[dp-tf] Authorization to publish personal data in the DB (was Re: [dp-tf] Quadlogy of person proposals)
Larisa A. Yurkina ula at ripn.net
Fri Jun 15 12:07:31 CEST 2007
On Thu, 14 Jun 2007, Janos Zsako wrote:

> Dear Larisa,

Dear Janos,

thanks for your detailed explanation.

>
> Let me understand correctly what you say.
>
> You are saying that we may not invent new authorization rules,
> as these are laid down by the law already (and may not be changed).
>

Perhaps I was inexact in expression, I'm sorry. I didn't mean anything like that.
On the contrary, protecting personal data you care about is exactly what is needed
for the RIPE db to comply with the relevant Directive (art. 17, 'Security of processing').
Of course person object should be maintained properly, no doubt. But not only that.

What I do care about is another aspect, see article 6 (1):

   1. Member States shall provide that personal data must be:
   (a) processed fairly and lawfully;

To be 'fairly' pd should be protected, data subject should have access to his data
for update etc. But to be 'lawfully' it should be processed and used exactly as the law says.
Otherwise data controller's right to process data might appear disputable.
To avoid that, I try to find if the 'written permission' could be equal to authorization,
mntner etc., maybe some other law could be applied here, for example, 'electronic signature' act.

Maybe somebody could advise something here?

> I think this (inventing new rules) is not what Manfredo (or I) suggested.
>
> What I said is that by some contract/agreement with the data maintainer
> (from RIPE DB point of view) we can make sure that personal data is not
> entered in the RIPE database without proper authorization (i.e. without
> the authorization required by the law, whatever that may be).
>
> Should a problem occur (e.g. the person complains, or the authorities
> ask for evidence of the authorization) then the RIPE NCC, based on the
> abovementioned contract can ask the maintainer to provide such evidence.
> If this is not available, based on the contract terms, the RIPE NCC
> may delete the illegal data (and may take further steps, like withdrawing
> the right of that particular maintainer to put data in the database, if
> such a clause exists in the contract).
>
> This is why it is important to have this contract/agreement in place
> with the data maintainer.
>
> I hope this clarifies the situation.
>
> Best regards,
> Janos
>

With respect,
Larisa Yurkina
---
RIPN Registry center
-----

>
> >>>So we've to return back in the task. Until we can get the appropriate
> >>>authorization, we cannot publish any personal data. We need not to stop
> >>>people to write into the database, even if this is not safe, but we
> >>>do_need to stop people to read from the database what (any data) not
> >>>properly authorized.
> >>
> >
> > I wonder what authorization is from the point of view of the law.
> >
> > In Russian DP act it is said, any personal data cannot be published without written
> > consent of the data subject. The 'written consent' consists of 6 points
> > including (besides name-address-tel etc) passport No with date of issue, aim of
> > processing data, list of data which can be processed, list of operations the data
> > should undergo, terms of the consent given.
> >
> > Had it been said that written consent could be replaced by authorization scheme,
> > it would be OK. But it had not.
> >
> >>Correct. This is what may eventually happen in the worst case, if DP
> >>people (authorities) ask us to do that.
> >>
> >>However, I do not think we should target to have this kind of behaviour,
> >>as this would render the RIPE DB useless, like a Write Only memory. :)
> >>
> >>Best regards,
> >>Janos
> >>
> >
> > With respect,
> > Larisa Yurkina
> > ---
> > RIPN Registry center
> > -----