[AFRINIC-rpd] Regional Internet Registry Privacy - AFPUB-2012-GEN-002-draft-02

[sm+afrinic at elandsys.com]

Name: S. Moonesamy
Email: sm+afrinic at elandsys.com
Date: 16 November, 2012
Reference: AFPUB-2012-GEN-002-draft-02

Title: Regional Internet Registry Privacy

Summary

Privacy is the ability of an individual to be left alone, out of public view,
and in control of information about oneself.  This document specifies the
privacy policy for the Regional Internet Registry handling Internet number
resources in the AfriNIC service region.

1. Introduction

Privacy is the ability of an individual to be left alone, out of public view,
and in control of information about oneself.  AfriNIC, as a Regional Internet
Registry, manages and administers Internet number resources for the AfriNIC
service region.  It publishes information about Internet number resources on
the Internet.  This document specifies the privacy policy for the Internet
Registry.

Any restriction mentioned in this document is not applicable to data which
is publicly available, e.g. data provided through a service accessible
anonymously over the Internet.

2. Personal Data

Personal Data shall mean any information relating to an identified or
identifiable natural person ("data subject"); an identifiable person is one
who can be identified directly or indirectly, in particular by reference to
an identification number or one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity.

3. Data Minimization

The principle of data minimization has been adopted to limit the collection
and/or transfer of Personal Data to what is directly relevant and necessary
for specified, explicit and legitimate purposes.  Information about whether
any data is adequate, relevant and not excessive in relation to the purposes
for which it is collected and/or transferred shall be made available to any
person who is part of the Policy Development Working Group for the AfriNIC
service region.

The Regional Internet Registry shall not collect under any circumstances
Personal Data from an applicant of Internet number resources which can be
used to identify more than a quarter of the users to which an applicant has
allocated IP address space.  This is a maximum amount and not guidance about
the amount of data considered as excessive.

3.1. Data Retention

The retention period for Personal Data is six months.  Personal Data
necessary for financial purposes; e.g. billing, can be retained for up to
twelve months after the end of a Registration Service Agreement.

Personal Data published for Internet number resources allocations or
assignments can be retained for the historical record if the data was
publicly available for at least a month.

3.2. Transfer of Personal Data

Personal Data cannot be transferred to another country unless there is a
publicly available assessment of:

  (a) the nature of the Personal Data

  (b) the purpose and duration of the proposed processing of the
      Personal Data

  (c) the country of origin and country of final destination

  (d) the rules of law in force in the country in question

  (e) any relevant rules and security measures which are complied with
      in that country

4. Personal Data Transfer Register

A Personal Data Transfer Register will be maintained with the following
information:

   (a) date of transfer of the Personal Data

   (b) nature of the Personal Data

   (c) purpose of the proposed processing of the Personal Data

   (d) country of origin and country of final destination

The Personal Data Transfer Register shall be published through a service
accessible anonymously over the Internet.  Personal Data required for
financial purposes is exempted from publication.

5. Personal Data Leakage

In the event of Personal Data leakage, a notification shall be sent to the
Resource Policy Discussion mailing list within a day of the detection of the
leakage together with an explanation about the nature and extent of the
leakage.