Personal information privacy has been a constant topic of discussion in 2018. Individuals are rightly concerned about the inappropriate use, or misuse, of personal information collected by organizations, over which the individuals appear to have little control.
In this article, I will discuss how APNIC handles the information and data it collects from its Members, and the steps that APNIC takes to protect such information.
As an organization that is incorporated in Australia, APNIC fully complies (and has done so for many years) with Australia’s Privacy Act 1988 and with the Australian Privacy Principles (APPs). I will talk more about the APPs later in this article, but for now, it is important to note that the APPs were not created in isolation. Nor are they a set of principles that are unique to Australia.
The APPs can trace their origins to Australia’s original implementation, in 1988, of the Organisation for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, as well as the International Covenant on Civil and Political Rights.
These guidelines and covenants form the basis of privacy principles and laws around many parts of the world, including the EU General Data Protection Regulation (GDPR), which will come into effect shortly. While APNIC does not consider that it is subject to the jurisdiction and laws of the EU, APNIC will continue to handle personal information according to the APPs, which are widely regarded as best-practice privacy principles that should be universally acceptable.
APNIC’s handling of information
APNIC is the regional Internet registry for the Asia Pacific region. As the full name of APNIC (Asia Pacific Network Information Centre) suggests, it also serves as the authoritative information source for the allocation and registration of Internet number resources (including IP addresses and Autonomous System Numbers) in the Asia Pacific region.
Almost all Internet number resources allocated or registered by APNIC are to corporations or other incorporated organizations. Allocations to individuals (or natural persons) are rare.
When an organization or a person requests to join APNIC as a Member, or an organization requests to be allocated Internet number resources, APNIC collects information from the organization and the person to identify and verify their legal existence, for billing and accounting purposes, and to substantiate their requests to be allocated Internet number resources according to community-made allocation policies.
APNIC collects this information as part of the process of entering into a legally binding contract with the prospective Member. APNIC handles the information it collects in the manner set out in its published privacy policy and statement.
A subset of the information collected by APNIC is published by APNIC through its publicly accessible whois database. The published information is, in almost all cases, corporate information rather than information that relates to, or identifies, an individual. In this regard, individuals are encouraged to use role-based email addresses (for example, <sys.admin@example.net>) rather than an email address that identifies, or leads to the identification of, an individual.
This whois database contains registration information about Internet number resources. Specifically, it contains information about the legal entity that holds such resources, comprising the name, physical address, email address, telephone and other contact information for the organization.
It is critically important for the efficient and uninterrupted operation of the Internet that the parties responsible for specific Internet number resources can be contacted without delay, so that technical and other network-related issues can be resolved promptly. It also ensures accountability over the use of this important public resource. APNIC provides this public registry function in the public interest, for the benefit of the global Internet and the broader community.
APNIC does not otherwise share the personal information collected by it through this process with other people, unless it has the consent of the person concerned, or where it is specifically permitted by law to do so. Again, APNIC’s privacy policy and statement explains this in detail.
Privacy Principles
APNIC respects an individual’s privacy. Its processes and systems are designed around carefully protecting all the information it holds, including personal information, from misuse, interference or loss, and from unauthorised access, modification or disclosure.
As an Australian registered body, APNIC is subject to the jurisdiction of Australia and has been required to comply with the APPs (and their predecessors, the National Privacy Principles) since 2001. Over the years, these principles have been expanded and modified to keep pace with new technological developments (and with the times).
In 2014, some major reforms of the privacy principles came into force, and again, APNIC updated its processes and procedures for handling personal information to comply with the then new APPs.
For example, you may have noticed that at all touch-points where APNIC collects personal information, such as when you start the process of applying for membership with APNIC, there is a “Privacy Collection Statement” that clearly discloses the reason for APNIC’s collection of personal information, and describes how APNIC will handle such information.
This is part of APNIC’s adherence to the APPs, and to the modern privacy principles that are founded on these universal beliefs:
- Openness and transparency about managing personal information
- Collecting personal information only where it is reasonably necessary for its functions or activities, and in a lawful and fair manner, directly from the individual concerned
- Notifying the individual about the purpose of collecting and handling personal information at the earliest opportunity, and where possible, before the collection
- Not using or disclosing personal information for a different purpose than those originally disclosed to the individual, without the individual’s consent, unless laws specifically permit those uses or disclosures
- Not using or disclosing personal information for the purposes of direct marketing without permission
- Not disclosing personal information to an overseas recipient where the overseas recipient does not have a similar framework for protecting personal information
- Taking reasonable steps to ensure that the personal information collected remains accurate, up-to-date and complete
- Taking reasonable steps to protect personal information from misuse, interference and loss; and from unauthorised access, modification or disclosure
- Giving the individual opportunity to correct any inaccurate, out of date, incomplete, irrelevant or misleading information as requested by the individual
Of course, the concept of privacy is not a static one. As privacy principles continue to evolve, so will APNIC adapt its processes and procedures to make sure that it continues to observe best practices in this area.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
I think there is an incorrect perception of the GDPR. If you allow EU citizens to register their data (for example while attending your meetings), or use your DNS servers, web servers, and so on, and log the IP address, then you need to fulfill the GDPR requirements. Those are just a few examples.
Jordi – there is no question that the GDPR seeks to extend extra-territorial reach to legislate organisations outside of the EU. But the question is whether such extra-territorial laws are legally effective and enforceable against them under the doctrine of comity and international law. Notwithstanding the potential lack of enforceability of the GDPR (specifically, against APNIC, which is incorporated outside, and has no physical presence in, the EU), the point of my blog is that APNIC continues to uphold privacy principles which are substantially similar to those enunciated in the GDPR, and has done so for many years, even before the GDPR was being discussed.
Well, governments and courts have many ways to enforce “extra-territoriality”, such as forcing ISPs to block access to the sites of companies not obeying the law, or even detaining officials of those companies when they enter their territory.
I’ve also seen other countries sign with the EU regarding the GDPR; who knows if the number of countries will increase, including Australia.
Mauritius and Uruguay have already done that, so AfriNIC and LACNIC are already on board.