[ncc-services-wg] Personal Data and Database Proxy services

Jim Reid wrote:
> On 2 Jan 2013, at 18:43, Andrey Semenchuk <andrey at trifle.net> wrote:
>   
>> the phone number is not the personal information    
> Sorry Andrey, it is.
>
> In the context of EU Data Protection legislation, ANY data identifying a Living Person is Personal Data. 
"Person" object intended to identify employer of the organisation that 
holds objects in the RIPE database (aut-num, domain, inet-num, etc). In 
this case the phone int person object is not the personal phone but the 
phone provided by employer. It's the service phone that should not 
indentify the person. If someone puts there his/her private phone - it's 
not the RIPE database problem - maybe this person consider it's private 
life (or part ot it) as an public information. In any case this phone 
publication - is the decision of the person and RIPE (even if this 
information is public and has none limitations of access) provides 
access to the data in compliance with the person's intentions,

If we wants to make data protection safer - ok, let's strip phone 
information from the database output of the person object. In this case 
only organisation objects will contains phones.


>> What kind of goal we're trying to reach? To protect personal data from being processed not in that way or purpose they were collected by the RIPE? - but RIPE can't guaranty that the third parties will process data for the legal way or purpose.
>>     
>
> This is precisely the problem. RIPE NCC is the Data Controller. It *has* to have a contractual relationship with any Data Processors (like a proxy service provider). The same Data Protection regime used by the Data Controller has to apply to any downstream Data Processors. The NCC can't just hand over the Personal Data in its databases and let anyone do whatever they want with that data.
>   
Is there any chance to identify Data Processor systems? Not the person 
who queries RIPE database search but any type of Data Processor system? 
It's not. Any data processor system can make a single request from IP 
address in a day (in IPv6 address space it's not a problem) and none 
system will tell this data processor system from the user who queries 
the database

The current question with data protection exists because the database 
provide personal data. And all we should do - is to cut personal data 
from the output. Personal information from the RIPE database (even if it 
is there) does not required to solve any situation between the Internet 
user (or organisation) and any resource holder - all communication will 
be done on "user (who initiate communication) -- organisation (resource 
holder)" or "organisation (that initiate communication) -- organisation 
(resource holder)". That's all


 > The matter at hand is the nature of the contractual relationship with 
these third parties. There's some confusion about that and how best to 
proceed. Clearly we need to arrive at a consensus. This will presumably 
involve production of a policy about third party access to the NCC 
database(s) or fixing whatever's broken in the current policy.

As soon we provide access to personal data that are stored (or may be 
stored) in RIPE database on any basis - the first question should be not 
about relations between RIPE and third parties that may collect and 
process that data. The first question should be: is every person who 
stores personal data in the RIPE database agrees with this situation and 
allow to collect/process his/her data by any organisation except RIPE?

If the person wished to provide free access to his/her personal data - 
RIPE should provide this access without any limitation. All data 
protection RIPE should provide - is a storage protection. If the person 
wishes to provide this information to RIPE only - no personal data 
should be displayed to any other third party. It's so simple! We're 
trying to answer to question that is not the main question by itself. 
The main question is: provide or do not provide personal information to 
third parties?



-- 
Best wishes,
Andrey Semenchuk

Trifle Internet Service Provider
(056) 731-99-11
www.trifle.net