Data Protection Act 2018

82.

Data logging for automated processing system

82. (1) Subject to subsection (5), where a controller or processor carries out processing of personal data by automated means, the controller or processor, as the case may be, shall create and maintain a log (in this section referred to as a “data log”) of the following processing operations carried out in automated processing systems in respect of that processing:

(a) the collection of personal data for the purposes of such processing and the alteration of any such data;

(b) the consultation of the personal data by any person;

(c) the disclosure of the personal data, including the transfer of the data, to any other person;

(d) the combination of the personal data with other data;

(e) the erasure of the personal data, or some of the data.

(2) Where a data log contains information specified in paragraph (b) or (c) of subsection (1), the controller or processor, as the case may be, shall ensure that the data log contains sufficient information to establish the following:

(a) the date and time of the consultation or disclosure, as the case may be;

(b) the reason for the consultation or disclosure, as the case may be;

(c) in so far as is possible, the identification of the person who consulted or disclosed, as the case may be, the personal data;

(d) the identity of any recipient to whom the personal data were disclosed.

(3) A data log shall not be used by any person for any purpose other than—

(a) verifying the lawfulness of the processing,

(b) the monitoring by the controller of processing carried out by the controller,

(c) the monitoring by the processor of processing carried out by the processor,

(d) ensuring the integrity and security of the personal data concerned, or

(e) for the purposes of criminal proceedings.

(4) A controller or processor shall, where requested to do so, make a data log created and maintained by the controller or processor, as the case may be, available to the Commission for inspection and examination.

(5) This section shall not apply, in respect of an automated processing system established on or before 6 May 2016—

(a) prior to 6 May 2023, where compliance by a controller or processor, as the case may be, with this section prior to that date would involve disproportionate effort, or

(b) prior to 6 May 2026, where compliance by a controller or a processor, as the case may be, with this section prior to that date would cause serious difficulties for the operation of the automated processing system to which the data log relates.

(6) A controller or processor who intends to rely upon subsection (5)(b) in respect of an automated processing system operated by the controller or processor, as the case may be, shall notify the Minister in writing of the said intention on or before 31 December 2022.

(7) A notification referred to in subsection (6) shall include a description of the serious difficulties referred to in subsection (5)(b) in respect of the automated processing system concerned.