Ref: PRI Title: Privacy Policy Date Issued: 14 May 2009 Status: Current Version: 2.0

1.1 This policy details the general provisions that apply to the .nz domain name space ("DNS").

1.2 This policy is essential reading for all parties involved in the shared registry system ("SRS").

2. Background

2.1 InternetNZ has the ultimate responsibility within New Zealand for the .nz DNS and has implemented a SRS for the management of .nz domain name registrations and the operation of the DNS. InternetNZ has appointed the Domain Name Commission ("DNC") to manage and administer the .nz domain name space on behalf of InternetNZ.

2.2 A SRS establishes a single register for registering domain names and associated technical and administrative information. .nz Registry Services ("NZRS") operates the register.

2.3 The registration of domain names and modification of information associated with that name on the register can be effected only by authorised registrars. Registrars are responsible for the information they collect.

3. Principles

3.1 The management of the DNS involves the collection of personal information to effectively operate the DNS. Only personal information that is directly related to the function of the register, and that is necessary for, or directly related to this functioning, will be collected. This is in line with other Internet domain name registration services worldwide.

3.2 All registrars are obliged to disclose to their registrants

• 3.2.1 What personal information is required.
• 3.2.2 Why the information is required.
• 3.2.3 How it will be collected.
• 3.2.4 How it will be stored.
• 3.2.5 Any risks that the registrant is exposed to as a result of supplying this information.

3.4 Personal information will only be collected or solicited which is relevant to the operation of the .nz DNS and the .nz register.

3.5 All parties are required to comply with the Privacy Act 1993.

3.6 The registrar will not misuse personal information relating to registrants that they collect while registering or managing their domain names for any reason other than for reasonable purposes associated with that.

3.7 NZRS will comply with the terms and conditions of privacy agreements between registrars and registrants, in the management of personal information held on the register.

3.8 NZRS will take reasonable steps to protect a registrar's personal information against loss or unauthorised access, use, disclosure, or other misuse.

3.9 Registrars will prevent their access to the NZRS system from being used to send unsolicited communications to registrants except to registrants for whom they act who have authorised such communications.

3.10 NZRS will ensure that the security for the system conforms to industry best practice standards current at the time of implementation, to secure the data in the register against damage, loss, or unauthorised access. The main requirement is that of integrity, both of the data held in the register and who is able to access it.

3.11 The security system will enable the register to grant or deny specific users (the registrars and NZRS) access to specific processes. Each user will be authenticated before being granted access to a process.

3.12 NZRS will not accept receipt of any information under any imposed conditions of confidentiality or non-disclosure, whether express or implied, by the registrant or their registrar.

3.13 It is the responsibility of registrants to ensure that their web site implementation complies with the Privacy Act and addresses the privacy concerns of net users.

3.14 With the exception of the content of WHOIS queries, registrars will only be able to access domain name records for the registrants whose domain names they manage.

4. Collection of WHOIS Information

4.1 As outlined in the "WHOIS Policy" document (WSP), a WHOIS search is a worldwide feature of domain name systems. It functions as a user query mechanism that allows users to conduct searches on the identity and contact details of registrants.

4.2 Following is a list of all the personal information that will be used by NZRS to facilitate a WHOIS search:

• Domain Name.
• Designated Registrar.
• Name Server List.
• Registrant Contact Details.
• Administrative Contact Details.
• Technical Contact Details.
• Registration status.
• Date registered.
• Date registered/billed until.

4.4 In order to secure a .nz domain name, registrants must grant their permission to their registrar for this information to be disclosed.

4.5 In order to protect the interests of registrants, the following use of the WHOIS data is disallowed:

• 4.5.1 Use of WHOIS data to enable the transmission of unsolicited communications.
• 4.5.2 Bulk access to WHOIS data.

5.1 The DNC, may collect personal information that is required to undertake the functions of managing the .nz DNS.

5.2 This information is likely to be collected as part of the authorisation process, and through the Dispute and Complaint ("DCP"), and Investigation and Inquiry ("IIP") processes.

5.3 The DNC will request only such information as is required for the functions to be undertaken and will only use that information for the purpose it was collected.

6. General Information

6.1 InternetNZ has further privacy statements on its web site as www.internetnz.net.nz.

6.2 A range of information about .nz policies, the SRS, registrant rights, and domain names in general is publicly available on the Internet. This includes:

• A list of all authorised registrars, with links to their home pages.
• A list of second level moderators and their contact details.
• Current policy about domain names in .nz, dispute resolution, etc.
• Frequently asked questions.
• Links to other relevant sites.