This policy applies to both centrally-managed and self-managed systems. It concerns information logged by services running on these machines. This document does not address data-protection, freedom-of-information or interception issues other than as they impact on logging.
This document is in two parts. The first part is the Policy itself. This is followed by an explanation and discussion.
In this policy a "service manager" is anyone who operates a service accessible to others, including on a self-managed machine. Note that this also includes personal machines (e.g. laptops) connected to the School network, by virtue of the University's Computing Regulations.
The terms "personal data" and "interception" are as defined in legislation. See the discussion below for details.
Service managers must document the purpose or purposes for which logs are produced. For each purpose:
For centrally-managed services, the service catalogue should be used to record DP or interception issues. For self-managed services, a support request should be used for notification.
Logs maintained ONLY for the purpose of debugging the operation of the service by that service's manager are normally "authorized" implicitly by the RIP Act, but must still meet any DPA requirements. Any other use requires the permission of the Head of School or his nominee, to ensure that the University's statutory obligations are discharged.
"'Personal data' means data which relate to a living individual who can be identified- (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller ..." (Data Protection Act 1998 §1). In addition, various specified types are known as "sensitive personal data" (DPA §2) and are subject to much more stringent processing constraints. There's a thorough discussion in the JISC Legal Code of Practice for the Further and Higher Education Sectors on the Data Protection Act 1998.
In terms of the Act's definition, above, the issue is not just whether the log entries identify individuals per se. If it is possible for us to identify to whom the entries relate, possibly using other information available to us, then the log entries are by definition personal data and must be processed accordingly.
All processing of personal data must be done in accordance with the Data Protection Principles set out in Schedule 1 of the DPA, and for one of the purposes notified in the University's DP registration. "Purpose 5" of the University's registration allows for the "administration and provision of computing facilities", and our processing falls under Schedule 2 condition 6(1): "The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject."
(Fortunately it's unlikely that any sensitive personal data would be logged in most cases, but it would be as well to be aware of the possibility. It's hard to see which of the Schedule 3 conditions we could possibly meet!)
The effective requirement here, then, is that processing must be in accordance with the Principles. In particular, data must be: processed fairly; obtained only for specified purposes; not excessive; not kept for longer than necessary; protected against unauthorised processing; and not exported outside the EEA. This doesn't mean that such processing can't happen, rather that when it does it is done according to the DPA's rules.
The upshot of all this is that logging associated with a service which has the "purpose of facilitating the transmission of communications", such as a web service or a mail or messaging service, is likely to constitute "interception", and must therefore be "authorized" by the Act or its associated Regulations (in particular the Lawful Business Practice regulations). It is therefore necessary to identify for each service the purpose for which logging is being undertaken to confirm that it is in accordance with the Regulations (or indeed §3(3) of the Act, which allows for interception "connected with the provision or operation" of a service; but note that this must be interpreted tightly).
Note that logging must in each case comply with all of the statutory requirements which are relevant. The DPA and RIPA rules must all be followed as required, and following one Act does not obviate the need to also follow the other.
Note also that just because logs are allowed for one purpose, it does not necessarily follow that they can be used for some other purpose. Each case must be assessed separately on its own merits. It may be that some form of redaction or anonymisation is required before they can be used for a secondary purpose. The simple act of passing raw data to someone counts as "processing", and so even in this case the DPA conditions must be met.
There is currently no statutory requirement for us to undertake data retention (JISC Legal overview on data retention); and in any case, there is no requirement to collect data additional to that needed for normal operational purposes. However, for our own purposes and to allow us to monitor compliance with, for example, the JANET AUP, we would likely want to keep some logs for some period. The LINX Best Current Practice on traceability suggests keeping such data for at least 3 months but no longer than 6 months; and once no longer required for this purpose such data should be anonymised or deleted.
The question of backups and archives is discussed elsewhere. Generally speaking, though, data in archives is likely still to fall under the DPA and FoI(S)A provisions, while backups held for disaster-recovery purposes and regularly rotated as part of an existing schedule might not. As a rule, logs containing personal data should not be archived, owing to the difficulty there would likely be in complying with the subject-access rights.
Informatics Forum, 10 Crichton Street, Edinburgh, EH8 9AB, Scotland, UK
Tel: +44 131 651 5661, Fax: +44 131 651 1426, E-mail: firstname.lastname@example.org
Unless explicitly stated otherwise, all material is copyright © The University of Edinburgh