This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ncc-services-wg@ripe.net/
[ncc-services-wg] personal data in the NCC
- Previous message (by thread): [ncc-services-wg] personal data in the NCC
- Next message (by thread): [ncc-services-wg] personal data in the NCC
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
David Monosov
davidm at futureinquestion.net
Wed Oct 20 17:03:49 CEST 2010
Dear Andrew, In your e-mail, you state: > > As a registry, the RIPE NCC has a mandate to ensure the accuracy of our > registration data. Verifying the identity of LIR representatives is directly > relevant to this mandate. > It is however my understanding that the question of Mr. Myasoedov relates to PI resources assigned to end users through the LIR in which he is a representative, where the end user is an organization, and the requested personal identification documents were required for the representatives of the end user organization, rather than the LIR itself. The intention of the RIPE NCC to not only collect personal identification documents from representatives of organizational end users, but to externalize this burden to individual LIRs which process PI requests on behalf of end users was not apparent from proposal 2007-01, nor from subsequent operational discussions on its implementation. Instead, it was understood, and has previously been the operational reality, that organizational users will submit a certificate of incorporation or similar document attesting the organization's existence under the laws of their country of origin, and a contract which meets the requirements outlined in policy proposal 2007-01. Could you please elaborate on the circumstances which required this deviation from the standard operational procedure and the situations in which this new condition will be invoked? Such unannounced changes can be very disruptive to an established administrative workflow between a LIR and its end users if imposed suddenly, and while I am certain that the RIPE NCC is acting with the goal of improving accountability in resource assignment, a balance must be maintained between the mandate the community has granted the RIPE NCC with the introduction of policy 2007-01, and its ability to spontaneously introduce new administrative conditions to resource assignment. -- Respectfully yours, David Monosov On 10/20/2010 03:11 PM, Andrew de la Haye wrote: > Dear Sergey, > > Thank you for your email. All personal data obtained by the RIPE NCC is handled > in accordance with Dutch law and European Union data protection legislation, as > required for an organisation operating in the Netherlands. > > The RIPE NCC Privacy Statement is publicly available on the RIPE website, and > describes the situations in which personal data may be requested and the RIPE > NCC's responsibilities when handling such data: > http://www.ripe.net/legal/privacy-statement.html > > Please note the following sections: > - "Except as described herein or when under a statutory duty to do so, the RIPE > NCC does not share or transfer any personal data." [Section 2.1] > - "The RIPE NCC maintains a high level of physical security and protection for > all its computer and network facilities, and, in particular, for those in which > personal information may be stored." [Section 3] > > As a registry, the RIPE NCC has a mandate to ensure the accuracy of our > registration data. Verifying the identity of LIR representatives is directly > relevant to this mandate. > > I hope this clarifies the RIPE NCC's position in relation to this matter. > > Best regards, > > Andrew de la Haye > Chief Operations Officer, RIPE NCC > > > > > > On Oct 20, 2010, at 11:25 AM, Sergey Myasoedov wrote: > >> Hello, >> >> I would like to talk about personal data protection. After the audit process, >> NCC demands >> that we send them, together with the contract, the ID of person who signs the >> End User >> assignment contract (even if the contract is signed by a person on behalf of >> company). >> >> It seems strange: the CEO of company that wants IP resources signs the >> contract, probably >> stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no >> choice on such >> operations - we should request ID or RIPE NCC will not assign resources for >> our customers. >> >> Even more, RIPE NCC requires scans of ID, and this action violates local laws >> in some >> countries (for example, CZ or RU). In Russia, personal data can be processed >> only after a >> special agreement (except some cases mentioned in the law), but we will send >> the ID images >> without any special agreements to the NCC. >> >> I tried to find some statements on data protection in the RIPE NCC or on any >> guarantee of >> confidentiality, but no such information found in the standard service >> agreement or any >> policy documents. >> >> On these grounds, I would like to initiate a change. RIPE NCC should have data >> protection >> procedures or RIPE NCC should not request personal IDs of third parties. >> >> >> -- >> Sergey >> >
- Previous message (by thread): [ncc-services-wg] personal data in the NCC
- Next message (by thread): [ncc-services-wg] personal data in the NCC
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]