Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[rpd] Internet Number Resources review

serge ilunga sergekbk at gmail.com
Sun Dec 11 16:52:22 UTC 2016 

Hello SM / Kris,



1.         Est-ce légal qu’AfriNIC procède à l’audit et à la récupération
des ressources? Oui.

2.         L’exigence de faire l’audit en toute transparence
constitue-t-elle un risque de violation du NDA ?

Nous ne pensons pas que ça soit le cas car les informations échangées ne
sont pas mises sur la place publique et sont manipulées exclusivement  par
AfriNIC.

3.         La publication du rapport : celle-ci ne constitue pas un risque
de violation du NDA les données personnelles ne sont pas publiées et la
version actuelle de la proposition n’impose pas de les publier. Pour éviter
toute équivoque, nous nous proposons de spécifier clairement dans la
section 3.6  de ne pas publier les données personnelles pour ne pas violer
le NDA.

En rapport avec la DPA, est-ce le modèle de rapport proposé sur la liste  et
présenté sous [1] expose t’il a une violation quelconque ?

Si oui quel type de données y contribue ?





Bien cordialement.





[1]

Description of "members” in AFRINIC context may at some points looks like:

A- How many members have been reviewed :

 - By type:  LIR, End-users, etc…

 - By Category:  Extralarge, Large, Medium, small, etc…

B- Type of ressources involved:  ASN, IPv4 ,IPv6

C- Level of compliance

On Sun, Dec 11, 2016 at 3:55 PM, Kris Seeburn <seeburn.k at gmail.com> wrote:

> People,
>
> You may want to note that afrinic staff review already stated these:
>
>
>    - *The requirement that the review be conducted with "full
>    transparency" may be in conflict with privacy provisions in NDAs, in the
>    RSA, or in law.*
>    - *The requirement to publish a "compliance report" may be in conflict
>    with privacy provisions in NDAs, in the RSA, or in law.*
>
> I’ve already voiced that there be a revisit to this policy differently but
> i think pointing this in the DPA should be noted. Unless the NDA and RSA
> are modified to state that there is no confidentiality…. If that is the
> case.
>
> These may help guide all. The data controller is an appointed staff of
> afrinic. Whether we state Mauritian law or else the NDA. In essence we need
> to note what is Public information and what is Private and confidential
> information.
>
>
>
> *29.            Unlawful disclosure of personal data*
>
> (1) Any *data* controller who, without lawful excuse, discloses personal
> *data* in any manner that is incompatible with the purposes for which
> such *data* has been collected shall commit an offence.
>
> (2) Any *data* processor who, without lawful excuse, discloses personal
> *data* processed by him without the prior authority of the *data*
> controller on whose behalf such *data* is or has been processed shall
> commit an offence.
>
> (3) Subject to subsection (4), any person who -
>
> (a) obtains access to personal *data*, or obtains any information
> constituting such *data*, without prior authority of the *data*
> controller or *data* processor by whom such *data* is kept; and
>
> (b) discloses the *data* or information to another person,
>
>                    shall commit an offence.
>
> (4) Subsection (3) shall not apply to a person who is an employee or agent
> of a *data* controller or processor and is *act*ing within his mandate.
>
> (5) Any person who offers to sell personal *data* where such personal
> *data* has been obtained in breach of subsection (1) shall commit an
> offence.
>
> (6) For the purposes of subsection (5), an advertisement indicating that
> personal *data* is or may be for sale, constitutes an offer to sell the
> personal *data*.
>
>
> further reading:
>
> *31.            Transfer of personal data*
>
> (1)               Subject to subsection (2), no *data* controller shall,
> except with the written authorisation of the Commissioner, transfer
> personal *data* to another country.
>
> (2)               The Eighth *data* *protection* principle specified in
> the First Schedule shall not apply where –
>
> (a)               the *data* subject has given his consent to the
> transfer;
>
> (b)               the transfer is necessary –
>
> (i)                  for the performance of a contr*act* between the
> *data* subject and the *data* controller, or for the taking of steps at
> the request of the *data* subject with a view to his entering into a contr
> *act* with the *data* controller;
>
> (ii)                for the conclusion of a contr*act* between the *data*
> controller and a person, other than the *data* subject, which is entered
> at the request of the *data* subject, or is in the interest of the *data*
> subject, or for the performance of such a contr*act*;
>
> (iii)               in the public interest, to safeguard public security
> or national security.
>
> (c)               the transfer is made on such terms as may be approved
> by the Commissioner as ensuring the adequate safeguards for the
> *protection* of the rights of the *data* subject.
>
> (3)               For the purpose of subsection (2)(c), the adequacy of
> the level of *protection* of a country shall be assessed in the light of
> all the circumstances surrounding the *data* transfer, having regard in
> particular to -
>
> (a)               the nature of the *data*;
>
> (b)               the purpose and duration of the proposed processing;
>
> (c)               the country of origin and country of final destination;
>
> (d)               the rules of law, both general and sectoral, in force
> in the country in question; and
>
> (e)               any relevant codes of conduct or other rules and
> security measures which are complied with in that country.
>
> *Amended by [Act No. 14 of 2009
> <http://supremecourt.intnet.mu/Main/GetDoc.asp?Doc_Title=Act+No.+14+of+2009&Mode=Html&Search=No>]*
>
>
> We need to see a balance and decide properly. I would like to say that i
> am not taking sides but we need to understand to what extent things can and
> cannot be reported. The mauritius DPA takes precedence from the EU Act. But
> still an NDA binds the resource member and afrinic within the binds of a
> legal clause of confidentiality that any member can recall and use against
> afrinic.
>
> However, i am sure if we keep to a brief as i said X number of applicants
> received and Y numbers not accepted  may be still fine but category etc.,
> may already lead to guesswork and this may again lead to legal hassle. A
> compliance report as per the current state of proposal releases too much
> information already.
>
>
> Further the RIPE NCC policy:
>
> If you are referring to RiPE NCC policy:
>
> RIPE NCC Audit Activity
> ...
>
> [Message clipped]
> _______________________________________________
> RPD mailing list
> RPD at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/rpd
>
>


-- 
*Serge ILUNGA KABWIKA*
*Skype: sergekbk*
*Cell: +243814443160*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20161211/b2379e07/attachment-0001.html>

More information about the RPD mailing list