Logging Policy: Data Protection, Interception and Freedom of Information

This policy applies to both centrally-managed and self-managed systems. It concerns information logged by services running on these machines. This document does not address data-protection, freedom-of-information or interception issues other than as they impact on logging.

This document is in two parts. The first part is the Policy itself. This is followed by an explanation and discussion.

Policy

In this policy a "service manager" is anyone who operates a service accessible to others, including on a self-managed machine. Note that this also includes personal machines (e.g. laptops) connected to the School network, by virtue of the University's Computing Regulations.

The terms "personal data" and "interception" are as defined in legislation. See the discussion below for details.

Service managers must document the purpose or purposes for which logs are produced. For each purpose:

  1. service managers must check whether personal data might be logged; if so, a justification must be given and steps to ensure compliance with the Data Protection Principles (Data Protection Act 1998 Schedule 1) noted
  2. service managers must check whether interception might be taking place; if so, the "authorization" must be noted
  3. service managers must ensure that retention periods are appropriate

For centrally-managed services, the service catalogue should be used to record DP or interception issues. For self-managed services, a support request should be used for notification.

Logs maintained ONLY for the purpose of debugging the operation of the service by that service's manager are normally "authorized" implicitly by the RIP act, but must still meet any DPA requirements. Any other use requires the permission of the Head of School or his nominee, to ensure that the University's statutory obligations are discharged.

Examples

The following are just some examples of personal data. Bear in mind that the DPA definition refers to "other information which is in the possession of, or is likely to come into the possession of, the data controller", so it isn't sufficient to consider just whether the data per se identify living individuals.

Discussion

In terms of the regulatory framework in which our logging has to operate, the main influences are the Human Rights Act 1998, the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000 (see links below). In addition, the information we log will (subject to the usual exemptions) be available on request under the Freedom of Information (Scotland) Act 2002.
  1. The Human Rights Act incorporates the European Convention on Human Rights and its various Protocols into UK law. Everything the University does must be in accordance with the ECHR. Working within the constraints of the Data Protection Act and the Regulation of Investigatory Powers Act, which were set up in part as a result of ECHR issues, and following established industry practice should allow us to argue that we are indeed in accord with the HRA, though we should always bear in mind its underlying principles.
  2. The Data Protection Act 1998 imposes constraints on how we process personal data, as well as providing statutory rights of access and correction for data subjects.

    "'Personal data' means data which relate to a living individual who can be identified- (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller ..." (Data Protection Act 1998 §1). In addition, various specified types are known as "sensitive personal data" (DPA §2) and are subject to much more stringent processing constraints. There's a thorough discussion in the JISC Legal Code of Practice for the Further and Higher Education Sectors on the Data Protection Act 1998.

    In terms of the Act's definition, above, the issue is not just whether the log entries identify individuals per se. If it is possible for us to identify to whom the entries relate, possibly using other information available to us, then the log entries are by definition personal data and must be processed accordingly.

    All processing of personal data must be done in accordance with the Data Protection Principles set out in Schedule 1 of the DPA, and for one of the purposes notified in the University's DP registration. "Purpose 5" of the University's registration allows for the "administration and provision of computing facilities", and our processing falls under Schedule 2 condition 6(1): "The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject."

    (Fortunately it's unlikely that any sensitive personal data would be logged in most cases, but it would be as well to be aware of the possibility. It's hard to see which of the Schedule 3 conditions we could possibly meet!)

    The effective requirement here, then, is that processing must be in accordance with the Principles. In particular, data must be: processed fairly; obtained only for specified purposes; not excessive; not kept for longer than necessary; protected against unauthorised processing; and not exported outside the EEA. This doesn't mean that such processing can't happen, rather that when it does it is done according to the DPA's rules.

  3. "Interception" is subject to the Regulation of Investigatory Powers Act 2000. The definitions are somewhat convoluted, but essentially interception is making "some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication." There is a limited exclusion for "traffic data", which amounts to header, addressing and routing information, but it is stated explicitly in the Act's Explanatory Note ¶34 as well as rather obliquely in the Act itself that the traffic data "may identify a server but not a website or page."

    The upshot of all this is that logging associated with a service which has the "purpose of facilitating the transmission of communications", such as a web service or a mail or messaging service, is likely to constitute "interception", and must therefore be "authorized" by the Act or its associated Regulations (in particular the Lawful Business Practice regulations). It is therefore necessary to identify for each service the purpose for which logging is being undertaken to confirm that it is in accordance with the Regulations (or indeed §3(3) of the Act, which allows for interception "connected with the provision or operation" of a service; but note that this must be interpreted tightly).

The University does notify all users fairly regularly that interception and processing of personal data may take place for the purposes given in the notification.

Note that logging must in each case comply with all of the statutory requirements which are relevant. The DPA and RIPA rules must all be followed as required, and following one Act does not obviate the need to also follow the other.

Note also that just because logs are allowed for one purpose, it does not necessarily follow that they can be used for some other purpose. Each case must be assessed separately on its own merits. It may be that some form of redaction or anonymisation is required before they can be used for a secondary purpose. The simple act of passing raw data to someone counts as "processing", and so even in this case the DPA conditions must be met.

There is currently no statutory requirement for us to undertake data retention (JISC Legal overview on data retention); and in any case, there is no requirement to collect data additional to that needed for normal operational purposes. However, for our own purposes and to allow us to monitor compliance with, for example, the JANET AUP, we would likely want to keep some logs for some period. The LINX Best Current Practice on traceability suggests keeping such data for at least 3 months but no longer than 6 months; and once no longer required for this purpose such data should be anonymised or deleted.
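As an added illustration (not part of the policy), the script below applies the retention rule above and the redaction mentioned for secondary use to constructed sample access-log lines: it pseudonymises the client address and username in entries older than 3 months and discards entries older than 6 months. It assumes a hypothetical line format and a key held by the service manager; while that key exists the hashed entries remain personal data in the DPA sense, so the key must not accompany the log when it is passed on.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines (hypothetical users, RFC 5737 test addresses).
SAMPLE_LOG = """\
2024-01-05T10:00:00Z 192.0.2.10 alice GET /index.html 200
2024-03-20T11:30:00Z 198.51.100.7 bob GET /private/report.pdf 403
2024-06-01T09:15:00Z 192.0.2.10 alice POST /login 302
"""

# Assumed key held only by the service manager; with it the hashes are still personal data,
# so it must be kept back (or destroyed) when the log is released for a secondary purpose.
PSEUDONYM_KEY = b"constructed-example-key"

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<rest>.*)$")

def pseudonymise(value: str) -> str:
    """Keyed HMAC of an identifier: entries stay linkable to each other, not to a person."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]

def apply_retention(log_text: str, now: datetime,
                    anonymise_after: timedelta = timedelta(days=90),
                    delete_after: timedelta = timedelta(days=180)) -> list[str]:
    """Drop entries older than delete_after; pseudonymise those older than anonymise_after."""
    kept = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess at its fields
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        age = now - ts
        if age > delete_after:
            continue
        if age > anonymise_after:
            line = f"{m['ts']} {pseudonymise(m['ip'])} {pseudonymise(m['user'])} {m['rest']}"
        kept.append(line)
    return kept

def example_run() -> list[str]:
    """Process the sample log as of a fixed, constructed 'now' (1 August 2024)."""
    return apply_retention(SAMPLE_LOG, datetime(2024, 8, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for entry in example_run():
        print(entry)
```

With the constructed "now", the January entry is dropped, the March entry keeps its timestamp and request but loses the address and username, and the June entry is kept unchanged.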

The question of backups and archives is discussed elsewhere. Generally speaking, though, data in archives is likely still to fall under the DPA and FoI(S)A provisions, while backups held for disaster-recovery purposes and regularly rotated as part of an existing schedule might not. As a rule, logs containing personal data should not be archived, owing to the difficulty there would likely be in complying with subject-access rights.

Useful Links


Informatics Forum, 10 Crichton Street, Edinburgh, EH8 9AB, Scotland, UK
Unless explicitly stated otherwise, all material is copyright © The University of Edinburgh