Re[2]: Nameless data can still be personal

[Chris Salter]

Hello Roland and UKCrypto,

Friday, November 7, 2008, 7:26:34 PM, you wrote:

> In article <1822185328.20081107144721@originalthinktank.org.uk>, Chris
> Salter <ukcrypto@originalthinktank.org.uk> writes
>>Taken at face value this means that standard Apache server logs are
>>covered by Data Protection Laws?

> They always were.

Obviously a 'mental blind-spot' on my part. While I have always been
careful not to include any 'end user' identifiable information in any
published web statistics, I've otherwise viewed both logs and reports
as proprietary (mine) rather than (other individuals) personal data.

>>So, for example, does this mean that all logs and associated traffic 
>>analysis reports must stored/transported encrypted?

> We haven't seen many cases of public criticism regarding data-loss where
> the data that was lost was as far removed from being able to facilitate
> identity theft as an Apache log would be.

> It would be good practice to encrypt any such data that was taken off 
> the premises, though.

More by accident than design it just so happens the logs themselves
and reports generated for my review are stored in encrypted form
(TruCrypt). However, I think I am going to have to take more
precautions with any reports I distribute 'internally'. Not that who
accesses the sites that I administer would in practice be considered
sensitive information.

Chris

-- 
 Chris Salter                      mailto:ukcrypto@originalthinktank.org.uk
 Cornwall United Kingdom        http://www.originalthinktank.org.uk/