Gratitude. This is the title of the email thread¹ that started a debate over privacy & data protection within the AFRINIC community.

The email was sent on the “community discuss” mailing list of AfriNIC. It was a reaction to something that was found in the minutes of a special board meeting that was held on 5 March 2019. The minutes were published² on the AfriNIC website.

The author of the email expressed his gratitude towards the current CEO of AfriNIC and one board director for their “efforts to keep the community involved in AfriNIC matters in an open and transparent way”.

What followed on the “community discuss” list were long heated emails mostly criticizing two board directors who raised an issue pertaining to board members and the CEO of AfriNIC publishing a document without consulting the board.

In fact, the special board meeting was called to discuss this matter. The document that was shared contained a court ruling, annexes, attorney letters and an affidavit sworn by the board director who during the meeting expressed that no decision was taken regarding the disclosure of personal data to the community.

I read the board meeting minutes and then I checked the redacted version³ of the court record published on the AfriNIC website.

The fuss on the mailing list is that the board director is complaining over a “petty matter”, that his consent is required before publication of the document containing his name and residential address. In my opinion, the board director is right to complain about the lack of consideration on part of the CEO and other board members for having shared the document without consulting the persons whose personal data are in the document. Personal data is not limited to name & a residential address. A sworn affidavit has more personal data than just names & addresses; I won’t go into details.

Even though if the personal data was limited to just a name & a physical address, it would still not be appropriate for the CEO and the board members to share the document on a public channel.

Names & addresses of company directors can be obtained from the Registrar of Companies of Mauritius upon request. Does that give the recipient of the information rights to re-publish?

In an article published by Le Mauricien⁴ newspaper, the Data Protection Commissioner of Mauritius, Mrs D. Madhub, said that all the governmental institutions, i.e the various departments of all ministries, should be registered as data controllers. That means, the Corporate and Business Registration Department⁵ which falls under the Ministry of Finance and Economic Development, should be a data controller too. Now, if personal data is included in a record obtained from the Registrar of Companies, does it become public data as some appear to insinuate on the AfriNIC Community Discuss list?

I wrote to the Data Protection Commissioner to obtain a better opinion on the matter. Based on past experience with the Data Protection Office though, I am not expecting a quick reply.