Truncated viewing of log files

We have updated how Airlock displays job logs. Users now see only the last 10kb of each log, typically a few hundred lines, rather than the full file.

These logs are produced by users’ own analysis code running inside the OpenSAFELY secure environment. They are used to diagnose errors. In rare cases a user might accidentally log a very small amount of refined, pseudonymised patient-level information, such as a few rows printed during debugging. As described in the national DPIA, this would only be a small subset of information, derived from complete EHR records, about a small number of arbitrarily sampled patients, with all identities fully pseudonymised, and only accessible inside the secure environment to users already approved by NHS England. No record-level data can be released from this environment.

Even in this rare scenario the multi-layered controls still apply. Access requires VPN and multi-factor authentication, and only approved users can view logs. As explained in our public walkthrough of the security model, these safeguards significantly limit any risk arising from accidental logging.

The change to truncate the displayed portion of logs reduces this already minimal possibility even further, while preserving the information that users rely on to understand and fix errors. Only the on-screen view is truncated. The full log is still stored securely, and OpenSAFELY support can provide access in the exceptional cases where this is required.

• Pull request: opensafely-core/airlock#999