Register direct
Home Home Policy Recommendations
Policy
RFC | Whois and Privacy Policy

The complete Word and PDF versions of the draft agreements and policy may be downloaded by clicking one of the links below.
Download rfc-privacy.pdf Download rfc-privacy.doc

Executive Summary:

Purpose:

This document contains updated versions of three CoCCA template documents, the Registrant Agreement, Acceptable Use Policy (“AUP”) and Privacy and WHOIS Policy. The changes proposed herein are largely to the Privacy and WHOIS Policy. The inter-related nature of the policy documents also necessitated minor modification of the AUP and Registrant Agreement.

Context:

The issues of WHOIS policy and data quality are recognised as important components of the effort to combat abuse of the DNS, address cybercrime, protect intellectual property, and align use of a ccTLD register with the legislative and public policy environment in the country or territory it represents. Attempts to address the shortcomings of existing WHOIS and data quality policy in the generic top level domains (“gTLD”) have been frustrated by technical, commercial and contractual restrictions in zones ICANN has oversight of. Similar constraints generally do not exist in most ccTLDs; they do not exist under the CoCCA model.

CoCCAs’ best practice framework has historically sought to address the acceptable use of domain in recognition that the DNS is often part of the publication of internet content. While a register operator cannot remove prohibited or unlawful content from the internet, they can, however, ensure the ccTLD’s network is not part of the publication chain. This framework contrasts somewhat with the largely intellectual property driven policy in the gTLD name spaces, and its focus on who has the “best rights” to a particular character string.

The proposed changes do not reflect a substantive change in CoCCA policy. The policy continues to recognize the compelling public interest in ensuring that accurate “registrant contact data” (for an individual domain) is publicly available via an automated process and on a continuous basis. It extends the WHOIS concept to include Historical Abstracts.

Registrants provide their information to the registry directly or via a registrar for specific purposes detailed in the Policy. The registry operator and sponsoring organisation have a responsibility to put mechanisms and policies in place that are consistent with the objectives of data collection.

The Modifications Summarised:

1. Make available to the general public, regulatory bodies and law enforcement Historical Abstracts that contain complete historical records related to a domain. The AUP filing process - or a nominal fee - for Historical Abstracts introduces very modest administrative or fiscal burdens for persons requesting information. The notion of a Historical Abstract is common in other environments and is largely analogous to ordering a corporate history from a statutory body. Under this common model some information is freely available online (in the case of the DNS via WHOIS), while a complete history may be ordered from an information broker and may attract a processing fee.

2. Allow the registry to enable automated procedures to contact a registrar’s clients (the registrant) by phone or email for the purpose of having registrants update and confirm their contact details BEFORE activation of a domain and at least once a year after that. It is difficult to confirm the identity of registrants, but technology can assist in verifying the accuracy of the phone and email. The registry may also opt to notify registrants directly via registry email or “SMS alerts” of activity and changes to their registry data.

3. Allow registrars that have adopted a practice of replacing some address contact details with alternate addresses that may represent an “agent of the registrant” to create these as subordinate contact records. This will continue to give registrants who desire a very limited level of protection from abuse and data mining of the public WHOIS servers an effective option to combat this known problem.
Registrars will no longer be able provide only limited or “filtered” contact data “sufficient to contact the registrant.” The revised policy and technology allows a registrant to opt to nominate alternate phone, email and address information for publication via the WHOIS server (not registrant name or organisation).

Historical Abstracts and requests for information that flow from an AUP complaint will show both the authoritive (superordinate) registrant information and, if applicable, the alternate “agent” contact information. Requests for AUTH codes and other notices, or any other interaction required to comply with policy, will use the superordinate contact email.

Given the importance of data quality and the various levels of automation and technical proficiency in various CoCCA registrars, the changes allow the registry to be more proactive in verifying the accuracy of information inserted by the registrar and also provide a direct channel for registrants to maintain various aspects of their contact information. These changes also extend the availability (and format) of registrant information to be delivered to the general public. This document is meant to be a practical guide to adoption of the CoCCA best practice policy framework for administration code Top Level Domains (ccTLDs).

Assumptions:

The framework assumes the ccTLD operates as a shared registry, and that policy development, operation of the central registry, and commercial activities are viewed as discrete activities - even if carried out by related entities. Implementing these policies in the CoCCA software requires upgrading to version 3.01 or later.
The framework also assumes that the ccTLD manager desires to ensure the use of the ccTLD remains consistent with local culture, customs and legislation, and wishes to employ a model that includes registry-level suspensions.
The use of a domain is subject at all times to an AUP that addresses cybercrime, prohibited content, intellectual property abuses and other issues of interest to internet users.

Registration Agreement

– This collateral agreement binds the registrant to ccTLD Acceptable Use, Privacy & WHOIS policy and the Complaint Resolution Service.

Acceptable Use Policy

– This policy is incorporated by reference into the Registration Agreement and defines the acceptable use of domains and the ccTLD manager’s network.

Privacy & WHOIS Policy

This policy is incorporated by reference into the Registration Agreement and describes the registry’s privacy and WHOIS policy.
 
Policy Master Document PDF  | Print |
Purpose:
This document contains a complete set of inter-related template agreements (Registrant, Registrar and Registry), AUP and privacy policy recommendations, and a Complaint Resolution framework. This document is meant to be a practical guide to the COCCA best practice policy framework for administration of small and medium-sized country code Top Level Domains (ccTLDs).
Read more...
 
Acceptable Use Policy PDF  | Print |
This Acceptable Use Policy ("AUP") sets out the actions prohibited to users of the [Country Code Administrator] Network ( [Country Code Administrator] Network). Users are defined as anyone who uses or accesses the .[Insert] domain registry, who has responsibility for one or more host records in the .[Insert] zone files generated from the .[Insert] registry, registrants of a .[Insert] country code Top Level ( ccTLD ) Domain name ( .[Insert] Domain name ), and/or users of hardware, name servers, bandwidth, telecommunications transport, zone files or e-mail routing services or of any other domain name resolution systems and services in the .[Insert] registry and zone.
Read more...
 
Registration Agreement PDF  | Print |
This REGISTRATION AGREEMENT (the "Agreement") is entered into, by and between the .[Insert] domain name registrant ("Registrant") and [Country Code Administrator] [Country Code Administrator] . Additional agreements, if any, may be entered into between the Registrant and accredited registrars relating to domain name services in the .[Insert] TLD provided by such accredited registrars, provided that no such additional agreement may waive, alter, or supersede any provision of this Agreement. If there is any conflict between such additional agreements and this Agreement, this Agreement shall control.
Read more...
 
Privacy and Whois Policy PDF  | Print |

1. OBJECTIVES:

1.1 The objectives of this Privacy Policy are:
(1) To disclose to the Registrant, and in doing so obtain the Registrant's consent, to the fact that the Personal Information (defined below) provided by the Registrant may be dealt with in the following manner by [Country Code Administrator]:

(a) Personal Information shall be collected in the form of a Registrant database, which is used, maintained and corrected from time to time in accordance with this Policy;
(b) Personal Information shall be collected by [Country Code Administrator] for the purpose of the storage and maintenance of the Personal Information. [Country Code Administrator] shall not disclose or transfer the Personal Information to any third party other than the .[Insert] ccTLD Escrow Agent unless under the circumstances detailed in the Use and disclosure section of this Policy;
(c) All personal information about the Registrant which is supplied to [Country Code Administrator] or an accredited registrar is held by [Country Code Administrator] for the benefit of {Country} and global internet communities and may be required to be publicly disclosed to third parties and used to maintain a public Whois service, provided that such disclosure is consistent with:
(i) Privacy principles specified in CoCCA recommended policies; and
(ii) The [Country Code Administrator] Policies.
(2) To outline [Country Code Administrator]'s procedures for the appropriate collection, holding, use, correction, disclosure and transfer of a Registrant's Personal Information by [Country Code Administrator];
(3) For [Country Code Administrator] to undertake the requirements of paragraph 1.1(1) in such a way so as to ensure that [Country Code Administrator]:
(a) meets international concerns and obligations relating to privacy;
(b) recognises a Registrant's interests in protecting their privacy;
(c) recognises important human rights and social interests that compete with privacy, including the general desirability of a free flow of information and the right of [Country Code Administrator] to achieve its objectives efficiently; and
(d) encourages Registrants to provide and maintain accurate and reliable contact details with the knowledge that [Country Code Administrator] will respect their privacy.

2. DEFINITIONS
2.1 AUP or [Country Code Administrator] AUP means the Acceptable Use Policy available at {link} ;
2.2 "[Country Code Administrator]" means [Country Code Administrator];
2.3 Domain means a .[Insert] Domain name applied for by a Registrant, whose registration application has been processed and accepted by [Country Code Administrator];
2.4 "Escrow Agent" means a third party contracted to perform data escrow services for [Country Code Administrator]. The data escrow arrangement with the Escrow Agent will ensure the transfer of all relevant DNS data and Registrant information, including Personal Information to a nominated replacement/back-up system, and will ensure the safety and integrity of the .[Insert] country code Top Level Domain ( ccTLD ) database. The Escrow Agent is prohibited from use or disclosure of the .[Insert] ccTLD Data unless that use or disclosure is deemed essential to ensure the stability and integrity of the .[Insert] ccTLD;
2.5 Identifier for the purposes of paragraph 10 includes a number assigned by [Country Code Administrator] to an individual to identify uniquely the Registrant for the purposes of [Country Code Administrator]'s operations. However, an individual's name is not an identifier;
2.6 "Personal Information" means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about a Registrant whose identity is apparent, or can reasonably be ascertained, from the information or opinion provided by the Registrant including information contained in applications for [Country Code Administrator] domain names;
2.7 "Policy" means the contents of the [Country Code Administrator] Privacy Policy and any amendments or updates to the Policy made by [Country Code Administrator] from time to time and posted on the [Country Code Administrator] website {link} ;
2.8 Sensitive information means Personal Information that would be considered to be sensitive under the CoCCA recommended policies;
2.9 "Registrant" means the individual, entity or the authorised agent for the individual or entity who applied for or caused to be applied for a Domain and whose registration application has been processed and accepted by [Country Code Administrator];
2.10 "Whois Service" means the service provided by [Country Code Administrator] to the public, as described in paragraph 3 of this Policy, which is available at http://www.nic.[Insert] .

3. {Country} ccTLD "Whois" SERVER IMPLICATIONS:
3.1 [Country Code Administrator] will maintain a publicly accessible information service known as the .[Insert] ccTLD "Whois" service which will provide limited information in relation to a Domain as follows:
(1) technical information on the DNS servers resolving a Domain;
(2) the date the Domain was inserted into the .[Insert] ccTLD registry;
(3) the date of last modification; and
(4) the date of expiration.
3.2 [Country Code Administrator] shall not release a Registrant's phone numbers, addresses or email contact details without the consent of the Registrant, unless under the circumstances detailed in Use and disclosure section below.
3.3 [Country Code Administrator] or CoCCA Accredited Registrars are required, as a condition of their accreditation, to provide Registrants with the tools to make visible Extended Whois" information on .[Insert] ccTLD domains registered through them.
3.4 [Country Code Administrator] will provide registrants with an on-line tool at http://www.nic.[Insert] to edit information published in the ccTLD Whois. The registrant will require a registry key and will not be able to disable display of data set in 3.1.

4. COLLECTION
4.1 [Country Code Administrator] shall only collect Personal Information necessary for one or more of its functions or activities:
(1) as the trustee for the .[Insert] ccTLD database;
(2) for the provision of the Whois Service;
(3) to contact the Registrant as necessitated by the .[Insert] ccTLD Polices;
(4) To provide law enforcement with information required to investigate or prevent a crime
4.2 The "Primary Purpose of Collection" by [Country Code Administrator] shall be for one of the necessary functions or activities of [Country Code Administrator] as described in paragraph 4.1 above and [Country Code Administrator] will exercise its reasonable endeavours to ensure that:
(1) [Country Code Administrator] shall collect Personal Information only by lawful and fair means and not in an unreasonably intrusive way.
(2) At or before the time (or, if that is not practicable, as soon as practicable after) [Country Code Administrator] collects Personal Information about a Registrant from the Registrant, [Country Code Administrator] shall take reasonable steps to ensure that the Registrant is aware of:
(a) the identity of [Country Code Administrator] and the Escrow Agent and how the Registrant may contact [Country Code Administrator]; and
(b) the fact that the Registrant is able to gain access to the Personal Information; and
(c) the purposes for which the Personal Information is collected (as outlined in the paragraph 4.1 above); and
(d) the organisations (or the types of organisations) to which [Country Code Administrator] usually discloses the Personal Information; and
(e) any law that requires the particular Personal Information to be collected; and
(f) the main consequences (if any) for the Registrant if all or part of the Personal Information is not provided.
(3) If it is reasonable and practicable to do so, [Country Code Administrator] shall collect Personal Information about a Registrant only from that individual.
(4) If [Country Code Administrator] collects Personal Information about the Registrant from someone else, it shall take reasonable steps to ensure that the Registrant is or has been made aware of the matters listed in the Objectives paragraph 1 above except to the extent that making the Registrant aware of the matters would pose a serious threat to the life or health of any individual.
4.3 [Country Code Administrator]'s website does not utilise technology to collect user information or track usage. [Country Code Administrator]'s website may feature links to other websites. [Country Code Administrator] is not responsible for the content and privacy practices of such other websites.

5. USE AND DISCLOSURE
5.1 [Country Code Administrator] shall NOT use or disclose Personal Information about a Registrant for a purpose (the Secondary purpose) other than the Primary Purpose of Collection unless:
(1) the Registrant has consented to the use or disclosure; or
(2) [Country Code Administrator] reasonably believes that the use or disclosure is necessary:
(a) to lessen or prevent a serious and imminent threat to an individual's life, health or safety; or
(b) to lessen or prevent a serious threat to public health or public safety; or
(c) because [Country Code Administrator] has reason to suspect that unlawful activity or a violation of the AUP has been, is being or may be engaged in, and uses or discloses the Personal Information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons (including parties effected by a violation of the AUP) or authorities; or
(d) because the use or disclosure is required or authorised by or under law; or
(e) because [Country Code Administrator] reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
(f) because a third party has filed a complaint relating to the AUP and providing the Personal Information may contribute to resolution of the complaint.
5.2 [Country Code Administrator] shall lawfully co-operate with agencies performing law enforcement functions.
5.3 This "Use and disclosure" section in this paragraph 5 does not override any existing legal obligations not to disclose Personal Information. Nothing in this Use and disclosure paragraph 5 requires [Country Code Administrator] to disclose any Personal Information; [Country Code Administrator] is always entitled not to disclose Personal Information in the absence of a legal obligation to disclose it.
5.4 [Country Code Administrator] is also subject to the requirements set out in the Transborder data flows section in paragraph 12 of this Policy if it transfers Personal Information to a person in a foreign country, situated outside of {Country}.
5.5 If [Country Code Administrator] uses or discloses Personal Information under this Use and disclosure paragraph 5, it shall make a written note of the use or disclosure, and except where requested by a law enforcement agency, inform the Registrant by email of the identity of the requesting entity and stated reasons for the release of the information. These reasons must be one of the stated reasons in paragraph 5.1(2).

6. DATA QUALITY
6.1 [Country Code Administrator] shall take reasonable steps to make sure that the Personal Information it collects, uses or discloses is accurate, complete and up-to-date.

7. DATA SECURITY
7.1 [Country Code Administrator] shall take reasonable steps to protect the Personal Information it holds from misuse and loss and from unauthorised access, modification or disclosure.
7.2 [Country Code Administrator] shall take reasonable steps to destroy or permanently de-identify Personal Information if it is no longer needed for any purpose for which the information may be used or disclosed under the Use and disclosure section of this Policy, except where prohibited by law or applicable policy

8. OPENNESS
8.1 This Policy sets out [Country Code Administrator]'s policies on its management of Personal Information. [Country Code Administrator] shall make this document available to anyone who asks for it.
8.2 On request by any person, [Country Code Administrator] shall take reasonable steps to let the person know, generally, what sort of Personal Information [Country Code Administrator] holds, for what purposes, and how it collects, holds, uses and discloses that information.

9. ACCESS AND CORRECTION
9.1 If [Country Code Administrator] holds Personal Information about a Registrant, it shall provide the Registrant with access to the information on request by the Registrant, except to the extent that:
(1) in the case of Personal Information, providing access would pose a serious and imminent threat to the life or health of any individual; or
(2) providing access would have an unreasonable impact upon the privacy of other individuals; or
(3) the request for access is frivolous or vexatious; or
(4) the information relates to existing or anticipated legal proceedings between [Country Code Administrator] and the Registrant and the information would not be accessible by the process of discovery in those proceedings; or
(5) providing access would reveal the intentions of [Country Code Administrator] in relation to negotiations with the Registrant in such a way as to prejudice those negotiations; or
(6) providing access would be unlawful; or
(7) denying access is required or authorised by or under law; or
(8) providing access would be likely to prejudice an investigation of possible unlawful activity; or
(9) providing access would be likely to prejudice:
(a) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or
(b) the enforcement of laws relating to the confiscation of the proceeds of crime; or
(c) the protection of the public revenue; or
(d) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or
(e) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders by or on behalf of an enforcement body; or
(f) an enforcement body performing a lawful security function asks [Country Code Administrator] not to provide access to the information on the basis that providing access would be likely to cause damage to the security of {Country}.
9.2 However, where providing access would reveal evaluative information generated within [Country Code Administrator] in connection with a commercially sensitive decision-making process, [Country Code Administrator] may give the Registrant an explanation for the commercially sensitive decision rather than direct access to the information.
9.3 If [Country Code Administrator] charges for providing access to Personal Information, those charges:
(1) shall not be excessive; and
(2) shall not apply to the lodging of a request for access by Registrants to their own Personal Information.
9.4 If [Country Code Administrator] holds Personal Information about a Registrant and the Registrant is able to establish that the information is not accurate, complete and up-to-date, [Country Code Administrator] shall take reasonable steps to correct the information so that it is accurate, complete and up-to-date, as requested by the Registrant.
9.5 If the Registrant and [Country Code Administrator] disagree about whether the Personal Information is accurate, complete and up-to-date, and the Registrant asks [Country Code Administrator] to associate with the information a statement claiming that the information is not accurate, complete or up-to-date, [Country Code Administrator] shall take reasonable steps to do so.
9.6 [Country Code Administrator] shall provide written reasons for denial of access or a refusal to correct Personal Information under this paragraph 9 in relation to Access and correction .

10. IDENTIFIERS
10.1 [Country Code Administrator] shall not adopt as its own identifier of a Registrant, an identifier of the Registrant that has been assigned by:
(1) an agency; or
(2) an agent of an agency acting in its capacity as agent; or
(3) a contracted service provider for a government contract acting in its capacity as contracted service provider for that contract.
10.2 [Country Code Administrator] shall not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider mentioned in paragraph 10 in relation to Identifiers unless:
(1) the use or disclosure is necessary for [Country Code Administrator] to fulfill its obligations to the agency; or
(2) one or more of the requirements in relation to Use and disclosure in paragraph 5.1 applies to the use or disclosure.

11. ANONYMITY
11.1 A Registrant's request not to be identified when entering transactions with [Country Code Administrator] shall be considered by [Country Code Administrator] on a case by case basis, in its sole discretion, although [Country Code Administrator] may to honour such request wherever it is lawful or practicable to do so.

12. TRANSBORDER DATA FLOWS
12.1 [Country Code Administrator] may transfer Personal Information to someone (other than [Country Code Administrator], its affiliates or the Registrant) who is in a foreign country only if:
(1) [Country Code Administrator] reasonably believes that the recipient of the information is subject to a law, binding scheme, or contract which effectively upholds principles for fair Resolution of the information that are substantially similar to the privacy principles under CoCCA recommendations; or
(2) The Registrant consents to the transfer; or
(3) The transfer is necessary for the performance of a contract between the Registrant and [Country Code Administrator], or for the implementation of pre-contractual measures taken in response to the Registrants request; or
(4) The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Registrant between [Country Code Administrator], its affiliates or a third party; or
(5) All of the following apply:
(a) the transfer is for the benefit of the Registrant;
(b) it is impracticable to obtain the consent of the Registrant to that transfer; and
(c) if it were practicable to obtain such consent, the Registrant would be likely to give it; or
(6) [Country Code Administrator] has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the privacy principles in the CoCCA recommendations.

13. SENSITIVE INFORMATION
13.1 [Country Code Administrator] shall not collect sensitive information about a Registrant unless:
(1) the Registrant has consented; or
(2) the collection is required by law; or
(3) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the Registrant whom the information concerns:
(a) is physically or legally incapable of giving consent to the collection; or
(b) physically cannot communicate consent to the collection; or
(4) where the information is collected in the course of the activities of a non-profit organisation the following conditions are satisfied:
(a) the information relates solely to the members of [Country Code Administrator] or to individuals who have regular contact with it in connection with its activities;
(b) at or before the time of collecting the information, [Country Code Administrator] undertakes to the Registrant whom the information concerns that [Country Code Administrator] will not disclose the information without the Registrant's consent; or
(5) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

14. REVIEW OF POLICY:
14.1 [Country Code Administrator] reserves the right to review or revise this policy at any time and those people who volunteer their personal details to [Country Code Administrator] are deemed to acknowledge and be bound by this policy and any changes made to it. This in no way affects the privacy protection available under CoCCA recommendations or other relevant laws.

About the Council of Country Code Administrators
http://www.cocca.cx
Taking the view that administrators of ccTLDs are trustees for the internet domain, CoCCA Members seek, through consensus, to develop approaches, policies and technologies which improve the utility, technical stability, and interoperability of member ccTLD's with the DNS.

CoCCA has been established as an inclusive forum for collaboration among those trustees of ccTLDs that support responsible administration of the DNS, accountability models, and industry self-regulation. CoCCA is a non-profit, member owned company.