[ncc-services-wg] Personal Data and Database Proxy services

On 2 Jan 2013, at 18:43, Andrey Semenchuk <andrey at trifle.net> wrote:

> the phone number is not the personal information


Sorry Andrey, it is.

In the context of EU Data Protection legislation, ANY data identifying a Living Person is Personal Data. So things like (throwaway) email addresses, phone numbers, IM handles, URLs for someone's Facebook pages and so on are covered by the same Data Protection principles that would apply to a social security number, passport details or postal address.

BTW, Europe's Data Protection Authorities can have different perspectives on what is and isn't acceptable even though the national Data Protection legislation in each EU country is underpinned by the same EU directives. Whatever works in one jurisdiction might not be allowed in another. Or vice versa. So unless you're based in the Netherlands please don't assume that whatever your DPA tells you (if you have one) is the same as the Dutch one tells the NCC.

> What kind of goal we're trying to reach? To protect personal data from being processed not in that way or purpose they were collected by the RIPE? - but RIPE can't guaranty that the third parties will process data for the legal way or purpose.

This is precisely the problem. RIPE NCC is the Data Controller. It *has* to have a contractual relationship with any Data Processors (like a proxy service provider). The same Data Protection regime used by the Data Controller has to apply to any downstream Data Processors. The NCC can't just hand over the Personal Data in its databases and let anyone do whatever they want with that data.

The matter at hand is the nature of the contractual relationship with these third parties. There's some confusion about that and how best to proceed. Clearly we need to arrive at a consensus. This will presumably involve production of a policy about third party access to the NCC database(s) or fixing whatever's broken in the current policy.

To my mind there are essentially three options to choose from. All three will mean the third parties sign something that conforms with the NCC's EU/NL Data Protection obligations.

1) Provide third party access at no charge as a general public benefit.

2) Provide third party access for a fee which might (or might not) cover the NCC's costs for providing that service.

3) Restrict third party access to NCC members only.

FWIW I can see advantages and disadvantages to all of these.

I favour a fourth option: terminate all third party access and provide no bulk export from the database at all. That one's unlikely to be popular so I didn't suggest it.