RE: Privacy of info in IP requests

Sorry, I seem to have sent a couple of people the wrong way. I didn't want to point fingers to legalese...
Just to remind everyone, ripe-104 says:
4. IRs will keep records of correspondence and information exchanges in conjunction with the registry function for later review and the resolution of disputes. IRs will hold this information in strict confidence and use it only to review requests and in audit procedures or to resolve disputes.
I'm aware of that.
The RIPE NCC makes every reasonable effort to keep the information we store confidential. On the other hand we have to store it electronically on machines connected -albeit restrictively- to the Internet.
*That's* the things that triggered me!
Is it acceptable to have the files stored in a plain office? Do I have to lock the doors of my office when I leave? [ I'm doing that anyway, for various other reasons...]
Who is "the Local-IR"? My group? Just a couple of individuals? What's the position of my boss in this? [ I *certainly* don't have a problem with this in our shop ]
If I ask the folks in another ACOnet PoP, whether they intend to physically and administratively connect the nets of the applicant, is it a problem telling them who applied for addresses? [ Sure I *do* remove the more specific parts of the application, and when the application is granted, the person and network data is stored in the RIPE-DB, thus becoming public knowledge anyway...]
On another aspect, when I receive an application (for a network number or a domain) giving person objects (admin-c's in particular!) for people that I did not talk to personally, should we be double-checking before accepting the application and putting things into the database? [ Right now it is our policy to cc them on the allocation and other correspondence...]
You see, I'm not trying to find something that can stand a lawyer, I'm trying to find out what the "common sense" and "state of the art" and the "reasonable effort" and "strict confidence" is. Because we no longer deal exclusively with universities and research centres, but also with regional hospitals, security departments of regional government, and the like.
But I might, again, be barking at the wrong tree...
Thanks for reading that far,
Wilfried.
PS: Btw, this is just another thing where I think the Local-IR stuff overlaps the (administrative aspects of the) DNS stuff...
--------------------------------------------------------------------------
Wilfried Woeber                 : e-mail: Woeber@CC.UniVie.ac.at
Computer Center - ACOnet        :
Vienna University               : Tel: +43 1 4065822 355
Universitaetsstrasse 7          : Fax: +43 1 4065822 170
A-1010 Vienna, Austria, Europe  : NIC: WW144
--------------------------------------------------------------------------

"Wilfried Woeber, UniVie/ACOnet" <woeber@cc.univie.ac.at> writes:
Is it acceptable to have the files stored in a plain office?
Do I have to lock the doors of my office when I leave? [ I'm doing that anyway, for various other reasons...]
OK. So you are not looking for a legalese answer. In that case I advise using common sense. My approach to this always is: "Suppose something leaks out and you are taken to court, how would you defend yourself?".
What we do:
- we guard other people's sensitive stuff as well as our own
- we take reasonable precautions like having offices with lockable doors which are locked when we are out.
- we have enhanced security and auditing on machines with sensitive data
- we destroy (shred) sensitive hardcopy which is no longer needed
Who is "the Local-IR"? My group? Just a couple of individuals? What's the position of my boss in this? [ I *certainly* don't have a problem with this in our shop ]
Anyone who has a job related need-to-know.
If I ask the folks in another ACOnet PoP, whether they intend to physically and administratively connect the nets of the applicant, is it a problem telling them who applied for addresses?
This is where it gets hairy. I try to work with reasonably assumed consent of the person concerned: If they told you they have requested a connection at the PoP, you may ask. If they told you they were considering ... tough!
On another aspect, when I receive an application (for a network number or a domain) giving person objects (admin-c's in particular!) for people that I did not talk to personally, should we be double-checking before accepting the application and putting things into the database? [ Right now it is our policy to cc them on the allocation and other correspondence...]
Common sense again. Your policy is a good one.
You see, I'm not trying to find something that can stand a lawyer, I'm trying to find out what the "common sense" and "state of the art" and the "reasonable effort" and "strict confidence" is.
Strict confidence is that no one outside the registry may see the information without the consent of the requester. The registry is those who have a (registry) job related need-to-know. If in doubt check with the requester.
Daniel