[dp-tf] Authorization to publish personal data in the DB (was Re: [dp-tf] Quadlogy of person proposals)
Janos Zsako zsako at 3c-hungary.hu
Thu Jun 14 17:23:29 CEST 2007
Dear Larisa, Let me understand correctly what you say. You are saying that we may not invent new authorization rules, as these are laid down by the law already (and may not be changed). I think this (inventing new rules) is not what Manfredo (or I) suggested. What I said is that by some contract/agreement with the data maintainer (from RIPE DB point of view) we can make sure that personal data is not entered in the RIPE database without proper authorization (i.e. without the authorization required by the law, whatever that may be). Should a problem occur (e.g. the person complains, or the authorities ask for evidence of the authorization) then the RIPE NCC, based on the abovementioned contract can ask the maintainer to provide such evidence. If this is not available, based on the contract terms, the RIPE NCC may delete the illegal data (and may take further steps, like withdrawing the right of that particular maintainer to put data in the database, if such a clause exists in the contract). This is why it is important to have this contract/agreement in place with the data maintainer. I hope this clarifies the situation. Best regards, Janos >>>So we've to return back in the task. Until we can get the appropriate >>>authorization, we cannot publish any personal data. We need not to stop >>>people to write into the database, even if this is not safe, but we >>>do_need to stop people to read from the database what (any data) not >>>properly authorized. >> > > I wonder what authorization is from the point of view of the law. > > In Russian DP act it is said, any personal data cannot be published without written > consent of the data subject. The 'written consent' consists of 6 points > including (besides name-address-tel etc) passport No with date of issue, aim of > processing data, list of data which can be processed, list of operations the data > should undergo, terms of the consent given. > > Had it been said that written consent could be replaced by authorization scheme, > it would be OK. But it had not. > > > >>Correct. This is what may eventually happen in the worst case, if DP >>people (authorities) ask us to do that. >> >>However, I do not think we should target to have this kind of behaviour, >>as this would render the RIPE DB useless, like a Write Only memory. :) >> >>Best regards, >>Janos >> >> > > > > With respect, > Larisa Yurkina > --- > RIPN Registry center > ----- > > > > > > >
[ dp-tf Archives ]