Accounting

The base principle

Any access to, and subsequent activity on, any system or data must employ adequate accounting techniques to ensure events can be attributed to the authenticated entity.

Accounting information must be stored in such a way that it cannot be readily manipulated, particularly by the authenticated entity.

Log data security & governance

Log data can include Personal Data or sensitive data captured inadvertently (for example, when an application or system is unexpectedly verbose), and must be adequately protected and governed in a way comparable to the original system’s data.

Log data created and processed for information security purposes should be retained for no longer than 2 (two) years by default (subject to any legislative or regulatory compliance requirements), but for a minimum of 6 months.

These retention periods are a general guide and require contextual analysis, particularly where Personal Data is involved.

Feedback

If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.