CNIL publishes draft recommendation on retention of traceability data

This article was first published by the IAPP in the Privacy Advisor 

On May 28, France’s data protection authority, the Commission nationale de l’informatique et des libertés, launched a public debate over its draft recommendation relating to terms of retention and use of data logs. According to the CNIL, maintaining data logs is an essential tool for respecting the security of processing personal data, provided for in Articles 5 and 32 of the EU General Data Protection Regulation. 

In its draft recommendation, the CNIL underlines that one of the purposes of data logs, particularly in multi-user systems, is to ensure traceability of access to and actions on the information systems within an organization, which facilitates compliance with the security policy. A data log can help during a security event (e.g., intrusion into computer systems or misuse of data processed by authorized persons) for the purposes of flagging events, detection and forensic investigations.

In order to be able to identify unauthorized access, misuse of personal data or the origin of a security incident, the CNIL underlines that actions performed on computer systems should be recorded through a technique for managing traces and incidents. Records must be accurately maintained and should not be kept for an excessive period of time. Therefore, the CNIL recommends that organizations implement a system for processing and analysing the data collected and formalize a process for generating and managing alerts in the event of suspicious or deviating behaviour.

When it comes to retention periods for data logs, the CNIL recommends that a period not exceeding six months to one year is sufficient, except in cases where a legal obligation or a particularly significant risk would require another retention period. The data controller must be able to justify and document the reasons for considering a longer period, such as invoking a particular legal obligation. A longer period may also be justified where it is the only measure able to address high risks to individuals identified in a data protection impact assessment or an equivalent assessment. This analysis should be carried out on a case-by-case basis by applying the principles of the GDPR to determine the guarantees in terms of security conditions, access and storage purposes for this data.

In any case, retention terms of data logs are required to strike a balance between the need for logging to identify breaches of the processing system and the need to maintain only a reasonable amount of data to better avoid attacks or misuse.


The minimum amount of data for fulfilling the detection and investigation purposes must be considered. Normally, it is recommended that data logs contain the username, the date and time of their connection and the date and time of their disconnection and, if necessary, details of the actions performed by the user, the types of data consulted, and the reference of the record concerned.

Organizations are advised to be accountable and maintain transparency toward users by informing them of the implementation of the system, after a critical review of it with staff representatives and works councils. Furthermore, according to the draft recommendation, organizations should protect logging equipment and logged information from unauthorized access, including making it inaccessible to those whose activity is logged, and establish procedures detailing the monitoring of processing usage and periodic reviews of log events to search for possible anomalies. It is advisable that data controllers train the staff in charge of overseeing the traces and incidents systems and notify them as soon as any attempt at tampering is identified. Data controllers should determine the permissions required for access to data logs and the relevant restrictions.

A balance needs to be found between security, surveillance and risks. Data logs can include data relating to authorized users of the system, which, through log analysis (collection, cleaning and structuring), may reveal private information about them related to their professional performance, their working habits or their behavior. Data controllers should be aware of Recital 50 of the GDPR, which requires data controllers to process data only for the purposes for which it has been collected.

Therefore, purpose limitation applies to the use of data logs to maintain the integrity and security of both data and systems. Data logs cannot be used outside of this purpose unless the additional purposes are compatible with the original purpose or there is a legal prescription for it. Additionally, the CNIL observes that long storage of data logs can generate additional risks for the security of the information system: oversaturation of the server, which can lead to unavailability, or illegitimate access allowing information to be extracted, altered or lost.

The DPA recommends keeping data logs segregated from the main system, for example written to physically separate equipment that remains accessible but does not allow existing data to be overwritten.

Additionally, data logs should contain only pseudonymous identifiers, or data for which re-identification is particularly difficult. Setting up purging procedures and tools aimed at deleting data whose retention period has expired is recommended.

It is important to balance the security provided by logging, the monitoring that this type of processing activity can create and the emergence of risks linked to long retention periods.

Another practical consequence of keeping log files is the data controller’s ability to provide data subjects with the list of third-party recipients the data has been disclosed to for an access request. The European Court of Human Rights judgment in College van burgemeester en wethouders van Rotterdam v M. E. E. Rijkeboer highlights how essential this obligation is in privacy protection. 

The ruling had important consequences regarding how long access logs need to be archived when an application provides access to personal data. According to the ruling, it is for Member States to set a time limit for storing the information and providing access to it, balancing the interest of the data subject in exercising his rights against the burden on the controller of storing the information.

The CNIL recommends that the operations of creation, consultation, modification and deletion of personal data and information contained in processes where logging is applied be correspondingly recorded, including the individual's details, the timestamp, the nature of the operation carried out and the reference of the data concerned by this processing activity. Duplication of data in logs is not recommended. Logging can be integrated at the application level or managed at a technical level by the application software.
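A minimal log record and purge routine built to the field list and retention limit described above, added here as an illustration; it is not the CNIL's code or any project's code, and the function names, the one-year default and the constructed sample values are assumptions.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Hypothetical names for this example: pseudonymize_user, make_entry, purge_expired.
# The draft suggests six months to one year; a longer period needs a documented justification.
MAX_RETENTION = timedelta(days=365)

ALLOWED_OPS = {"login", "logout", "create", "read", "update", "delete"}


def pseudonymize_user(username: str, secret: bytes) -> str:
    """Keyed hash of the username: the log carries a pseudonym, and the key is held
    outside the log store, so reading the log alone does not identify the person."""
    return hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()[:16]


def make_entry(username: str, secret: bytes, operation: str, record_ref: str, when=None) -> dict:
    """One record with only the fields the draft lists: who (pseudonym), when, what, which record.
    The personal data itself is never copied into the log, only its reference."""
    if operation not in ALLOWED_OPS:
        raise ValueError(f"unexpected operation: {operation}")
    when = when or datetime.now(timezone.utc)
    return {
        "user": pseudonymize_user(username, secret),
        "ts": when.isoformat(),
        "op": operation,
        "ref": record_ref,
    }


def purge_expired(entries, now, retention=MAX_RETENTION, justification=None):
    """Drop entries older than the retention period. Keeping logs beyond one year
    is refused unless a justification (legal obligation, DPIA finding) is recorded."""
    if retention > MAX_RETENTION and not justification:
        raise ValueError("retention beyond one year needs a documented legal basis or DPIA finding")
    cutoff = now - retention
    return [e for e in entries if datetime.fromisoformat(e["ts"]) >= cutoff]
```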

The draft recommendation provides for a generic analysis of data log processing activities. Additional protective measures may be necessary for certain processing activities. Conducting a data protection impact assessment is recommended to determine appropriate additional measures.

The recommendation is aimed at all private and public bodies and, more specifically, data controllers, data protection officers and those responsible for the security of information systems.

The draft guidance is open for public debate until July 23. Shortly thereafter, a new version of the draft recommendation will be presented in a plenary session for final adoption.

Author Petruta Pirvan, Founder and Legal Counsel Data Privacy and Digital Law @EU Digital Partners