PART 3Law enforcement processing
CHAPTER 4Controller and processor
General obligations
62Logging
1
A controller (or, where personal data is processed on behalf of the controller by a processor, the processor) must keep logs for at least the following processing operations in automated processing systems—
a
collection;
b
alteration;
c
consultation;
d
disclosure (including transfers);
e
combination;
f
erasure.
2
The logs of consultation must make it possible to establish—
a
the justification for, and date and time of, the consultation, and
b
so far as possible, the identity of the person who consulted the data.
3
The logs of disclosure must make it possible to establish—
a
the justification for, and date and time of, the disclosure, and
b
so far as possible—
i
the identity of the person who disclosed the data, and
ii
the identity of the recipients of the data.
4
The logs kept under subsection (1) may be used only for one or more of the following purposes—
a
to verify the lawfulness of processing;
b
to assist with self-monitoring by the controller or (as the case may be) the processor, including the conduct of internal disciplinary proceedings;
c
to ensure the integrity and security of personal data;
d
the purposes of criminal proceedings.
5
The controller or (as the case may be) the processor must make the logs available to the Commissioner on request.