This section to be fleshed out in project month M30 release of D2.1. It will satisfy Req. D1.2-4.2-BPPrivacy.
The main issues are
Avoid logging anything that could become a correlation handle
Avoid logging PII unless absolutely necessary
Generally a lot of detail will be logged locally. This will include the tokens used in identification the user, usually in pseudonymous form as well as the PII handled by the Service Provider. This detail tends to be necessary to legally protect the Service Provider.