Policy Archive

Unique identifier: AFPUB-2012-GEN-002-DRAFT-01
Draft Policy Name: Regional Internet Registry Privacy
Author: S. Moonesamy | sm+afrinic@elandsys.com
Submission Date: Nov 16 2012
Related Policies: None

Obsoletes: None
Amends: None

 

Summary

Privacy is the ability of an individual to be left alone, out of public view, and in control of information about oneself. This document specifies the privacy policy for the Regional Internet Registry handling Internet number resources in the AfriNIC service region.

 

1. Introduction

Privacy is the ability of an individual to be left alone, out of public view, and in control of information about oneself.  AfriNIC, as a Regional Internet Registry, manages and administers Internet number resources for the AfriNIC service region. It publishes information about Internet number resources on the Internet. This document specifies the privacy policy for the Internet Registry. Any restriction mentioned in this document is not applicable to data which is publicly available, e.g. data provided through a service accessible anonymously over the Internet.

 

2. Personal Data

Personal Data shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified directly or indirectly, in particular by reference to an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

 

3. Data Minimization

The principle of data minimization has been adopted to limit the collection and/or transfer of Personal Data to what is directly relevant and necessary for specified, explicit and legitimate purposes. Information about whether any data is adequate, relevant and not excessive in relation to the purposes for which it is collected and/or transferred shall be made available to any person who is part of the Policy Development Working Group for the AfriNIC service region. The Regional Internet Registry shall not collect under any circumstances Personal Data from an applicant of Internet number resources which can be used to identify more than a quarter of the users to which an applicant has allocated IP address space. This is a maximum amount and not guidance about the amount of data considered as excessive.

 

3.1. Data Retention

The retention period for Personal Data is six months. Personal Data necessary for financial purposes, e.g. billing, can be retained for up to twelve months after the end of a Registration Service Agreement. Personal Data published for Internet number resources allocations or assignments can be retained for the historical record if the data was publicly available for at least a month.

 

3.2. Transfer of Personal Data

Personal Data cannot be transferred to another country unless there is a publicly available assessment of:

(a) the nature of the Personal Data

(b) the purpose and duration of the proposed processing of the Personal Data  

(c) the country of origin and country of final destination

(d) the rules of law in force in the country in question

(e) any relevant rules and security measures which are complied with in that country

 

4. Personal Data Transfer Register

A Personal Data Transfer Register will be maintained with the following information:

(a) date of transfer of the Personal Data

(b) nature of the Personal Data

(c) purpose of the proposed processing of the Personal Data

(d) country of origin and country of final destination

The Personal Data Transfer Register shall be published through a service accessible anonymously over the Internet.  Personal Data required for financial purposes is exempted from publication.

 

5. Personal Data Leakage

In the event of Personal Data leakage, a notification shall be sent to the Resource Policy Discussion mailing list within a day of the detection of the leakage together with an explanation about the nature and extent of the leakage.

 

History

  • 29 Nov 2012 - Withdrawn by Author
  • Nov 2012 - Draft 2 Posted on the Mailing List by Author, with minor revisions.
  • May 2012 - Draft 1 Posted on the Mailing List by Author


 

Ref. Name: AFPUB-2013-V6-001-DRAFT01
Amends: AFPUB-2004-v6-001
Status: Implemented
Date: 16 May 2013
Author(s):
- Steven Wiesman
- Steven Tapper
- Charles Hendrickson
Organisation: Accenture

 

1) Summary of the Problem Being Addressed by this Policy Proposal
 

The current AFRINIC allocation policy provides for and assigns IPv6 space to companies residing within the region's countries. This assignment policy aligns with the IPv6 hierarchy but does not allow for multinational companies' efficient distribution of IPv6 address space. Under the existing policy, a multinational company has to apply for membership and IPv6 resources from every location in which it operates. This is both costly and time-consuming for the Registry and the Multinational Company applying for membership.


The RIR has to maintain and organize multiple prefixes assigned to one company and provide services appropriate to the membership process. The company applying for membership has to perform the same function of managing multiple IPv6 assigned ranges and technically operate and manage the disparate IPv6 ranges assigned to the locations.

For example, under the existing policy:

  • Multinational company A operates in 15 countries within the AFRINIC region.
  • The Multinational Company needs to apply for membership from each of the 15 locations.
  • The Multinational Company needs to apply for IPv6 resources from each of the 15 locations.
  • The Multinational Company has 15 potentially different prefixes to manage and operate.
  • The Multinational Company has 15 potentially different prefix lengths to manage and operate.
  • The multinational company needs to pay the renewal fees yearly to lease the IPv6 address space awarded for each location.
  • AFRINIC needs to review and award location based appropriate prefixes to each of the 15 locations.
  • AFRINIC needs to assign IPv6 resources to 15 separate locations which may come from separate areas of the RIR managed IPv6 ranges.
  • AFRINIC needs to process the paperwork for 1 company 15 times for membership.
  • AFRINIC needs to process billing on a yearly basis for 1 multinational company 15 different times.
  • IPv6 address assignments are location based and must only be advertised as an aggregated prefix to the Internet in which the prefix was awarded. Additional subnetting and advertisement of the awarded IPv6 address range is not permitted. For example:
    • One /32 aggregated from one location
    • Smaller subnets, i.e. /48 from the same prefix, cannot be advertised out of another location

 
2) Summary of How this Proposal Addresses the Problem



This proposal allows the Multinational Company to apply for and obtain a larger aggregated IPv6 block of addresses and to allocate, assign and advertise the IPv6 address range awarded according to its own internal IPv6 hierarchical policies. Additionally, AFRINIC will now only need to review and maintain membership records for one instance of the multinational company, and the prefix immediately identifies the company. For example, under the proposed policy:

  • Multinational Company A operates in 15 countries within the AFRINIC region.
  • The Multinational Company needs to apply for membership one time.
  • The Multinational Company needs to apply for IPv6 resources one time providing sufficient evidence of hierarchical design.
  • The Multinational Company is awarded a prefix sufficient to cover the 15 offices and future growth and/or expansion within the region.
  • The Multinational Company has one prefix to manage, operate and break down according to its internal policy.
  • The multinational company needs to pay the renewal fees yearly, one time, to lease the IPv6 address space awarded.
  • AFRINIC needs to process the paperwork for 1 company.
  • AFRINIC needs to review and award a prefix to the multinational company one time.
  • AFRINIC needs to process billing on a yearly basis for 1 multinational company one time.
  • The IPv6 address assignment is company identifiable.
  • Policy allows for multiple aggregated prefixes to the Internet.
  • Additional subnetting and advertisement of the aggregated IPv6 address range is permitted. For example:
    • One /32 aggregated from one location
    • Smaller subnets, i.e. /48 from the same prefix, advertised out of another location.


3) Proposal


We propose to delete the following sentence in section 6.1.1 (d) from the IPv6 Address Allocation and Assignment Policy:

"The LIR should also plan to announce the allocation as a single aggregated block in the inter-domain routing system within twelve months."


Revision History:

None