[ncc-services-wg] personal data in the NCC

Dear Andrew,

In your e-mail, you state:

>
> As a registry, the RIPE NCC has a mandate to ensure the accuracy of our
> registration data. Verifying the identity of LIR representatives is directly
> relevant to this mandate.
>

It is however my understanding that the question of Mr. Myasoedov relates to PI
resources assigned to end users through the LIR in which he is a representative,
where the end user is an organization, and the requested personal identification
documents were required for the representatives of the end user organization,
rather than the LIR itself.

The intention of the RIPE NCC to not only collect personal identification
documents from representatives of organizational end users, but to externalize
this burden to individual LIRs which process PI requests on behalf of end users
was not apparent from proposal 2007-01, nor from subsequent operational
discussions on its implementation.

Instead, it was understood, and has previously been the operational reality,
that organizational users will submit a certificate of incorporation or similar
document attesting the organization's existence under the laws of their country
of origin, and a contract which meets the requirements outlined in policy
proposal 2007-01.

Could you please elaborate on the circumstances which required this deviation
from the standard operational procedure and the situations in which this new
condition will be invoked?

Such unannounced changes can be very disruptive to an established administrative
workflow between a LIR and its end users if imposed suddenly, and while I am
certain that the RIPE NCC is acting with the goal of improving accountability in
resource assignment, a balance must be maintained between the mandate the
community has granted the RIPE NCC with the introduction of policy 2007-01, and
its ability to spontaneously introduce new administrative conditions to resource
assignment.

--
Respectfully yours,

David Monosov


On 10/20/2010 03:11 PM, Andrew de la Haye wrote:
> Dear Sergey,
> 
> Thank you for your email. All personal data obtained by the RIPE NCC is handled
> in accordance with Dutch law and European Union data protection legislation, as
> required for an organisation operating in the Netherlands.
> 
> The RIPE NCC Privacy Statement is publicly available on the RIPE website, and
> describes the situations in which personal data may be requested and the RIPE
> NCC's responsibilities when handling such data:
> http://www.ripe.net/legal/privacy-statement.html
> 
> Please note the following sections:
> - "Except as described herein or when under a statutory duty to do so, the RIPE
> NCC does not share or transfer any personal data." [Section 2.1]
> - "The RIPE NCC maintains a high level of physical security and protection for
> all its computer and network facilities, and, in particular, for those in which
> personal information may be stored." [Section 3]
> 
> As a registry, the RIPE NCC has a mandate to ensure the accuracy of our
> registration data. Verifying the identity of LIR representatives is directly
> relevant to this mandate.
> 
> I hope this clarifies the RIPE NCC's position in relation to this matter.
> 
> Best regards,
> 
> Andrew de la Haye
> Chief Operations Officer, RIPE NCC
> 
> 
> 
> 
> 
> On Oct 20, 2010, at 11:25 AM, Sergey Myasoedov wrote:
> 
>> Hello,
>>
>> I would like to talk about personal data protection. After the audit process,
>> NCC demands
>> that we send them, together with the contract, the ID of person who signs the
>> End User
>> assignment contract (even if the contract is signed by a person on behalf of
>> company).
>>
>> It seems strange: the CEO of company that wants IP resources signs the
>> contract, probably
>> stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no
>> choice on such
>> operations - we should request ID or RIPE NCC will not assign resources for
>> our customers.
>>
>> Even more, RIPE NCC requires scans of ID, and this action violates local laws
>> in some
>> countries (for example, CZ or RU). In Russia, personal data can be processed
>> only after a
>> special agreement (except some cases mentioned in the law), but we will send
>> the ID images
>> without any special agreements to the NCC.
>>
>> I tried to find some statements on data protection in the RIPE NCC or on any
>> guarantee of
>> confidentiality, but no such information found in the standard service
>> agreement or any
>> policy documents.
>>
>> On these grounds, I would like to initiate a change. RIPE NCC should have data
>> protection
>> procedures or RIPE NCC should not request personal IDs of third parties.
>>
>>
>> --
>> Sergey
>>
>