On Fri, 15 Jun 2007, Leo Vegoda wrote:
Denis,
On 15 Jun 2007, at 12:44pm, Denis Walker wrote:
[...]
So before we go too far down the road on issues of authentication, authorisation, permissions and contracts, maybe we need to answer these basic questions:
* what personal data do we need
* who needs access to it and by what means
* what do we need it for
Surely this last question should be considered before the other two. Depending on the answer to it the other two may not apply at all. For instance, if the main purpose is to provide contact information to third parties who may need it for network troubleshooting purposes, role information may be sufficient and personal data is not needed at all. That would eliminate the need for the first question.
Right, the Directive states the same thing:
... personal data must be:
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
There also is a next point:
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
Please note, "not excessive". Don't you think that the person object falls exactly under the "excessive" category?
Regards,
-- Leo Vegoda IANA Numbers Liaison
With respect, Larisa Yurkina --- RIPN Registry center -----