Based on the rules section 9.3 (1)(e) and 9.3 (3) highlighted below, a data holder would be required to keep logs of instances where CDR data has not been disclosed in reliance on an exemption from the obligation to disclose for 6 years.
It is understood that this exemption would include where the data holder protects its system from malicious behaviour or high volumes (aligned to the NFRs) which would risk its platforms. Given these controls are generally performed at the first entry point to a data holder, like a web application firewall (WAF), the data within these logs would be subject to the security controls of the regime. Does keeping the full log detail of these requests hold any value? At the point of capture the detail in this log cannot be tied back to a particular customer, as the only thing that is present is a short-lived access token which won’t have relevance to the customer until exchanged in the data holder's IDP.
These records are valuable in assisting to construct counts for the reports and metrics endpoints, but is the whole record mandatory or could the data holder just keep a collection of the aggregated count information?
There is also some concern from security teams over the nature of the data in these logs which may indicate attack information or potential threat vectors and this information should only be kept for a period of time (12-18 months) and then purged from the records.
CDR Rule 9.3 - Records to be kept and maintained
Records to be kept and maintained – Data holder
(1) A data holder must keep and maintain records that record and explain the following:
(d) disclosures of CDR data made in response to consumer data requests;
(e) instances where CDR data has not been disclosed in reliance on an exemption from the obligation to disclose CDR data;
Specificity of records
(3) Each record referred to in this rule must include the date and time when the record was made and, if applicable, the date and time when the event described by the record occurred.
Period for retention of records
(5) Each record referred to in this rule must be kept for a period of 6 years beginning on the day the record was created.
Regulatory reporting requirements defined in the data holder reporting form:
- Report on the ‘number of consumer data requests received from accredited persons on behalf of eligible CDR consumers’.
A reference to 'requests you received' includes all requests you received, regardless of whether the request was successful or not.
- Report on the ‘number of times you have refused to disclose CDR data’.
A reference to a 'refusal' to disclose CDR data is intended to cover all refusals to disclose CDR data. For the avoidance of doubt, circumstances where the data holder must report on the number of refusals to disclose CDR data include for technical reasons, refusals where it is considered necessary to prevent physical or financial harm or abuse, and refusals where the data holder has reasonable grounds to believe disclosure of some or all of the requested CDR data would adversely impact the security, integrity or stability to the Register of Accredited Persons or the data holder's ICT systems, and any other reason the data holder has not disclosed CDR data in response to a request.
Rule 9.3(1)(e) requires data holders to maintain records that record and explain instances where CDR data has not been disclosed in reliance on an exemption from the obligation to disclose CDR data.
In terms of maintaining the necessary records for rule 9.3(1)(e), we expect that the record log will contain the following minimum information for each instance where a data holder has not disclosed CDR data in reliance on an exemption from the obligation to disclose: the relevant exemption relied upon to refuse to disclose, as well as the date and time the relevant exemption was relied upon. We do not expect such record logs to contain information that would compromise the security of a data holder’s systems.
Rule 9.3(5) requires each record required to be kept under rule 9.3 to be kept for a period of 6 years beginning on the day the record was created.
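As an added illustration (not part of the original question or answer, and not regulator-supplied code), the sketch below reduces WAF block events to the minimum record described above: the exemption relied upon, when the event occurred, and when the record was made. The WAF log format, field names and exemption labels are all assumptions constructed for the example.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Hypothetical mapping from WAF block reasons to the data holder's own
# exemption labels; neither side of this mapping comes from the CDR rules.
EXEMPTION_BY_REASON = {
    "rate_limit": "traffic-threshold (NFR)",
    "malicious_signature": "security-integrity-stability of ICT systems",
}

# Constructed WAF events (JSON lines); format and field names are assumptions.
SAMPLE_WAF_LOG = """\
{"ts": "2021-03-01T09:15:02+11:00", "action": "block", "reason": "rate_limit", "src_ip": "203.0.113.7", "authorization": "Bearer CONSTRUCTED-TOKEN-1", "uri": "/example/resource"}
{"ts": "2021-03-01T09:15:03+11:00", "action": "allow", "reason": "", "src_ip": "203.0.113.8", "authorization": "Bearer CONSTRUCTED-TOKEN-2", "uri": "/example/resource"}
{"ts": "2021-03-01T23:59:59+11:00", "action": "block", "reason": "malicious_signature", "src_ip": "198.51.100.4", "authorization": "Bearer CONSTRUCTED-TOKEN-3", "uri": "/example/resource", "matched_rule": "constructed-rule-42"}
"""

def to_refusal_record(event, made_at):
    """Project one WAF event onto the minimum record; None if not a refusal."""
    if event.get("action") != "block":
        return None
    occurred = datetime.fromisoformat(event["ts"]).astimezone(timezone.utc)
    # Allow-list projection: token, source IP, URI and matched rule are
    # never copied, so the long-retention record carries no attack detail.
    return {
        "exemption": EXEMPTION_BY_REASON.get(event.get("reason"), "unclassified"),
        "occurred_at": occurred.isoformat(),
        "record_made_at": made_at.astimezone(timezone.utc).isoformat(),
    }

def minimise(log_text, made_at):
    """Return the minimal refusal records for every blocked request in the log."""
    records = []
    for line in log_text.splitlines():
        if line.strip():
            record = to_refusal_record(json.loads(line), made_at)
            if record is not None:
                records.append(record)
    return records

def refusal_counts(records):
    """Aggregate refusals per exemption, e.g. to feed the refusal count."""
    return Counter(r["exemption"] for r in records)
```

Reasons that fall outside the mapping surface as "unclassified" rather than being dropped, so they can be reviewed before the full WAF log is purged.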