http://www.legislation.gov.uk/id/ukpga/2018/12

PART 3Law enforcement processing

CHAPTER 4Controller and processor

General obligations

62Logging

1

A controller (or, where personal data is processed on behalf of the controller by a processor, the processor) must keep logs for at least the following processing operations in automated processing systems—

a

collection;

b

alteration;

c

consultation;

d

disclosure (including transfers);

e

combination;

f

erasure.

2

The logs of consultation must make it possible to establish—

a

the justification for, and date and time of, the consultation, and

b

so far as possible, the identity of the person who consulted the data.

3

The logs of disclosure must make it possible to establish—

a

the justification for, and date and time of, the disclosure, and

b

so far as possible—

i

the identity of the person who disclosed the data, and

ii

the identity of the recipients of the data.

4

The logs kept under subsection (1) may be used only for one or more of the following purposes—

a

to verify the lawfulness of processing;

b

to assist with self-monitoring by the controller or (as the case may be) the processor, including the conduct of internal disciplinary proceedings;

c

to ensure the integrity and security of personal data;

d

the purposes of criminal proceedings.

5

The controller or (as the case may be) the processor must make the logs available to the Commissioner on request.