PART 3Law enforcement processing
CHAPTER 4Controller and processor
General obligations
62Logging
(1)
A controller (or, where personal data is processed on behalf of the controller by a processor, the processor) must keep logs for at least the following processing operations in automated processing systems—
(a)
collection;
(b)
alteration;
(c)
consultation;
(d)
disclosure (including transfers);
(e)
combination;
(f)
erasure.
(2)
The logs of consultation must make it possible to establish—
(a)
the justification for, and date and time of, the consultation, and
(b)
so far as possible, the identity of the person who consulted the data.
(3)
The logs of disclosure must make it possible to establish—
(a)
the justification for, and date and time of, the disclosure, and
(b)
so far as possible—
(i)
the identity of the person who disclosed the data, and
(ii)
the identity of the recipients of the data.
(4)
The logs kept under subsection (1) may be used only for one or more of the following purposes—
(a)
to verify the lawfulness of processing;
(b)
to assist with self-monitoring by the controller or (as the case may be) the processor, including the conduct of internal disciplinary proceedings;
(c)
to ensure the integrity and security of personal data;
(d)
the purposes of criminal proceedings.
(5)
The controller or (as the case may be) the processor must make the logs available to the Commissioner on request.