Accountability, it’s not optional!
When people talk about the principles of data protection enshrined in law, they are grounded in years of progress around human rights, not just some arbitrary ideas thought up in Brussels. The important word is “protection” and always will be. The 7th principle of data protection, accountability, is the key to demonstrating that all the other principles are met. Without accountability, there can be no guarantee that all other aspects of data protection are adhered to. A recent article we wrote explored the importance of accountability and the ICO requirements.
Elizabeth Denham, Information Commissioner
Accountability encapsulates everything the GDPR is about.
Over the past 18 months, GDPR in Schools Ltd has raised the importance of documentation and record keeping, and the GDPRiS platform is core to our users’ accountability. It is important that you can see and track who raised a breach and when, who has responded, and the action taken. However, GDPRiS is not the only source of records. Within the many systems and products you use, there will be records of how that system was used. Likewise, within your MIS there is a background log keeping track of changes and access.
So we know that keeping logs and records is general practice, but why? If we look at the principles of data protection as stated by the ICO:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
It can be clearly seen that a ‘check’ can only be done if you are recording events. In the same way that Ofsted expects to see that evidence of good learning is being checked by the school, so too your DPO (and the ICO, if the school is audited or investigated) will want to see evidence of checking, and even the evidence itself.
As part of your DPIAs, you should be asking ‘what am I going to check to make sure that everything is as it should be?’ Where the logs themselves contain personal data, you should know how long you are retaining them (“forever” or “until we run out of space” are not the right answers!). It may be that the logs themselves are a core part of the processing of personal data.
If you are responding to security incidents or breaches, the NCSC has a range of advice. They summarise it as: “Once you have a logging strategy in place, you will be better prepared for the most pressing questions put to you by incident investigators should you suffer a cyber-attack. This will give you the best chance of recovering swiftly, and to defend your systems better against future incursions.”
Where software is local and controlled by you, many of your suppliers and providers will have guides about how to set up or manage logs, such as event logs on your Windows-based computers or limiting the size of reporting data on Smoothwall filters. Where the logs are controlled by the supplier as part of the delivery of the service, the details will be in their Data Processing Agreement / Terms and Conditions / Contract / Privacy Notice.
In short, you should know what is recorded and why, and make sure it is only kept for as long as you need it. If you are completing DPIAs, this will help you gather that information.
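As an added example (not code from the original article or from GDPRiS), here is a PowerShell check for the Windows event logs mentioned above: for each log it reports how records are overwritten and how far back they actually reach, compared with the retention period you have recorded in your DPIA. The 90-day period and the list of logs are assumptions for illustration; change them to match your own records.

```powershell
# Added example, not code from the original article or from GDPRiS.
# Reports, for each Windows event log, how records are overwritten and how far back
# they actually reach, against the retention period recorded in your DPIA.
# $RetentionDays and $LogNames are assumptions for illustration: change them to match your records.
# Run in an elevated PowerShell session; reading the Security log needs administrator rights.

function Test-EventLogRetention {
    param(
        [int]$RetentionDays = 90,                                      # documented period (assumption)
        [string[]]$LogNames = @('Security', 'System', 'Application')   # logs holding usernames etc. (assumption)
    )

    foreach ($name in $LogNames) {
        $cfg = Get-WinEvent -ListLog $name -ErrorAction Stop

        # The oldest and newest surviving records show the real span of data still held
        $oldest = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        $newest = Get-WinEvent -LogName $name -MaxEvents 1 -ErrorAction SilentlyContinue
        $spanDays = 0
        $oldestTime = $null
        if ($oldest -and $newest) {
            $oldestTime = $oldest.TimeCreated
            $spanDays = [math]::Round(($newest.TimeCreated - $oldest.TimeCreated).TotalDays, 1)
        }

        # LogMode: Circular = overwrite the oldest records when full ("until we run out of space"),
        # Retain = never overwrite ("forever"), AutoBackup = archive the file and start a new one
        $verdict = switch ("$($cfg.LogMode)") {
            'Retain'     { 'never overwritten: retention is unbounded, so document an archive/deletion step' }
            'AutoBackup' { 'archived copies accumulate: record where they go and when they are deleted' }
            default {
                if ($spanDays -gt $RetentionDays) { "holds $spanDays days, exceeds the $RetentionDays-day period" }
                else                              { "holds $spanDays days, within the $RetentionDays-day period" }
            }
        }

        [pscustomobject]@{
            Log          = $name
            Mode         = $cfg.LogMode
            MaxSizeMB    = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
            Records      = $cfg.RecordCount
            OldestRecord = $oldestTime
            Verdict      = $verdict
        }
    }
}

Test-EventLogRetention | Format-Table -AutoSize -Wrap
```

A log in Circular mode whose span is shorter than your documented period is losing records before you intended (raise the maximum size or export them); one whose span is longer, or any log in Retain mode, is keeping personal data past the period you have recorded.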