Skip to main content
Hafan

What is logging?

Contents

Latest updates - 04 November 2025

04 November 2025  - We have updated this section of the guidance to reflect amendments from the Data (Use and Access) Act. 

Logs act as digital footprints and record the actions of users in automated processing systems. Logging is an internal accountability mechanism and provides a record of how somebody has used personal information within a system.

Examples of systems where users can access sensitive information about people and possibly make changes to that information include:

  • investigative casework;
  • searchable databases of people; or
  • electronically held files of information where use and access are limited to certain staff.

A log can be a record of the ‘who, what and when’ of a particular action.

The law enforcement provisions in the DPA 2018 do not include a definition of an ‘automated processing system’. However, it is interpreted to mean any system that uses personal information by automated means such as a computer and is likely to involve human interaction at some point (eg input of, or access to, information).

You must keep logs for at least the following actions:

  • collection – obtaining or gathering personal information in a system;
  • alteration – amending or supplementing an existing piece of information (eg updating or editing the information);
  • consultation – accessing or analysing information in a system;
  • disclosure (including transfers) – sharing information with another person or organisation, either within your organisation, internationally or with an authorised external third party;
  • combination – collating information, or consolidating files, on a system or from elsewhere; and
  • erasure – permanently deleting information.

For consultation and disclosure, you must record in the logs the identity of the person who accessed or disclosed the information so far as possible, along with the date and time of the associated action. For disclosures, you must also record the identity of the recipient of the information. This is particularly important as you may need to inform the recipients if you delete, amend or restrict the processing of this information following a request from someone.

You do not need to keep the erased information itself in your logs of erasure. Instead, you must produce a record that displays, for example, what information an identified user erased on a specific date. The log may simply record the ‘what’ (that certain information was updated) and the ‘who’ (the person who carried out the processing activity).