[gnso-dow123] NCUC Procedural Proposal - recirculated

[KathrynKL@xxxxxxx]

Friends:
Now that we have a purpose for our database, it is a legal and logical step 
to determine whether the data we are collecting is appropriate.  Does the data 
match the purpose?  

Below is the procedural proposal submitted by NCUC some months back.  It is 
designed to run with both pending proposals â the Tiered Access and oPOC 
proposals. 

Looking forward to discussing it with you tomorrow,
Kathy

************************************************************

NCUC Procedural Proposal

After great thought, NCUC submits this procedural proposal.  We submit that 
the following procedural steps take place with regard to each pending 
substantive proposal (e.g., oPOC and .NAME) upon decision by the Council of the 
Purpose 
of Whois.

1) Upon determination by Council of the âPurpose of Whois,â the TF will 
review each substantive proposal closely and list the personal data collected 
in 
it for Whois.  The TF will then closely examine the data fields, particularly 
data fields holding personal data, and determine whether the data collected is 
necessary or unnecessary for Whois under the newly-established Purpose. 

2) If the TF finds that the data being collected under a Proposal exceeds the 
data needed, then the TF will list the data fields and set them aside for 
further evaluation. The Task Force will then further review the data fields to 
determine whether they serve a necessary business function aside from Whois.

3) The TF will make a recommendation regarding each data field it no longer 
considers necessary for the Whois database.  The TF may recommend that the data 
field(s) continue to be collected from registrants for business purposes, but 
not included in Whois.  The TF may recommend that the data no longer be 
required by ICANN for collection at all.  

4) Based on its recommendations to Council, the TF will take the additional 
steps of reviewing the language of the Registrar and Registry Accreditation 
Agreements on these topics and recommending language changes consistent with 
the 
recommendations in #3. 

5) The TF will document its findings in a report to Council to accompany 
whatever substantive proposal the TF agrees upon.


Legal Rationale:
In the many countries with comprehensive data protection laws, it is a 
requirement that the âpurpose of a databaseâ be clearly defined, and in 
turn, 
operate as a guide and a limitation on the data collected for that database.  
The 
procedural steps above are consistent with the legal requirements of the 
European data protection laws.  They also follow the direction to ICANN set out 
in 
the Opinion 2/2003 on the Application of the Data Protection Principles to the 
Whois Directories of the Article 29 Working Party of the EU Data Protection 
Commissioners:

    âArticle 6c of the Directive imposes clear limitations concerning the 
collection and processing of personal data meaning that data should be relevant 
and not excessive for the specific purpose. In that light it is essential to 
limit the amount of personal data to be collected and processed.â  
http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2003/wp76_en.pdf.
http://europa.eu.int/comm/justice_home/fsj/privacy/docs/wpdocs/2003/wp76_en.pd
f.