[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ENUM Privacy (was RE: [Enum] User ENUM vs Operator ENUM)

To: james.f.baskin at verizon.com
Subject: Re: ENUM Privacy (was RE: [Enum] User ENUM vs Operator ENUM)
From: Jim Reid <jim at rfc1035.com>
Date: Fri, 25 Jun 2004 21:37:47 +0100
Cc: enum at ietf.org
In-reply-to: Message from james.f.baskin@verizon.com of "Fri, 25 Jun 2004 15:34:52 EDT." <OF07850C87.24DBCE3E-ON85256EBE.006852C4-85256EBE.006BB9CA@CORE.VERIZON.COM>
List-help: <mailto:enum-request@ietf.org?subject=help>
List-id: Enum Discussion List <enum.ietf.org>
List-post: <mailto:enum@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/enum>, <mailto:enum-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/enum>, <mailto:enum-request@ietf.org?subject=unsubscribe>
Sender: enum-bounces at ietf.org

>>>>> "james" == james f baskin <james.f.baskin at verizon.com> writes:

Hmm. It seems our American and Austrian readers need a primer on the
principles of EU Data Protection. Here goes....

    james> Assuming that a string of digits equal to a telephone
    james> number assigned to an person "identifies a living person"
    james> and is subject to EU Data Protection legislation, what
    james> exactly does the legislation allow or disallow regarding
    james> publishing that string of digits in a publicly accessible
    james> database?

It doesn't really say anything about that. It does however say a
number of other things. The entity that stores and manipulates the
data (the data controller) is supposed to register the fact that they
are storing personal data and the purposes that it gets used for. ie
"I'm a telco and I store the names and addresses of my customers so
they can be sent bills." A data subject -- ie end user -- is entitled
to ask the data controller for a record of any data that's stored
about them and what it gets used for. If that data is incorrect, the
data subject can get it fixed. They can also get compensation when
personal data is improperly used. The data controller is not allowed
to use the personal data for unregistered purposes. And they can't
have that data processed or stored somewhere that doesn't follow EU
data protection legislation.

Things get easier with individuals who are storing personal data for
private or hobby purposes. The Information Commissioner's office
doesn't care that I have a couple of mailing lists on my server and my
laptop has the names and addresses of friends and colleagues on it.
They would care if I was providing a UK directory enquiries service
and hadn't registered that usage with them.

So provided the telco or ISP tells the Information Commissioner's
office that they'll be publishing the data, that should be enough. But
some safeguards will have to be in place. Which could mean opt-in will
be mandatory because the personal data gets published on the internet
where it could be processed by entities who don't comply with EU data
protection legislation and are beyond EU jurisdiction. At this point,
professional advice is needed.

    james> Does the data protection legislation require opt-in by that
    james> person?

No. Though this is usually implicit whenever someone signs up for
anything that creates an electronic record. Lots of things like forms
for opening bank accounts and so on will have small print about the
data subject's rights and safeguards under the Data Protection laws.

    james> What happens if that string of digits also happens to
    james> identify some other living person because it happens to
    james> match that person's public library card number or some
    james> other identifier?

Nothing. It's not the string of digits that matter. It's the fact
they're stored on a computer and the uses it then gets put to that
matters. If I've got a beef with the local library's use of any
personal data they have about me, I'll take that up with their data
protection officer. That's another provision of the legislation.

    james> Is British Telecom required to get everyone in its on-line
    james> telephone directory to explicitly opt-in before listing
    james> them?

No. But BT is required to register that they maintain that data on a
computer and to allow data subjects to access their personal data and
get it corrected if necessary. Which you'd expect a phone company
would want to do for a telephone directory anyway. This time I'll
resist the temptation to take a cheap shot at BT.

    james> If you are saying that before publishing any data element
    james> that identifies a living person one should review the data
    james> protection rules to be sure the publication complies with
    james> the rules, that is a reasonable suggestion. 

I am. Even so, putting personal data into the DNS could be a data
protection nightmare.

    james> However, if you are suggesting that publication of
    james> "sip:123456789 at serviceprovider.com" is prohibited by the
    james> data protection legislation without prior approval
    james> (opt-in), that is something else entirely. Are you making
    james> the latter suggestion?

No.

Though it might be if I'm populating the DNS with personal data about
zillions of people and haven't told the Information Commissioner that
I'm doing that. Or whacking that data on to servers outside the EU. Or
maybe allowing that data to be mined by third parties (spammers
perhaps) so it can be used for purposes that haven't been registered
or are outside EU jurisdiction.

Visit www.informationcommissioner.gov.uk if you want more info about
EU Data Protection and how it's applied in the UK. The same principles
apply throughout the EU, though the details may be different in EU
member states.

_______________________________________________
enum mailing list
enum at ietf.org
https://www1.ietf.org/mailman/listinfo/enum

References:
- Re: ENUM Privacy (was RE: [Enum] User ENUM vs Operator ENUM)
  - From: james . f . baskin

Prev by Date: [Enum] So far it looks like Wed afternoon.
Next by Date: Re: ENUM Privacy (was RE: [Enum] User ENUM vs Operator ENUM)
Previous by thread: Re: ENUM Privacy (was RE: [Enum] User ENUM vs Operator ENUM)
Next by thread: Re: ENUM Privacy (was RE: [Enum] User ENUM vs Operator ENUM)
Index(es):
- Date
- Thread