IT Baseline Protection Manual T 2.61 Unauthorised collection of personal data

T 2.61 Unauthorised collection of personal data

When management systems are used, large volumes of log data usually arise, and as a rule these are generated and evaluated automatically. This is particularly true of network and system monitoring. Without detailed records of system activity, security violations, for example, cannot be detected at all. One requirement is that the management system can establish when particular data was accessed and by which user. A record of the monitored activities must therefore be kept for each user. As a rule, the management strategy, agreed with the data protection officer, lays down for the whole organisation which user activities are monitored for security reasons. The affected users must be informed accordingly, and the system audit must check that the requirements laid down by the management strategy are adhered to.

It is also possible that the management system, in the course of a normal function, creates temporary log files that are then stored in a poorly protected area for log files. Such files are potentially accessible for at least as long as they exist, and they too may contain user information.
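The temporary log files described above are the kind of exposure an audit of the log area should look for. The following check is an added example, not part of the BSI text or of any particular management product. It assumes a UNIX host, treats "poorly protected" as group- or world-readable, and approximates "personal data" by a list of known login names (DEMO_USERS); a real deployment would use the identifiers agreed with the data protection officer. The directory tree it scans is constructed by the script itself as sample input.

```python
"""Report log files readable beyond their owner that contain user identifiers.

Added example for BSI T 2.61; not the manual's own code. Assumptions:
UNIX permission bits, personal data approximated by a known-user list,
sample log tree constructed in a temporary directory.
"""
import os
import re
import shutil
import stat
import tempfile

# Constructed sample: login names the monitoring system writes into its logs.
DEMO_USERS = ("alice", "bob")


def exposed_mode_bits(mode):
    """Return the permission bits that grant read access to group or others."""
    return mode & (stat.S_IRGRP | stat.S_IROTH)


def find_exposed_logs(log_dir, user_ids):
    """Walk log_dir and return (relative path, octal mode, user ids found)
    for every regular file that is readable by group or others.

    Files are judged by their mode bits, not by os.access(), so the result
    does not depend on the privileges of the account running the check."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, user_ids)) + r")\b")
    findings = []
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, etc.
            if not exposed_mode_bits(st.st_mode):
                continue  # owner-only file: not exposed
            with open(path, "r", errors="replace") as fh:
                hits = sorted(set(pattern.findall(fh.read())))
            findings.append((os.path.relpath(path, log_dir),
                             oct(stat.S_IMODE(st.st_mode)), hits))
    return sorted(findings)


def build_demo_dir():
    """Create a constructed log tree (sample data, not a real system):
    a protected audit log, a world-readable temporary file written by the
    monitoring function that contains user names, and a world-readable
    rotation marker that contains no personal data."""
    base = tempfile.mkdtemp(prefix="t261-")
    samples = {
        "audit.log": (0o600,
                      "2024-03-01T10:00:00Z alice READ /srv/hr/payroll.csv\n"),
        "tmp/monitor-12345.tmp": (0o644,
                                  "2024-03-01T10:00:05Z bob LOGIN from 10.0.0.7\n"
                                  "2024-03-01T10:00:09Z alice LOGOUT\n"),
        "rotate.state": (0o644, "last_rotation=2024-03-01\n"),
    }
    for rel, (mode, text) in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)  # set explicitly so the umask does not matter
    return base


def run_demo():
    """Build the sample tree, scan it, and return only the exposed files
    that actually carry user identifiers; the tree is removed afterwards."""
    base = build_demo_dir()
    try:
        return [f for f in find_exposed_logs(base, DEMO_USERS) if f[2]]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for path, mode, users in run_demo():
        print(f"{path} ({mode}) exposes: {', '.join(users)}")
```

Only the temporary file is reported: the audit log is owner-only, and the rotation marker is readable but holds no user names. In practice the check would be run against the management system's real log and temporary directories, and the list of identifiers extended to whatever the management strategy defines as personal data.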


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik