it, she states that the NISO recommendations and data model reflected the “needs of the commercial entities that make up the supply chain and not the needs and concerns of libraries and librarians.”⁷ She stated that librarians “should assume a leadership role in developing best practices and standards … for RFID as part of their ethical obligation to protect library users’ privacy.”⁸

Also in 2010, a new NISO working group, the NISO RFID Revision Working Group, was formed to revise the 2008 NISO recommendations. The goals of the Revision Working Group were as follows:

• To review existing RFID standards, assess the applicability of this technology in U.S. libraries and across the book publishing supply chain, and promote the use of RFID where appropriate.
• To examine and assess privacy concerns associated with the adoption of RFID technologies in libraries.
• To investigate the way RFID may be used for the circulation or sale of books and other media in the United States and make recommendations.
• To focus on security and data models for RFID tags, along with issues of interoperability and privacy.
• To create a set of recommendations for libraries with regard to a tag data model and other issues, with the specific goals for this revision of:
  • Reviewing and updating information in the original document.
  • Ensuring conformance between the approved ISO standard and the NISO recommended practice.
  • Creating a set of recommendations for a U.S. data model standard.
  • Providing specific examples to make implementation easier for manufacturers and libraries.⁹

In April 2011, the group issued its revision for public comment. In this document, NISO recommended that the United States adopt ISO 28560-2 as the US Data Profile (application standard).

In the 2011 revision of the NISO recommendations, the Revision Working Group recommended that the US adopt ISO 28560-2 and provided guidelines for how to use each of the fields recommended for inclusion in the US Data Profile. The Working Group received “input from RFID hardware manufacturers, solution providers (software and integration), library RFID users, distributors, processors, and related organizations.”¹⁰ All participants in the supply chain (manufacturers, suppliers, distributors, libraries) had been taken into account, but the proposed standard applied primarily to libraries.

The revision refers to a checklist (for libraries and vendors) that can be used to evaluate the degree of conformance with the ISO 28560 standards,¹¹ a set of recommended practices and procedures to ensure interoperability among US RFID implementations, and a list of suggestions to reduce the impact of migrating from nonconforming systems to conforming systems.

In March 2012, the RFID revision was adopted, thus establishing ISO 28560-2 as the US Data Profile. The final document was largely unchanged from the version released for comment. Both the revision and the final document included a description of all the data elements included in the data profile and made recommendations about how to use them.

The recommended practices were provided in order to promote procedures that would lead to installing the RFID early in the life cycle of the book. This way the tag could be used by publishers, distributors, and libraries (including for shelving, circulating, sorting, inventory, and security), as well as in interlibrary loan transactions. They also envisioned the tag being used in secondary markets such as secondhand books, returned books, and discarded or recycled books.

The hope is that the US Data Profile and associated recommendations will promote true interoperability between libraries. The Revision Working Group envisioned every library being able to use every other library’s RFID tag regardless of the supplier, hardware, software, or ILS. They were attentive to the importance of protecting patron privacy while leveraging the technology. And they hoped the recommendations would lead to global interoperability and remain relevant and functional as the technology evolved.

The Revision Working Group supports most of the policy guidelines and best practices adopted by the ALA Intellectual Freedom Committee (IFC) in 2006; however, it does take issue with one recommendation. The IFC asserts that best practices dictate that only the barcode number should be stored on the tag. The Revision Working Group does not agree that only the barcode number should be stored on the tag. It does agree that no personally identifiable information should be stored on the tag, nor any transactional data regarding patron use.¹² The Group also suggests libraries blank out the Title and GS1-13 field if either has been used by upstream users (e.g., distributors).

While the Revision Working Group doesn’t explicitly disagree with other IFC best practices, it would have been useful had it done so. For example, the IFC document encourages libraries to provide an RFID system from which a patron could “opt out.” It isn’t clear how this would protect patron privacy, because even if some patrons opted out (e.g., chose to use the barcode-only self check-out machines), the materials would still have RFID tags on them. The worry for privacy advocates is that someone will read the tag on a patron’s in-circulation item, and using barcode-only equipment doesn’t alleviate this concern.

Since 2006, the public’s relationship to privacy has changed. Also, RFID technology has been widely adopted in many industries. And finally, with the latest standard, the AFI attribute is recommended. The AFI attribute adds an additional level of protection against unauthorized reading of the tag by readers outside of the library industry.

It is time for the IFC to update the best practices document so that it provides implementable recommendations that do not simply restate the library’s traditional approach to protecting patron privacy but that take into account the privacy protections patrons expect and desire today. And it is important that those who develop the best practices have a strong understanding of the benefits and limits of RFID technology in libraries.

The US Data Profile includes two mandatory data elements: Primary Object ID (i.e., barcode) and Tag Content Key. The field Owner Library is also recommended. The reason Owner Library is recommended is that the combination of the Primary Object ID with the Owner Library provides for a nationally (and possibly globally) unique item identifier. This has ramifications for how the tags could be used to support ILL and resource-sharing workflows. The UK Data Profile, also based on ISO 28560-2, makes Owner Library mandatory (this is the only difference between the US and UK Data Profiles).

By limiting the mandatory fields to just the barcode number and tag content key, the Revision Working Group provided a way for libraries to continue to use the tags much like they do today. This minimalist approach provides an acceptable way forward for libraries for whom patron privacy concerns are paramount.

There are 22 optional elements included in the US Profile (see table 3.2 for complete list). Two of the fields included in ISO 28560-2 have been excluded from the US Data Profile. These are MARC Media Format (in favor of the ONIX Media Format field) and Supplier Invoice Number (although Supplier Identifier and Order Number were included).

Owner Library and ILL Borrowing Institution refer to ISIL codes. The ISIL Registration Authority will issue US libraries an ISIL code for the purposes of using the code on RFID tags. Alternatively, an OCLC code could be used, as these are ISIL-compatible. If the Owning Library or ILL Borrowing Institutions do not have an ISIL or ISIL-compatible code, the standard states that the Alternative Owner Library and Alternative ILL Borrowing Institution fields should be used instead.

Set Info allows the library to encode information about multipart sets onto the tag. The field contains the total number of items in the set and the part number of the item to which the tag is affixed. Some libraries are already taking advantage of this data element.

Type of Usage is a field that provides additional information about the intended use of the item. For example, an item can be tagged as a circulating item or as reference material or as adult material (e.g., R-rated movie). Using the tag this way would allow the circulation and security system to prevent a patron from checking out a reference book while the ILS was down or a teen from checking out an R-rated movie.

It is unfortunate that the proposed data profile doesn’t specify that Title should remain unlocked. If locked, information about the content of the tagged item is stored on the tag Title. None of the other fields contain any personally identifying information or even specific information about the content of the item, so even if they were locked, it wouldn’t pose a particular privacy concern. Title, however, is a field that many libraries would choose to leave blank once an item goes into circulation.

Another field, GS1-13, raises the same concerns as Title. GS1-13, or the UCC Code, as it is known in the United States, can be used for the ISBN or ISSN by pre-pending “978” or “979” (ISBN) or “977” (ISSN) to the number. ISBNs are easy enough to associate with a particular title. While some libraries might want to use this field to provide additional services for patrons, many others will insist that this field be left blank on circulating material. Specifying that this field remain unlocked would have provided support for this latter group.

The ISBN could be used in interesting ways for library patrons. For example, electronic reader’s advisory services can be provided based on the ISBN. Recommendations could be provided to patrons based on items they are checking out or returning or perhaps at a special Get Recommendations kiosk that could be used to find another book like the one they’d just enjoyed reading.

Each library will need to find the right balance between patron privacy concerns and providing convenient and expansive library services. The trend has been toward more convenience with much less concern about privacy, but this varies quite a bit from community to community.¹³

The Shelf Location field can be used to specify where an item should be shelved. In addition to encoding the actual LC or Dewey number in this field, the library could also specify Adult Fiction or Entrance Display in this field. This field could be useful when sorting material based on information on the RFID tag. For example, the sorter could be programmed to sort all Adult Fiction to one bin and Entrance Display to another. While this is possible already, it requires the sorter to communicate with the ILS. With the information on the RFID tag, the additional sorting granularity could be accomplished independent of an ILS connection.

Supplier Identifier and Order Number could contain data useful in the receiving functions of a library. If these fields are used, new items arriving at the library could be received without needing to individually scan each item. This would dramatically improve the receiving workflows in the library’s technical services department.

Many libraries are already using EDI (electronic data interchange) in their workflows. EDI allows items to be ordered and invoiced electronically. Theoretically, receiving can also be performed electronically, but it is usually implemented last (if at all). This is partly because libraries often receive partial orders and also because they feel more confident verifying that the packing slip actually matches what is in the shipment. Libraries are more comfortable unpacking the box, scanning in each item as received, and putting it on a book cart.

Using Supplier Identifier and Order Number, the library could receive all items in a box and verify the contents without actually having to handle each item or even opening the box. An RFID tunnel is a piece of equipment designed for this purpose and it is common outside of the United States. Only recently has one RFID vendor included an RFID tunnel in its product line for sale to US libraries.

Using ILL Borrowing Institution and ILL Borrowing Transaction ID could eliminate much of the paperwork and labor associated with performing ILL transactions. The ILL Borrowing Institution (perhaps in combination with other fields) can be used in sorting systems to route outbound ILL items to the appropriate delivery route and location (if part of a closed delivery system) or to the shipping department if the item needs to be sent out via a shipping service.

The ILL Borrowing Transaction ID represents the key to the entire ILL transaction in terms of both the borrowing and lending libraries’ workflow. Whatever ILL software is used to initiate the transaction, the data is associated with a transaction ID. By writing that transaction ID to the tag, each library is freed from filling out paperwork that needs to travel with the item. Referencing the transaction ID in the shared ILL software would simply pull up all the pertinent information.

The proposed profile also includes three Local Data fields. These fields are there to provide even more flexibility for the library. The data model does not specify the size of these fields, so the library can really use them in whatever way it likes.

Many people involved in library RFID (this author included) hope to see tags placed in new items at the manufacturer stage so that they can be used for multiple purposes along the way. The Supply Chain Stage field exists to support this vision. Once an item becomes a library item, this field would be encoded with “64.” The data model defines other numbers that are associated with other stages including manufacturer (16), publisher (24), distributor (32), and jobber (48). This field is used so that fields can be interpreted correctly depending on where they are in the supply chain. For example, the Primary Item Identifier in a library is the library’s barcode number. However, a book distributor may encode the EPC code as the Primary Identifier.

This field is to be used in addition to the Owner Institution field (or Alternative Owner Institution field). It does not use ISIL or ISIL-compatible codes. It can be a short alphanumeric string to identify individual outlets associated with a library. The expectation is that this field will be used to identify home branches for material owned by the Owner Institution. This field could also be used to support floating or rotating collections management.