Who must keep logs?
Latest updates - 04 November 2025
04 November 2025 - We have updated this section of the guidance to reflect amendments from the Data (Use and Access) Act.
You must keep logs if you are a competent authority, or an organisation working on behalf of a competent authority (eg a processor). A competent authority includes specified policing bodies but also any organisation using personal information for law enforcement purposes. For example, authorities with investigatory functions or functions relating to offender management, such as a prison.
You must put logging arrangements in place for your automated processing systems and should make users of systems aware of these arrangements. This may act as a deterrent to unwanted behaviours. You should provide users with privacy information to promote transparency. You could make appropriate information available to them in staff policies and procedures about how actions on the system will be recorded.
You must have logging capabilities in place, in keeping with the deadline set out at paragraph 14 of schedule 20 of the DPA 2018. The deadline is 6 May 2026 for you to comply with logging obligations for legacy systems (eg systems that were processing personal information before 6 May 2016). If you miss this deadline, you must be able to justify why doing so would involve disproportionate effort.