This is a DRAFT Logging Policy. It is intended to apply to both managed and self-managed systems and concerns information logged by services running on these machines. This document does not address data-protection, freedom-of-information or interception issues other than as they impact on logging.
This document is in two parts. The first part is the Policy itself. This is followed by an explanation and discussion.
Service managers must document the purpose or purposes for which logs are produced. For each purpose:
"'Personal data' means data which relate to a living individual who can be identified- (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller ..." (Data Protection Act 1998 §1). In addition, various specified types are known as "sensitive personal data" (DPA §2) and are subject to much more stringent processing constraints. There's a thorough discussion in the JISC Legal Code of Practice for the Further and Higher Education Sectors on the Data Protection Act 1998.
In terms of the Act's definition, above, the issue is not just whether the log entries identify individuals per se. If it is possible for us to identify to whom the entries relate, possibly using other information available to us, then the log entries are by definition personal data and must be processed accordingly.
All processing of personal data must be done in accordance with the Data Protection Principles set out in Schedule 1 of the DPA, and for one of the purposes notified in the University's DP registration. "Purpose 5" of the University's registration allows for the "administration and provision of computing facilities", and our processing falls under Schedule 2 condition 6(1): "The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject."
(Fortunately it's unlikely that any sensitive personal data would be logged in most cases, but it would be as well to be aware of the possibility. It's hard to see which of the Schedule 3 conditions we could possibly meet!)
The effective requirement here, then, is that processing must be in accordance with the Principles. In particular, data must be: processed fairly; obtained only for specified purposes; not excessive; not kept for longer than necessary; protected against unauthorised processing; and not exported outside the EEA.
The upshot of all this is that logging associated with a service which has the "purpose of facilitating the transmission of communications" (such as a web service or perhaps a mail service or messaging service) is likely to constitute "interception", and must therefore be "authorised" by the Act or its associated Regulations (in particular the Lawful Business Practice Regulations). It is therefore necessary to identify for each service the purpose for which logging is being undertaken, to confirm that it is in accordance with the Regulations (or indeed §3(3) of the Act, which allows for interception "connected with the provision or operation" of a service; but note that this must be interpreted tightly).
The University does notify all users fairly regularly that interception and processing of personal data may take place for the purposes given in the notification.
Note that logging must in each case comply with all of the statutory requirements which are relevant. The DPA and RIPA rules must all be followed as required, and following one Act does not obviate the need to also follow the other.
Note also that just because logs are allowed for one purpose, it does not necessarily follow that they can be used for some other purpose. Each case must be assessed separately on its own merits. It may be that some form of redaction or anonymisation is required before they can be used for a secondary purpose. The simple act of passing raw data to someone counts as "processing", and so even in this case the DPA conditions must be met.
There is currently no statutory requirement for us to undertake data retention (JISC Legal overview on data retention); and in any case, there is no requirement to collect data additional to that needed for normal operational purposes. However, for our own purposes and to allow us to monitor compliance with, for example, the JANET AUP, we would likely want to keep some logs for some period. The LINX Best Current Practice on traceability suggests keeping such data for at least 3 months but no longer than 6 months; and once no longer required for this purpose such data should be anonymised or deleted.
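The retention window and the "anonymise or delete" step described above can be applied mechanically. The following is an added illustration, not code from the University or from LINX: it assumes Apache common-log-format lines, approximates the 3- and 6-month limits as 90 and 180 days, and uses constructed sample entries. Entries younger than the minimum are retained raw, entries between the two limits are flagged as retainable only while still needed for the stated purpose, and entries past the maximum are anonymised (IPv4 truncated to its /24, user name and query string dropped) before anything is kept.

```python
"""Retention and anonymisation of access-log entries (added example).

Approximates the window suggested above: raw data kept for at least
~3 months, no longer than ~6 months, then anonymised or deleted.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - alice [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [15/Mar/2024:12:30:00 +0000] "GET /search?q=x HTTP/1.1" 200 2048
203.0.113.42 - bob [20/Jun/2024:08:15:00 +0000] "POST /login HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed approximations of "at least 3 months" and "no longer than 6 months".
MIN_RETENTION = timedelta(days=90)
MAX_RETENTION = timedelta(days=180)


def parse_line(line):
    """Split one common-log-format line into its fields; timestamp becomes aware datetime."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FORMAT)
    return entry


def anonymise_entry(entry):
    """Remove what makes the entry personal data: truncate IPv4 to /24,
    drop the authenticated user name and strip the query string
    (which may itself carry identifying information)."""
    out = dict(entry)
    octets = out["ip"].split(".")
    if len(octets) == 4:
        out["ip"] = ".".join(octets[:3] + ["0"])
    out["user"] = "-"
    method, _, rest = out["req"].partition(" ")
    path, _, proto = rest.partition(" ")
    out["req"] = f"{method} {path.split('?', 1)[0]} {proto}".strip()
    return out


def classify(entry, now):
    """Decide what the retention window allows for this entry at time `now`."""
    age = now - entry["ts"]
    if age < MIN_RETENTION:
        return "retain"            # still within the minimum period
    if age < MAX_RETENTION:
        return "retain_if_needed"  # may be kept only while the purpose still applies
    return "anonymise"             # past the maximum: anonymise (or delete)


def apply_retention(log_text, now_iso):
    """Return the entries that survive the policy at the ISO-8601 time `now_iso`:
    raw entries within the window, anonymised ones beyond it, each tagged with
    the action taken."""
    now = datetime.fromisoformat(now_iso)
    result = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        action = classify(entry, now)
        if action == "anonymise":
            entry = anonymise_entry(entry)
        entry["action"] = action
        result.append(entry)
    return result


if __name__ == "__main__":
    for row in apply_retention(SAMPLE_LOG, "2024-09-01T00:00:00+00:00"):
        print(row["action"], row["ip"], row["user"], row["req"])
```

Deleting rather than anonymising is the simpler choice where the anonymised record serves no remaining purpose; the point of keeping a truncated form is only to preserve aggregate traffic statistics without retaining personal data.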
The question of backups and archives is discussed elsewhere. Generally speaking, though, data on archives is likely still to fall under the DPA and FoI(S)A provisions, while backups held for disaster-recovery purposes and regularly rotated as part of an existing schedule might not. As a rule logs containing personal data should not be archived, owing to the difficulty there would likely be in complying with the subject-access rights.
Please contact us with any comments or corrections.
Unless explicitly stated otherwise, all material is copyright The University of Edinburgh