Personal Data in the RIPE Database
You're looking at an older version: 2
The current (published) version is 3
- State: Withdrawn
- Publication date
- Draft document: Draft
- Author
- Proposal Version: 3.0 - 06 Oct 2022
- All Versions
- Withdrawn: 17 Nov 2022
- Working Group: Database Working Group
- Mailing List: Database Working Group
- Proposal type: New
- Policy term: Indefinite
Summary of Proposal:
Since the beginning of the RIPE Database, personal data has been entered extensively in PERSON objects as well as in other objects’ attributes in the database, such as email addresses for notifications and postal addresses for resource holders. In those early days little consideration was given to privacy and personal data processing. In almost all cases, personal data is not needed. Now the EU General Data Protection Regulation (GDPR) adds legal constraints on personal data and the justification for its use. The RIPE NCC is the data controller and facilitator of the RIPE Database. The servers providing access to the RIPE Database are operated by the RIPE NCC. The RIPE NCC is a Dutch registered organisation based within the EU. Therefore, the GDPR applies to all the personal data contained within the RIPE Database, regardless of where the data subject is located.
In almost all situations, there is no justification for publishing any personal data in the RIPE Database. This policy proposal outlines data that should be used in areas where personal data has been used in the past. All contacts must be documented as roles. There is no need for documenting personal information about any contacts in the database.
Policy Text:
Abstract
This policy arises from the need for the RIPE Database to avoid the publishing of unnecessary personal data. Personal data must not be entered into the RIPE Database unless this can be justified according to the acknowledged purposes of the RIPE Database. The three most significant purposes, defined in the Terms & Conditions, that could be considered as requiring personal data are:
- Ensuring the uniqueness of Internet number resource usage through registration of information related to the resources and Registrants.
- Facilitating coordination between network operators (network problem resolution, outage notification, etc.).
- Providing information about the Registrant and Maintainer of Internet number resources when the resources are suspected of being used for unlawful activities to parties who are authorised under the law to receive such information.
For the first purpose, this information can mostly be business details rather than personal information. Only in the case of a resource holder being a natural person, who may be operating from their home address, is personal data involved.
For contact with network operators, no personal information is necessary.
To investigate unlawful activities, the identity of holders of resources and address blocks is needed by the investigating authorities. A valid address of some form could be helpful.
Although it is generally considered justified to enter personal information if the data subject has given their consent, it should be noted what the RIPE Database is. This is a public database. It is available globally to anyone who has an Internet connection. Once you publish any information in this database, it is public data. The full details of that data may be downloaded and copied by many people. Anyone who is concerned about privacy should not consent to their personal data being published in this database. Once it is published, it is too late to worry about privacy. It is already out there: it is public, and it may have been copied and is therefore impossible to take back. This is the reality of the Internet, and even if there is a right to be forgotten, there is no means of being forgotten once you have broadcast your personal data in public.
An open, public database has no privacy protection for personal data once it has been published. A PUBLIC database is accessible by everyone. This is one of the many reasons why the RIPE Database should not publish any personal data unless it is essential to fulfil the purposes of the database.
This policy sets out the principles governing the publishing of personal data in the RIPE Database. These principles must be applied to all personal data published in the database by all data maintainers.
1.0 Organisations
The RIPE Database is a global, publicly available registry of the legal entities and natural persons holding and using Internet resources in the RIPE region.
The information held in the database about these organisations may include:
- name
- postal address
- phone number
- fax number
- several email addresses
- several contact references
The name of the organisation (which may be the personal data of a natural person) holding an Internet resource or managing part of an Internet resource, for example a sub-allocation, or using a block of addresses, is an essential part of the public registry. This identification is one of the principal purposes of the database. Any valid address could be helpful. Different types of addresses can be considered including postal addresses. The name and address of a natural person holding or using a resource and operating from a home address are the only personal data that can be justified to be published in the RIPE Database, provided there is documentary evidence held by the RIPE NCC, or a sponsoring LIR, or any resource holder that registered the subject’s details in the RIPE Database, that the natural person has consented to their name and address being published in this public registry. This consensual identification is a requirement of the public registry for holding an Internet resource or managing or using part of an Internet resource.
A postal address may optionally be added by the resource holder or manager. Where the resource holder, manager or user is a natural person, the parts of any type of address more specific than country and region must not be entered in any object attribute.
The phone numbers, fax numbers and email addresses must not include any personal data for any form of organisation.
Any email and phone details entered into the database must be verified as held by the referencing organisation.
2.0 Contacts
There are several types of contacts listed in the RIPE Database. These include:
- technical
- administrative
- abuse
- zone
- route ping
The information historically held in the database about these contacts includes:
- name
- postal address
- phone number
- fax number
- several email addresses
Phone numbers, fax numbers and email addresses must not include any personal data for any form of contact and must be verified when entered. The name of a contact should reflect the role(s) this contact has within the organisation. It must not be the name of a person. There is no need to publish any form of address for a contact. Contact details must be documented in the database as roles, not as persons. Contacts must only be entered into the database if they can fulfil a role for one of the acknowledged types of contacts according to the purposes of the RIPE Database.
Contacts must be contactable. There must be at least one verified method of contact included for each role.
3.0 Notifications
All mandatory and optional notifications currently defined in the RIPE Database use email as the notification mechanism. Other mechanisms may be introduced in the future. Personal data must not be included in any notification details documented in the RIPE Database.
4.0 Verification
Email addresses added as contact details and all phone and fax numbers entered into the RIPE Database must be verified. Updates to database objects will fail if the verification fails. If existing contact emails and phone numbers fail to be verified, the RIPE NCC will follow up in compliance with relevant RIPE Policies and RIPE NCC procedures. No one should be able to enter the email address or phone number of another organisation without its permission.
5.0 Compliance
It is not sufficient to have this policy in place and assume all resource holders and users have read, understood and are in compliance with the policy. All organisations holding resources allocated or assigned by the RIPE NCC, or documented in the RIPE Database, must sign a declaration that they have read and understood this policy and that either all the data for their organisation and resources contained in the RIPE Database is fully compliant with this policy or that they are working towards full compliance. If they are working towards compliance, the RIPE NCC will follow up in accordance with relevant RIPE Policies and RIPE NCC procedures. For any new organisation that becomes a member of the RIPE NCC and either requests resources from the RIPE NCC or receives them in a transfer, this declaration must be included in their membership contract with the RIPE NCC, and they must be fully compliant.
6.0 Legacy
This policy applies to all organisations and Internet resources documented in the RIPE Database, including legacy resources under a direct or indirect contractual relationship with the RIPE NCC.
Rationale:
GDPR has been in force for several years, and there were other privacy protections before that. We are still living with the mindset that personal data is, for some reason, needed in the RIPE Database. In most situations, it is simply not necessary to fulfil the defined purposes of the database. Contacts are intended to address specific types of issues, such as administrative, technical or abuse issues. These contacts do not need to be natural persons. Rather, they must be business roles. The natural persons behind those roles do not need to be identified for the purposes of the database. We need to move away from the mindset of personally identifying people.
There are still around two million personal data sets contained in the RIPE Database in PERSON objects and potentially large amounts of personal data referenced in ORGANISATION and resource objects and as notifications. Some ROLE objects also contain personal data. The amount of personal data contained in the database is still growing over time. This policy addresses the issue directly. The main purposes of the RIPE Database, a public registry of holders and users of Internet resources, facilitating contact between operators and administrators of networks using these resources and identifying bad actors, can be achieved without the need for personal data in almost all situations. The purposes of the RIPE Database have evolved over time and will continue to do so. Any new purpose attached to the database should keep the amount of personal data required to be publicly available to a minimum and justify any collection, storage and use of personal data in the RIPE Database.
When you also factor in that publishing personal data in a PUBLIC database is an irreversible step, maintainers of this data should seriously avoid entering it unless it is necessary.
This policy proposal outlines the principles for processing personal data in the RIPE Database. How these principles are turned into objectives to apply to the database and all the data maintainers is outside the scope of the proposal. A migration plan and any detailed technical changes necessary should be discussed in a follow-up to this proposal if approved.
a. Arguments Supporting the Proposal
- It is a legal requirement under GDPR that all personal data in the RIPE Database complies with the evolving purposes of the database.
- These changes do not affect the references in address policies to registration and contact data.
- The proposal acknowledges the consequences of entering personal data into a public database.
b. Arguments Opposing the Proposal
- Achieving full compliance for all existing data contained within the RIPE Database may require follow-up contact by the RIPE NCC with many organisations holding resources to adjust data and verify compliance. This could result in a project running over a number of years.