Personal Data in the RIPE Database
You're looking at an older version: 1
The current (published) version is 3- State:
- Withdrawn
- Publication date
- Draft document
- Draft
- Author
- Proposal Version
- 3.0 - 06 Oct 2022
- All Versions
-
- Withdrawn
- 17 Nov 2022
- Working Group
- Database Working Group
- Mailing List
- Database Working Group
- Proposal type
-
- New
- Policy term
- Indefinite
Summary of Proposal:
Since the beginning of the RIPE Database, personal data has been entered extensively in PERSON objects as well as in other object’s attributes in the database, such as email addresses for notifications and postal addresses for resource holders. In those early days little consideration was given to privacy and personal data processing. In almost all cases, personal data is not needed. Now the EU General Data Protection Regulation (GDPR) adds legal constraints on personal data and the justification for its use. The RIPE NCC is the data controller and facilitator of the RIPE Database. The servers providing access to the RIPE Database are operated by the RIPE NCC. The RIPE NCC is a Dutch registered organisation based within the EU. Therefore, the GDPR applies to all the personal data contained within the RIPE Database, regardless of where the data subject is located.
In almost all situations there is no justification for publishing any personal data in the RIPE Database. This policy proposal outlines data that should be used in areas where personal data has been used in the past. All contacts must be documented as roles. There is no need for documenting information about any contact persons in the database.
Policy Text:
Abstract
This policy arises from the need for the RIPE Database to avoid the publishing of unnecessary personal data. Personal data must not be entered into the RIPE Database unless this can be justified according to the acknowledged purposes of the RIPE Database. The two most significant purposes that could be considered as requiring personal data are:
- Ensuring the uniqueness of Internet number resource usage through registration of information related to the resources and Registrants.
- Facilitating coordination between network operators (network problem resolution, outage notification etc.).
For the first purpose, this information can mostly be business details rather than personal information. Only in the case of a resource holder being a natural person, or a resource holder operating from the home address of a natural person, is personal data involved.
For contacts relating to either of these purposes, no personal information is necessary.
Although it is generally considered justified to enter personal information if the data subject has given their consent, it should be noted what the RIPE Database is. This is a public database. It is available globally to anyone who has an Internet connection. Once you publish any information in this database it is public data. The full details of that data may be downloaded and copied by many people. Anyone who is concerned about privacy should not consent to their personal data being published in this database. Once it is published it is too late to worry about privacy. It is already out there, it is public and it may have been copied and therefore impossible to take back. This is the reality of the Internet, and even if there is a right to be forgotten, there is no means of being forgotten once you have broadcast your personal data in public.
An open, public database has no privacy protection for personal data once it has been published. A PUBLIC database is accessible by everyone. This is one of the many reasons why the RIPE Database should not contain any personal data unless it is essential to fulfil the purposes of the database.
1.0 Organisations
The RIPE Database is a global, publicly available registry of the legal entities and natural persons holding Internet resources in the RIPE region.
The information held in the database about these organisations includes:
- name
- address
- phone number
- fax number
- several email addresses
- several contact references
The name of the organisation (which may be personal data of a natural person) holding an Internet resource or managing part of an Internet resource, for example a sub-allocation, is an essential part of the public registry. This is one of the principal purposes of the database. The name of a natural person, holding a resource, is the only personal data that can be justified to be published in the RIPE Database, provided there is documentary evidence held by the RIPE NCC, or a sponsoring LIR, or any resource holder that registered the subject’s details in the RIPE Database, that the natural person has consented to their name being published in this public registry. This consent is a requirement of the public registry for holding an Internet resource or managing part of an Internet resource.
A business address for the organisation can be published in the RIPE Database or a personal address for the organisation which is already in the public domain in a national, public, business registry. A personal address that is not already in the public domain must not be published in the RIPE Database. It should be replaced with a remark stating that the address for the organisation is held by whoever entered the organisation details into the RIPE Database and is available only for legitimate purposes. For any organisation where the RIPE NCC has directly allocated or assigned resources to them, the RIPE NCC should hold these address details, for example in their internal, non-public registry database. For organisation's details entered by resource holders into the RIPE Database, for example for sub-allocations, the resource holder should hold these address details. It should be clear in the remark who holds the details.
The phone numbers, fax numbers and email addresses must not include any personal data for any form of organisation.
Any email and phone details entered into the database must be verified as held by the referencing organisation.
2.0 Contacts
There are several types of contacts listed in the RIPE Database. These include:
- technical
- administrative
- abuse
- zone
- route ping
The information historically held in the database about these contacts includes:
- name
- address
- phone number
- fax number
- several email addresses
Phone numbers, fax numbers and email addresses must not include any personal data for any form of contact and must be verified when entered. The name of a contact should reflect the role this contact has within the organisation. It must not be the name of a person. There is no need to hold an address for a contact. Contact details must be documented into the database as roles, not as persons. Contacts must only be entered into the database if they can fulfil a role for one of the acknowledged types of contacts according to the purposes of the RIPE Database.
3.0 Notifications
All mandatory and optional notifications currently defined in the RIPE Database, use email as the notification mechanism. Other mechanisms may be introduced in the future. Personal data must not be included in any notification details documented in the RIPE Database.
4.0 Verification
Email addresses added as contact details and all phone and fax numbers entered into the RIPE Database must be verified. Updates to database objects will fail if the verification fails. If existing contact emails and phone numbers fail to be verified, the RIPE NCC will follow up in compliance with relevant RIPE Policies and RIPE NCC procedures. No one should be able to enter the email address or phone number of another organisation without its permission.
5.0 Compliance
It is not sufficient to have this policy in place and assume all resource holders and users have read, understood and are in compliance with the policy. All organisations holding resources allocated or assigned by the RIPE NCC, or documented in the RIPE Database, must sign a declaration that they have read and understood this policy and that either all the data for their organisation and resources contained in the RIPE Database is fully compliant with this policy or that they are working towards full compliance. If they are working towards compliance, the RIPE NCC will follow up in compliance with relevant RIPE Policies and RIPE NCC procedures. For any new organisation that becomes a member of the RIPE NCC and either requests resources from the RIPE NCC or receives them in a transfer, this declaration must be included in their membership contract with the RIPE NCC and they must be fully compliant.
6.0 Legacy
This policy applies to all organisations and Internet resources documented in the RIPE Database, including legacy resources under direct or indirect contractual relationship with the RIPE NCC.
Rationale:
GDPR has been in force for several years, and there were other privacy protections before that. We are still living with a mindset that personal data is, for some reason, needed in the RIPE Database. In most situations it is simply not necessary to fulfil the defined purposes of the database. Contacts are defined by the purposes to be able to address specific types of issues. For example, administrative, technical or abuse issues. These contacts do not need to be natural people. They must be business roles. The natural people behind those roles do not need to be identified to fulfil the purposes of the database. We need to change this mindset away from personally identified people.
There are still around two million personal data sets contained in the RIPE Database in PERSON objects and potentially large amounts of personal data referenced in ORGANISATION objects and as notifications. Some ROLE objects also contain personal data. The amount of personal data contained in the database is still growing over time. This policy addresses the issue directly. The main purposes of the RIPE Database, a public registry of holders and users of Internet resources and facilitating contact between operators and administrators of networks using these resources, can be achieved without the need for personal data in almost all situations. The purposes of the RIPE Database have evolved over time and will continue to do so. Any new purpose attached to the database should keep the amount of personal data required to be publicly available to a minimum and justify any collection, storage and use of personal data in the RIPE Database.
When you also factor in that publishing personal data in a PUBLIC database is an irreversible step, maintainers of this data should seriously avoid entering it unless it is necessary.
a. Arguments Supporting the Proposal
- It is a legal requirement with GDPR, that all personal data in the RIPE Database complies with the evolving purposes of the database.
- These changes don't affect the references in address policies to registration and contact data.
- The proposal acknowledges the consequences of entering personal data into a public database.
b. Arguments Opposing the Proposal
- Achieving full compliance for all existing data contained within the RIPE Database may require follow up contact by the RIPE NCC with many organisations holding resources to adjust data and verify compliance. This could result in a project running over a number of years.