[IRT.RegDataPolicy] Data Retention requirements
Sarah Wyld
swyld at tucows.com
Thu Feb 17 13:57:09 UTC 2022
Hello IRT team,
Looking forward to finalizing this question related to data retention requirements. Specifically, I am looking at Implementation Note F(c) which I will copy here for reference:
For purposes of clarity, unless specifically addressed and modified by this Policy, all other data retention requirements and obligations within Registrar’s Registrar Accreditation Agreement remain applicable and in force. For example, this Policy does not supersede or replace additional existing data retention requirements not applying to RDDS data elements that Registrars are subject to under the Registrar Accreditation Agreement. For clarity, this does not prevent Requestors, including ICANN Compliance, from requesting disclosure of these retained data elements for purposes other than TDRP. [P2P2R21]
This implementation note will raise a question in the reader’s mind: “What other data retention requirements and obligations exist within the RAA?”. If the answer to this question is unclear, then the note will cause more confusion than clarity.
The Recommendation we’re implementing says:
The EPDP Team confirms its recommendation from phase 1 that registrars MUST retain only those data elements deemed necessary for the purposes of the TDRP, for a period of fifteen months following the life of the registration plus three months to implement the deletion, i.e., 18 months. This retention is grounded on the stated policy stipulation within the TDRP that claims under the policy may only be raised for a period of 12 months after the alleged breach (FN: see TDRP section 2.2) of the Transfer Policy (FN: see Section 1.15 of TDRP). For clarity, this does not prevent Requestors, including ICANN Compliance, from requesting disclosure of these retained data elements for purposes other than TDRP, but disclosure of those will be subject to relevant data protection laws, e.g., does a lawful basis for disclosure exist. For the avoidance of doubt, this retention period does not restrict the ability of registries and registrars to retain data elements for longer periods.
So, the Recommendation says registrars “MUST retain only those data elements deemed necessary for the purposes of the TDRP” but the OneDoc says “ALSO the other data mentioned in the RAA”. Those are clearly not aligned.
We could resolve this by simply removing the note F(c); our Policy requirement remains the same, and aligns with the Recommendation.
Alternatively, we could go through the "Non-exhaustive list of examples of information/data/evidence that is not covered by the TDRP” document that the Staff team put together of data they think should be retained outside this TDRP retention requirements. I have looked at every data element in that list and with the exception of the abuse reports (which have their own retention period clearly listed in 3.18.3) they all should be retained either only for the lifetime of the domain or are necessary for the TDRP.
So, unless someone can point to data which should be retained differently than described in the Recommendation, I still find that the Implementation Note F(c) is confusing and does not help the implementer, because it makes them think there are retention requirements which there are not.
If we must keep the note, we should update it to specifically indicate that only the Abuse Reports mentioned in RAA 3.18.3 are retained in this way.
--
Sarah Wyld, CIPP/E
Policy & Privacy Manager
Pronouns: she/they
swyld at tucows.com
From: Dennis Chang (Google Docs)
Sent: February 16, 2022 7:09 PM
To: swyld at tucowsinc.com
Subject: IRT.OneDoc RegDat... - There was a comment on this which I n...
Dennis Chang replied to a comment in the following document
IRT.OneDoc RegDataPolicy20201005
For purposes of clarity, unless specifically addressed and modified by this Policy, all other data retention requirements and obligations within Registrar’s Registrar Accreditation Agreement remain applicable and in force. For example, this Policy does not supersede or replace additional existing data retention requirements not applying to RDDS data elements that Registrars are subject to under the Registrar Accreditation Agreement. For clarity, this does not prevent Requestors, including ICANN Compliance, from requesting disclosure of these retained data elements for purposes other than TDRP. [P2P2R21]
Sarah Wyld
There was a comment on this which I now cannot find in the comment history. This point c is confusing and should be removed, thank you.
Dennis Chang
New
Hi Sarah, if you are referring to the comments that said that this policy replaces all retention requirements in RAA, that was closed since it is out-of-scope. This note is particularly important due to the Rec21 from Phase 2. Per the IRT call today, I'd like to close out the Recommendations related to retention. Would appreciate a reply here that it's ok to resolve this comment or point to specific language that is misaligned with the recommendation. thanks.
Open
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
You have received this email because you are a participant in this thread. Change what Google Docs sends you. You can reply to this email to reply to the discussion.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mm.icann.org/pipermail/irt.regdatapolicy/attachments/20220217/3696f8d6/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: E7B9AC35181641D1B922FA9FF573A883.png
Type: image/png
Size: 15060 bytes
Desc: not available
URL: <https://mm.icann.org/pipermail/irt.regdatapolicy/attachments/20220217/3696f8d6/E7B9AC35181641D1B922FA9FF573A883.png>
More information about the IRT.RegDataPolicy
mailing list