Hi Denis/Frank
The last time I did this with a German project (2010/2011) we settled on the following (cleared through German, Austrian, French & Belgian data controllers):
Logging everything was OK as there are legitimate reasons for it. The following additional controls were required:
- Access to logs limited to Basis & Security team
- Acceptable use (of logs) policy circulated to everyone with access
- Data had to be summarised before use (i.e. could not be easily attributed to an individual. Obviously difficult to achieve if someone is in a team of 1...)
- Distribution of data outside the security team had to be approved by the local data controller (local to the people whose data it was).
- Detailed records existing outside the system had to be deleted after the summarisation work had been completed
Exceptions to these included:
- legitimate use of data in event of security breach (agreed by local counsel and data controllers)
- use of data with written approval of user (we used this a lot when redesigning access based on patterns of 'model' users).