Regional Internet Registry Privacy | AFPUB-2012-GEN-002-DRAFT-02
|Draft Policy Name:||Regional Internet Registry Privacy|
|Submission Date:||Nov 16 2012|
2. Personal Data
Personal Data shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified directly or indirectly, in particular by reference to an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
3. Data Minimization
The principle of data minimization has been adopted to limit the collection and/or transfer of Personal Data to what is directly relevant and necessary for specified, explicit and legitimate purposes. Information about whether any data is adequate, relevant and not excessive in relation to the purposes for which it is collected and/or transferred shall be made available to any person who is part of the Policy Development Working Group for the AfriNIC service region. The Regional Internet Registry shall not collect under any circumstances personal Data from an applicant of Internet number resources which can be used to identify more than a quarter of the users to which an applicant has allocated IP address space. This is a maximum amount and not guidance about the amount of data considered as excessive.
3.1. Data Retention
The retention period for Personal Data is six months. Personal Data necessary for financial purposes; e.g. billing, can be retained for up to twelve months after the end of a Registration Service Agreement. Personal Data published for Internet number resources allocations or assignments can be retained for the historical record if the data was publicly available for at least a month.
3.2. Transfer of Personal Data
Personal Data cannot be transferred to another country unless there is a publicly available assessment of:
(a) the nature of the Personal Data
(b) the purpose and duration of the proposed processing of the Personal Data
(c) the country of origin and country of final destination
(d) the rules of law in force in the country in question
(e) any relevant rules and security measures which are complied within that country
4. Personal Data Transfer Register
A Personal Data Transfer Register will be maintained with the following information:
(a) date of transfer of the Personal Data
(b) nature of the Personal Data
(c) purpose of the proposed processing of the Personal Data
(d) country of origin and country of final destination
The Personal Data Transfer Register shall be published through a service accessible anonymously over the Internet. Personal Data required for financial purposes is exempted from publication.
5. Personal Data Leakage
In the event of Personal Data leakage, a notification shall be sent to the Resource Policy Discussion mailing list within a day of the detection of the leakage together with an explanation about the nature and extent of the leakage.
- 29 Nov 2012 - Withdrawn by Author
- Nov 2012 - Draft 2 Posted on the Mailing List by Author, with minor revisions.
- May 2012 - Draft 1 Posted on the Mailing List by Author
- 05 May 2012 - AFPUB-2012-GEN-002-DRAFT-01