Draft of Personal Data in the RIPE Database
How to read this draft document:
This document relates to RIPE policy proposal 2022-01, "Personal Data in the RIPE Database". If approved, it will be published as a new RIPE Document.
Summary of Proposal:
This policy sets out the principles governing the publication of personal data in the RIPE Database.
Policy Text:
Abstract
This policy arises from the need for the RIPE Database to avoid the publication of unnecessary personal data. Personal data must not be entered into the RIPE Database unless it can be justified according to the acknowledged purposes of the RIPE Database. The three most significant purposes, defined in the Terms & Conditions, that could be considered as requiring personal data are:
- Ensuring the uniqueness of Internet number resource usage through registration of information related to the resources and Registrants
- Facilitating coordination between network operators (network problem resolution, outage notification, etc.)
- Providing information about the Registrant and Maintainer of Internet number resources when the resources are suspected of being used for unlawful activities to parties who are authorised under the law to receive such information
For the first purpose, this information can mostly be business details rather than personal information. Only in the case of a resource holder being a natural person, who may be operating from their home address, is personal data involved.
For contact with network operators, no personal information is necessary.
To investigate unlawful activities, the identity of holders of resources and address blocks is needed by the investigating authorities. A valid address of some form could be helpful.
Although it is generally considered justified to enter personal information if the data subject has given their consent, it should be noted what the RIPE Database is. This is a public database. It is available globally to anyone who has an Internet connection. Once you publish any information in this database, it is public data. The full details of that data may be downloaded and copied by many people. Anyone who is concerned about privacy should not consent to their personal data being published in this database. Once it is published, it is too late to worry about privacy. It is already out there: it is public, and it may have been copied and is therefore impossible to take back. This is the reality of the Internet, and even if there is a right to be forgotten, there is no means of being forgotten once you have broadcast your personal data in public.
An open, public database has no privacy protection for personal data once it has been published. A PUBLIC database is accessible by everyone. This is one of the many reasons why the RIPE Database should not publish any personal data unless it is essential to fulfil the purposes of the database.
This policy sets out the principles governing the publication of personal data in the RIPE Database. These principles must be applied to all personal data published in the database by all data maintainers.
Content
1.0 Organisations
2.0 Contacts
3.0 Notifications
4.0 Verification
5.0 Compliance
6.0 Legacy
1.0 Organisations
The RIPE Database is a global, publicly available registry of the legal entities and natural persons holding and using Internet resources in the RIPE region.
The information held in the database about these organisations may include:
- Name
- Postal address
- Phone number
- Fax number
- Several email addresses
- Several contact references
The name of the organisation (which may be the personal data of a natural person) holding an Internet resource or managing part of an Internet resource, for example a sub-allocation, or using a block of addresses, is an essential part of the public registry. This identification is one of the principal purposes of the database. Any valid address could be helpful. Different types of addresses can be considered including postal addresses. The name and address of a natural person holding or using a resource and operating from a home address are the only personal data that can be justified to be published in the RIPE Database, provided there is documentary evidence held by the RIPE NCC, or a sponsoring LIR, or resource holder that registered the subject’s details in the RIPE Database, that the natural person has consented to their name and address being published in this public registry. This consensual identification is a requirement of the public registry for holding an Internet resource or managing or using part of an Internet resource.
A postal address may optionally be added by the resource holder or manager. Where the resource holder, manager or user is a natural person, the parts of any type of address more specific than country and region must not be entered in any object attribute.
The phone numbers, fax numbers and email addresses must not include any personal data for any form of organisation.
The holder of any contact email address and phone number must be aware of the registration and publication of these contact details in the RIPE Database and will be required to verify that they are the holder of these contact details.
2.0 Contacts
There are several types of contacts listed in the RIPE Database. These include:
- Technical
- Administrative
- Abuse
- Zone
- Route ping
The information historically held in the database about these contacts includes:
- Name
- Postal address
- Phone number
- Fax number
- Several email addresses
Phone numbers, fax numbers and email addresses must not include any personal data for any form of contact. Phone numbers and contact email addresses must be verified when entered. The name of a contact should reflect the role(s) this contact has within the organisation. There is no need to publish any form of address for a contact. Contact details must be documented in the database as roles, not as people. Contacts must only be entered into the database if they can fulfil a role for one of the acknowledged types of contacts according to the purposes of the RIPE Database. There must be at least one verified method of contact included for each role.
3.0 Notifications
All mandatory and optional notifications currently defined in the RIPE Database use email as the notification mechanism. Other mechanisms may be introduced in the future. Personal data must not be included in any notification details documented in the RIPE Database.
4.0 Verification
Email addresses added as contact details and all phone numbers entered into the RIPE Database must be verified. Updates to database objects will fail if the verification fails. If existing contact emails and phone numbers fail to be verified, the RIPE NCC will follow up in compliance with relevant RIPE Policies and RIPE NCC procedures. No one should be able to enter the email address or phone number of another organisation without its permission. Fax numbers will not be verified.
5.0 Compliance
It is not sufficient to have this policy in place and assume all resource holders and users have read, understood and are in compliance with the policy. All organisations holding resources allocated or assigned by the RIPE NCC, or documented in the RIPE Database, must sign a declaration that they have read and understood this policy and that either all the data for their organisation and resources contained in the RIPE Database is fully compliant with this policy or they are working towards full compliance. If they are working towards compliance, the RIPE NCC will follow up in accordance with relevant RIPE Policies and RIPE NCC procedures. For any new organisation that becomes a member of the RIPE NCC and either requests resources from the RIPE NCC or receives them in a transfer, this declaration must be included in their membership contract with the RIPE NCC, and they must be fully compliant.
6.0 Legacy
This policy applies to all organisations and Internet resources documented in the RIPE Database, including legacy resources under a direct or indirect contractual relationship with the RIPE NCC.