"Wilfried Woeber, UniVie/ACOnet" <woeber@cc.univie.ac.at> writes: Is it acceptable to have the files stored in a plain office?
Do I have to lock the doors of my office when I leave? [ I'm doing that anyway, for various other reasons...]
OK. So you are not looking for a legalese answer. In that case I advise using common sense. My approach to this always is: "Suppose something leaks out and you are taken to court, how would you defend yourself?". What we do:
- we guard other people's sensitive stuff as well as our own
- we take reasonable precautions like having offices with lockable doors which are locked when we are out.
- we have enhanced security and auditing on machines with sensitive data
- we destroy (shred) sensitive hardcopy which is no longer needed
Who is "the Local-IR"? My group? Just a couple of individuals? What's the position of my boss in this? [ I *certainly* don't have a problem with this in our shop ]
Anyone who has a job related need-to-know.
If I ask the folks in another ACOnet PoP, whether they intend to physically and administratively connect the nets of the applicant, is it a problem telling them who applied for addresses?
This is where it gets hairy. I try to work with reasonably assumed consent of the person concerned: If they told you they have requested a connection at the PoP, you may ask. If they told you they were considering ... tough!
On another aspect, when I receive an application (for a network number or a domain) giving person objects (admin-c's in particular!) for people that I did not talk to personally, should we be double-checking before accepting the application and putting things into the database? [ Right now it is our policy to cc them on the allocation and other correspondence...]
Common sense again. Your policy is a good one.
You see, I'm not trying to find something that can stand a lawyer, I'm trying to find out what the "common sense" and "state of the art" and the "reasonable effort" and "strict confidence" is.
Strict confidence is that no one outside the registry may see the information without the consent of the requester. The registry is those who have a (registry) job related need-to-know. If in doubt check with the requester.

Daniel