The obligation to log is not only a requirement under data protection law, it also arises from IT security. This functionality should be taken into account both with self-programmed applications and when procuring third-party IT systems. The following article explains which data protection aspects must be observed when logging the system.
Logging / protocol files / log files
When logging, every activity (e.g. reading, changing, copying, deleting) is recorded together with further information such as the time and the user. In computer science the terms “protocol files”, “log data” or “log files” are also used in this context. There are three types of logging:
- Activities of the IT systems themselves (mostly for system monitoring)
- Activities of the administrators (e.g. during installation, configuration, changes to hardware and software)
- User activities
Content and scope of the log files
The log files must be used to verify who has processed which personal data and in what way. The content of the log files is primarily based on the protection requirements of the processed data, the risk assessment and the control purpose. If sensitive and critical systems or data are used and processed, a higher standard must be applied.
Regardless of this, there is a fundamental requirement that the content must make it possible to trace system errors as well as manipulation or unauthorized activities. In addition, the principle of necessity must be observed: only data that is necessary to fulfil the logging purpose may be recorded (precautionary logging without a defined purpose is not permitted).
In particular, a log file should contain the following information:
- who (authentication)
- when (timestamp)
- which activity (data entry and modification)
- on which data (the affected data records).
Earmarking and evaluation
Log data may be recorded for the purpose of data protection control, data backup or to ensure the proper operation of a data processing system (Section 31 BDSG). The log data must be able to provide information on who has processed which personal data and in what way, for example in order to be able to detect manipulation. Before logging starts, it must be determined for what purpose the logging is carried out. The justification should not be generalized (e.g. “security purpose”) but as detailed as possible (e.g. detection and analysis of system weaknesses and their elimination).
Log files should be evaluated regularly, in a fixed cycle (e.g. once a month), on a random-sample basis; automated evaluation should be used where possible. In addition, the logs may be evaluated on an event-related basis as required. Particularly for event-related evaluation and the evaluation of personal data, the evaluation should be carried out and documented according to the four-eyes principle.
It is very important to note that log files may not be evaluated to monitor the behavior and performance of employees (Section 31 BDSG).
Deletion of log files
Log files may only be stored for as long as they are required for the intended purpose. That is why the deletion periods must be set before logging starts. Since there is no statutory regulation on deletion periods, it is advisable to be guided by what is required to fulfil the purpose. How long the log data can be kept depends on the specified purpose and can also correspond to the evaluation cycle.
Normally, however, the data should be deleted after 6 months at the latest (similar to Section 15 (7) TMG). In addition, however, other legal requirements should also be observed, which may justify a longer storage period.
Data protection requirements
When procuring IT systems, but also for existing IT systems, the data protection officer should keep an eye on proper logging during the examination. The following checklist gives an overview of what has to be considered:
1. Creation of a logging concept with the following points:
- Purpose of logging
- Content and scope
- Evaluation (when, by whom, four-eyes principle, typical scenarios)
- Deletion periods
- Roles and authorization concept
- Responsibilities for controlling compliance
2. Pseudonymization or anonymization of personal data, if possible
3. Use of evaluation software
4. Choice of a common format for the log files
5. Technical measures to protect against manipulation of log files (e.g. separate log server)
6. Technical measures to protect against unauthorized access
7. Use of encryption techniques (e.g. when log files with personal data are transmitted)
8. Consideration of prior checking
9. Examination of the involvement of the works council
10. Test procedure: testing proper logging
11. Regular control and adjustment
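The following added example (written for this article; it is not code from the original page or from any product) shows how the requirements above can be met in a small audit-log component: each record carries the four required fields (who, when, which activity, which data) plus the fixed purpose; the user identifier is pseudonymized with a keyed hash so the log can be evaluated without plain user names; records are written in a common machine-readable format (JSON lines); each record is chained to its predecessor by a hash so manipulation can be detected during the test procedure; and entries older than the retention period are deleted. The key, the purpose text, and the sample records are constructed for the demonstration.

```python
"""
Minimal purpose-bound audit log (constructed example for this article).
Covers: who / when / activity / data content, pseudonymized user ids,
JSON-lines format, hash-chain tamper evidence, retention-based deletion.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Hypothetical pseudonymization secret. In practice it is kept outside the
# log system (e.g. with the data protection officer) so that re-identification
# needs a second party, in line with the four-eyes principle.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

# Upper bound from the article: delete after 6 months at the latest.
RETENTION = timedelta(days=183)

GENESIS = "0" * 64  # chain anchor before the first entry


def pseudonymize(user_id: str) -> str:
    """Keyed hash: stable for the same user under one key, not reversible without it."""
    return hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]


class AuditLog:
    def __init__(self, purpose: str):
        # The purpose is fixed before the first record and stored with each entry.
        self.purpose = purpose
        self.entries: list[dict] = []
        self.anchor = GENESIS  # hash of the last entry deleted by retention

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user_id: str, activity: str, data_ref: str, when=None) -> dict:
        """Append one entry: who, when, which activity, on which data."""
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else self.anchor
        entry = {
            "who": pseudonymize(user_id),
            "when": when.isoformat(),
            "activity": activity,
            "data": data_ref,
            "purpose": self.purpose,
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Test procedure: every entry must hash correctly and link to its predecessor."""
        prev = self.anchor
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def purge_expired(self, now=None) -> int:
        """Delete entries older than RETENTION; keep the chain verifiable afterwards."""
        now = now or datetime.now(timezone.utc)
        cutoff = now - RETENTION
        keep_from = next((i for i, e in enumerate(self.entries)
                          if datetime.fromisoformat(e["when"]) >= cutoff),
                         len(self.entries))
        if keep_from > 0:
            self.anchor = self.entries[keep_from - 1]["hash"]
        removed, self.entries = keep_from, self.entries[keep_from:]
        return removed

    def to_jsonl(self) -> str:
        """Common format for transfer to evaluation software or a separate log server."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def demo() -> dict:
    """Constructed walk-through: write, verify, detect tampering, purge."""
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    log = AuditLog("detection and analysis of unauthorized access to customer records")
    log.record("alice", "read", "customer/4711", when=base)
    log.record("bob", "change", "customer/4711", when=base + timedelta(days=10))
    log.record("alice", "delete", "customer/0815", when=base + timedelta(days=190))
    intact = log.verify_chain()
    # Simulated manipulation: the activity of an existing record is rewritten.
    tampered = AuditLog(log.purpose)
    tampered.entries = [dict(e) for e in log.entries]
    tampered.entries[1]["activity"] = "read"
    removed = log.purge_expired(now=base + timedelta(days=200))
    return {"intact": intact, "tampered_detected": not tampered.verify_chain(),
            "removed": removed, "remaining": len(log.entries),
            "chain_after_purge": log.verify_chain()}


if __name__ == "__main__":
    print(demo())
```

The hash chain only detects manipulation after the fact; it does not prevent it, which is why the checklist still asks for a separate log server and access controls. Note that the purge keeps the hash of the last deleted entry as the new chain anchor, so retention-based deletion does not make the remaining records look tampered with.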