It is strongly recommended that anyone responsible for a computer or network should collect sufficient logs of activity to be able to identify the account and individual responsible for any misuse.
The policies for connection to the Janet Network expect that sites will maintain such logs.
Requirements for logs are discussed in our technical guide.
Risks of not keeping logs
Even though logging may not be required by law (see the section on Data Retention above for circumstances when it may be), Janet-connected organisations that have failed to keep logs have found themselves being blamed for misuse from their site that they could not trace. It is quite possible that such blame could develop into a formal claim of liability for damage caused, leaving the organisation with bad publicity at best and a large bill for damages and legal costs at worst.
There are a number of legal issues that must be addressed in any logging activity. Even if the logs record only that the network was used by particular accounts, they will constitute personal data within the meaning of the Data Protection Act 2018 (particularly the Privacy and Electronic Communications (EC Directive) Regulations 2003).
This places restrictions on how logs may be used, and also requires that they be protected against misuse by appropriate technical and procedural measures. Personal data may only be kept so long as there is good reason to do so: organisations should ensure that they have a retention policy stating how long logs will be held and that they are deleted after this period.
If the logs contain the content of any communication, for example the text of e-mails, news or chatroom conversations, then recording them counts as interception and the conditions of the Investigatory Powers Act 2016 must also be met.