subpage_img01 subpage_img02 subpage_img03 filler
Images for the Office of the Provost - Harvard University
Home > Enterprise Security Policy > 5. Physical Environment and Recording the Activities of Individuals > 5.2 Recording Information About the Activities of Individuals

5.2 Recording Information About the Activities of Individuals

Policy

Any unit that maintains logs or automatically generated records of actions of individuals must adopt written policies on the purpose of, and retention and access policies for, such logs and records.

Discussion

Logs of the activity of individuals are made for many reasons. Some logs, for example those of the use of web servers, are used to determine the interests of visitors to the web site and can be helpful in revising the web site to better serve its visitors. Other logs are made during the course of an investigation into some security incident and are intended to help reveal the identity of an attacker and provide evidence for potential legal action. The most common reason for creating a log is to provide a combination of a deterrent against bad behavior and as an aid to any investigation when bad behavior was not deterred.

For logs to be useful as a deterrent, a statement of what information is being collected about an individual, why that information is being collected, how long that information will be kept and who will have access to the information must be developed for each such collection of information. This includes logs produced by building access control systems, web servers or other computer applications and surveillance camera recordings.

Such statements should be made available to the individuals who are the subjects of the information collecting activity by posting them, by distributing them or by making them available upon request. In most cases conspicuous signs should note the presence of surveillance cameras.

An example of such statements are the Privacy Statements that should appear on all Harvard web sites. (Note, web links to privacy statements should appear on the first page of each separately managed set of web pages but do not need to appear on every web page.)

The OGC should be consulted before any access is granted to collected information if the request for access does not meet the criteria defined in the statement.

This policy also does not cover the records generated in the normal course of business at Harvard, only the automatically created logs of the activities of individuals such as logs created by building access control systems, web and application servers and surveillance cameras. Other records are subject to the rules defined in the Harvard General Record Schedule.

Best Practice

If information is collected about user access, whether the access is physical (e.g. buildings) or electronic (e.g. web servers), users must be notified accordingly. The statement should contain what information is being collected, why that information is needed, duration of the log, and and who will have access to the information. See an example of privacy statements that may be used in these cases.

http://www.security.harvard.edu/resources/statements/web-privacy-statements

Supported by WDS