[AfriNIC-rpd] Regional Internet Registry Privacy
Walubengo J
jwalu at yahoo.com
Sun May 6 00:54:04 UTC 2012
SM,
two quick questions.
a) Which example of data at AfriNIC is currently "private"? i.e. give an example, since I am not getting what data you wish to protect here, having rightly excluded "whois" data. If it's administrative data, e.g. financial membership data, I believe that is covered under Financial and Data Privacy laws of the host country?
b) Any RIR with a similar Policy? Not always a must but sometimes comforting to know.
walu.
--- On Sat, 5/5/12, sm+afrinic at elandsys.com <sm+afrinic at elandsys.com> wrote:
From: sm+afrinic at elandsys.com <sm+afrinic at elandsys.com>
Subject: [AfriNIC-rpd] Regional Internet Registry Privacy
To: rpd at afrinic.net
Cc: policy-submission at afrinic.net
Date: Saturday, May 5, 2012, 10:02 PM
Name: S. Moonesamy
Email: sm+afrinic at elandsys.com
Date: 5 May, 2012
Version: 1
Title: Regional Internet Registry Privacy
Summary
Privacy is the ability of an individual to be left alone, out of public view,
and in control of information about oneself. This document specifies the
privacy policy for the Regional Internet Registry handling Internet number
resources in the AfriNIC service region.
1. Introduction
Privacy is the ability of an individual to be left alone, out of public view,
and in control of information about oneself. AfriNIC, as a Regional Internet
Registry, manages and administers Internet number resources for the AfriNIC
service region. It publishes information about Internet number resources on the
Internet. This document specifies the privacy policy for the Internet
Registry.
Any restriction mentioned in this document is not applicable to data which
is publicly available, e.g. data provided through a service accessible
anonymously over the Internet.
2. Data Minimization
The principle of data minimization has been adopted to limit the collection
and/or transfer of Personal Identifiable Information (PII) to what is
directly relevant and necessary for specified, explicit and legitimate
purposes. Information about whether any data is adequate, relevant and
not excessive in relation to the purposes for which it is collected and/or
transferred shall be made available to any person who is part of the Policy
Development Working Group for the AfriNIC service region.
The Regional Internet Registry shall not collect under any circumstances
Personal Identifiable Information from an applicant of Internet number
resources which can be used to identify more than a quarter of the users
to which an applicant has allocated IP address space. This is a maximum
amount and not guidance about the amount of data considered as excessive.
2.1. Data Retention
The retention period for Personal Identifiable Information is three months.
Personal Identifiable Information necessary for financial purposes; e.g.
billing, can be retained for up to twelve months after the end of a
Registration Service Agreement.
Personal Identifiable Information published for Internet number resources
allocations or assignments can be retained for the historical record if
the data was publicly available for at least a month.
2.2. Transfer of Personal Identifiable Information
Personal Identifiable Information cannot be transferred to another country
unless there is a publicly available assessment of:
(a) the nature of the Personal Identifiable Information
(b) the purpose and duration of the proposed processing of the
Personal Identifiable Information
(c) the country of origin and country of final destination
(d) the rules of law in force in the country in question
(e) any relevant rules and security measures which are complied with
in that country
3. Personal Identifiable Information Transfer Register
A Personal Identifiable Information Transfer Register will be maintained
with the following information:
(a) date of transfer of the Personal Identifiable Information
(b) nature of the Personal Identifiable Information
(c) purpose of the proposed processing of the Personal Identifiable
Information
(d) country of origin and country of final destination
The Personal Identifiable Information Transfer Register shall be published
through a service accessible anonymously over the Internet. Personal
Identifiable Information required for financial purposes is exempted from
publication.
4. Personal Identifiable Information Leakage
In the event of Personal Identifiable Information leakage, a notification
shall be sent to the Resource Policy Discussion mailing list within a day
of the detection of the leakage together with an explanation about the
nature and extent of the leakage.
Regards,
S. Moonesamy
_______________________________________________
rpd mailing list
rpd at afrinic.net
https://lists.afrinic.net/mailman/listinfo.cgi/rpd