Introduction | JANET Policies | Laws on Networking | Regulated Activities | Other Documents
ACTIVITIES: LOGGING AND DATA COLLECTION
It is strongly recommended that anyone responsible for a computer or network should collect sufficient logs of activity to be able to identify the account and individual responsible for any misuse. The policies for connection to the JANET network expect that sites will maintain such logs. Although logging is not required by law for private networks in the UK (the most recent Data Retention Regulations only apply to public networks), JANET-connected organisations that have failed to keep logs have found themselves being blamed for misuse from their site that they could not trace. It is quite possible that such blame could develop into a formal claim of liability for damage caused, leaving the organisation with bad publicity at best and a large bill for damages and legal costs at worst.
There are a number of legal issues that must be addressed in any logging activity. Even if the logs contain only information that the network was used by particular accounts, then they will constitute personal data within the meaning of the Data Protection Act 1998 (particularly the Privacy and Electronic Communications (EC Directive) Regulations 2003). This places restrictions on how logs may be used, and also requires that they be protected against misuse by appropriate technical and procedural measures. Personal data may only be kept so long as there is good reason to do so: organisations should ensure that they have a retention policy stating how long logs will be held and that they are deleted after this period. If the logs contain the content of any communication, for example the text of e-mails, news or chatroom conversations, then recording them counts as interception and the conditions of the Regulation of Investigatory Powers Act 2000 must also be met.
Law Enforcement access to Logfiles
Logs may also be of interest to law enforcement and other authorities, who may request access to them. Details of the processes that can be used to request and disclose logfiles and other information can be found on the page on working with law enforcement.
Further Information
Our Guidance Note on Logfiles contains further information about log files: how and why to collect them, examples of their use, and the legal issues that must be addressed. Wider information about Records Management in Education is available from the JISC.