Home / News / Governance Considerations for Long-Term Storage of Confidential and Regulated Data in the UK

Governance Considerations for Long-Term Storage of Confidential and Regulated Data in the UK

Information such as patient records, legal files, financial records, contract archives, audit evidence, backups and historic operational datasets may need to be retained for years or even decades. Decisions about how this information is stored, protected, accessed and eventually disposed of increasingly influence governance, resilience and legal readiness across UK organisations. For regulated sectors in particular, retained information is no longer solely a records management issue. It affects infrastructure design, cyber resilience, operational continuity and the ability to demonstrate accountability to regulators, customers and other stakeholders.

This article examines the governance controls that matter most when confidential and regulated information is retained over long periods. It does not attempt to revisit GDPR in detail. Instead, it explores the practical infrastructure and governance considerations that sit behind principles such as accountability, storage limitation, integrity and confidentiality, including classification, retention, access control, encryption, immutability, auditability, supplier governance, legal hold, recovery testing and hosting location. These considerations matter because retained information is rarely static. It may need to be restored after a cyber incident, produced during litigation, preserved for regulatory inspection, migrated from legacy systems or securely destroyed once its purpose has expired.

The issue deserves attention now because UK organisations continue to replace paper-based records with digital services while retaining increasing volumes of electronic information across cloud platforms, collaboration systems, backups and archive repositories. At the same time, regulators are placing greater emphasis on accountability, third-party oversight and operational resilience. The ICO’s 2024/25 Annual Report recorded 42,315 data protection complaints, up from 39,721 in 2023/24. The ICO’s £14m fine against Capita in 2025, following a breach affecting over 6m people, showed how historic, outsourced and sensitive records can become a regulatory and reputational issue when security controls are not sufficient. 

The UK has long operated within a relatively mature information governance environment, particularly across healthcare, financial services and public administration, where retained information often carries legal, evidential and operational significance. In this article, governance controls refer to the policies, processes and technical safeguards that organisations implement to manage confidential and regulated information throughout its lifecycle. Some arise directly from legislation, regulatory requirements and sector-specific obligations, while others represent widely adopted good practice designed to demonstrate accountability, support resilience and reduce operational risk.

Regulatory, technological and market drivers

Globally, organisations are retaining growing volumes of digital information for operational, legal, analytical and regulatory purposes. Annual data creation continues to expand as cloud services, artificial intelligence, connected devices and increasingly digital business processes generate ever larger quantities of information. This growth is occurring alongside rising expenditure on storage, cyber security and data protection capabilities as organisations seek to retain, protect and govern expanding data estates.

The enterprise information archiving market reflects this broader shift. Fortune Business Insights estimates that the market was worth approximately USD 9.9 billion in 2025 and could exceed USD 33 billion by 2034. The significance of these trends extends well beyond storage capacity. Decisions about retained information increasingly influence infrastructure planning, storage economics, cyber recovery arrangements and information governance practices. Long-term retention strategies can also affect choices between public cloud services, private cloud environments, sovereign hosting arrangements and dedicated infrastructure.

Artificial intelligence is also creating new governance considerations. Historic records increasingly represent potentially valuable data assets for analytics and machine learning initiatives, creating incentives to retain information for longer periods. Organisations therefore face a balancing exercise between preserving information that may have future value and applying retention principles that remain proportionate, justifiable and defensible.

At the same time, regulators and industry bodies are placing greater emphasis on dependency management and third-party oversight. The Basel Committee’s principles on third-party risk management reflect growing concern that critical business services increasingly depend on external technology providers, including cloud, storage and data service providers. Decisions about retained information are therefore becoming intertwined with wider questions of resilience, operational control and supplier governance.

European privacy regulation has played a significant role in shaping modern information governance. GDPR introduced concepts such as accountability, storage limitation and privacy by design, influencing not only European organisations but also global approaches to data retention and governance. The European Union’s Digital Operational Resilience Act has also introduced a more structured approach to ICT risk management, third-party oversight and incident management within financial services. Although UK organisations are not universally within the scope of European legislation, numerous firms maintain operations, customers or technology relationships that cross jurisdictions and are affected by similar expectations around resilience, accountability and third-party risk management.

In the UK, long-term storage governance is shaped by several overlapping legal and regulatory frameworks rather than a single set of storage rules. UK GDPR and the Data Protection Act 2018 establish principles around accountability, storage limitation, integrity and confidentiality. The ICO’s guidance makes clear that personal data should not be retained longer than necessary and that retention periods should reflect legitimate business and legal purposes.

Several sectors are also subject to additional obligations. The NHS Records Management Code of Practice provides detailed retention and disposal guidance for health and care records, including requirements around appraisal, deletion and preservation. Financial services firms must consider FCA record-keeping rules, outsourcing requirements and operational resilience obligationswhere retained information supports important business services. Legal services firms are also subject to confidentiality and record management expectations under Solicitors Regulation Authority requirements.

The UK’s wider resilience landscape is also evolving. The forthcoming Cyber Security and Resilience Bill is expected to strengthen cyber governance and incident reporting expectations across critical sectors. Although not specifically a records management regime, it reflects increasing policy attention on how important information assets are governed, protected and recovered.

The same information may often exist simultaneously within production systems, backups, replicated copies and long-term archives, making ownership, retention and recovery governance considerably more complex. As a result, questions that were once largely confined to records management functions increasingly involve infrastructure teams, cyber security specialists, legal advisers and operational resilience stakeholders.

This creates a practical challenge for legal, healthcare, financial services and other regulated organisations. Confidential information often needs to be retained for legitimate operational, legal and regulatory reasons, but indefinite retention can be difficult to justify unless purpose, ownership, security arrangements and disposal processes are clearly defined. Governance of retained information therefore sits at the intersection of information management, infrastructure, cyber security, legal obligations, procurement and disaster recovery. Governance failures frequently arise not because information was retained, but because organisations cannot clearly explain why it is still held, who is responsible for it, how it is protected, where it resides, when it should be reviewed and whether it can be recovered or securely disposed of when required.

Analysis of key governance practices

Data classification and ownership

Confidential and regulated information should not be treated as a single category of retained data. Patient records, legal matter files, financial transactions, board documents, human resources investigations and backup copies may all contain sensitive information, but they often have different retention requirements, access permissions, hosting considerations and recovery priorities. Effective classification determines who may access information, how it should be protected, where it may be stored, how long it should be retained and whether additional measures, such as immutable retention or legal hold, are required.

As information accumulates across file systems, cloud repositories, backups and archive platforms, governance becomes progressively more complex. Information frequently exists in several storage locations and recovery environments, creating multiple versions with different owners, retention periods and security requirements. Without a clear classification and ownership model, organisations may apply unnecessarily stringent controls to low-value information while under-protecting genuinely sensitive data. Classification therefore becomes an architectural consideration as much as a governance exercise because storage platforms, retention policies and recovery arrangements increasingly depend on understanding what information is being protected and why.

A robust classification model allows security controls, retention requirements and infrastructure resources to be aligned more closely with business risk and operational priorities. Legal teams can preserve matter files without indefinitely retaining duplicate information. Healthcare providers can distinguish between clinical records, administrative records and operational datasets. Financial services firms can align record-keeping obligations with storage controls that support audit, regulator access and resilience requirements. Decisions about capacity planning, storage location, cyber recovery and long-term retention are more effective when they reflect the value, sensitivity and operational importance of the information being retained.

No single UK regulation explicitly prescribes data classification frameworks or ownership models. Instead, classification is a governance practice supported by broader legal and regulatory principles. UK GDPR requires organisations to demonstrate accountability and implement appropriate measures to protect personal information, while ISO 27001, the NCSC Cyber Assessment Framework, the NHS Data Security and Protection Toolkit and FCA systems and controls requirements all reinforce the need to understand what information is held, how sensitive it is and who is responsible for it. In practice, data classification and ownership provide the foundation upon which retention, access control, encryption, supplier governance and recovery decisions are built.

Retention schedules and defensible deletion

Retention management is one of the most operationally important aspects of governing confidential and regulated information. The ICO’s storage limitation guidance states that personal data should not be kept for longer than necessary, and that organisations should set retention periods wherever possibleNHS England’s Records Management Code of Practice also emphasises appraisal, documented decisions and the management of records once minimum retention periods have been reached. The objective is not simply to delete information more aggressively, but to retain information for legitimate operational, legal and regulatory purposes and dispose of it in a controlled and defensible manner when those purposes no longer exist.

Falling storage costs have reduced some barriers to retention but have not removed the governance, security and operational consequences of keeping information indefinitely. As retained information expands across primary platforms and secondary storage environments, the cost and complexity of governing it also increase. If retention requirements are not translated into storage policies and technical controls, information can remain in primary platforms and secondary copies long after its original purpose has expired. This increases storage consumption, backup requirements, replication overhead and the volume of information potentially exposed during cyber incidents, legal disclosure exercises and regulatory investigations.

A well-governed retention model delivers both operational and economic benefits. Defensible deletion can reduce unnecessary storage, backup, replication and indexing requirements while simplifying long-term governance activities. Legal teams are less likely to review irrelevant historic material during disclosure exercises, and infrastructure teams can manage smaller and better understood data estates. Retention policies also provide a stronger basis for capacity planning, recovery objectives and storage lifecycle management because infrastructure resources can be aligned more closely with genuine business and regulatory requirements. For regulated organisations, the ability to demonstrate why information is being retained can be as important as demonstrating how it is protected.

Retention management is one of the most clearly regulated aspects of long-term data governance in the UK. UK GDPR and the Data Protection Act 2018 establish the principle that personal data should not be retained for longer than necessary. Additional requirements arise from sector-specific and statutory obligations, including NHS records management requirements, FCA record-keeping rules, Companies Act provisions and HMRC retention requirements. Defensible deletion therefore represents more than a storage optimisation exercise. It is an important governance process that helps organisations demonstrate that retained information has a legitimate purpose and that disposal decisions are properly documented and controlled.

Access governance and privileged control

Access governance is particularly important for retained confidential and regulated information because archive platforms, backup repositories and secondary storage environments are often treated primarily as administrative systems rather than sensitive information assets in their own right. Over time, permissions may be granted to infrastructure teams, external suppliers, former project groups and shared service accounts without being reviewed regularly. The result can be a gradual expansion of access rights that no longer reflects business requirements or actual responsibilities.

Governance challenges increase as information is retained over long periods and passes through multiple infrastructure and organisational changes. Staff move roles, suppliers change, platforms are migrated and business ownership can become less clear. At the same time, retained information is frequently distributed across numerous platforms and recovery environments, each with different administrative models and access requirements. Identity and access management therefore becomes a central element of information governance because storage decisions are not solely concerned with where information resides, but also with who can read, export, restore, modify, delete or alter retention settings.

Strong access governance can substantially reduce insider, supplier and credential-related risks while providing greater evidential assurance. Role-based access controls, least-privilege principles, multi-factor authentication, privileged access management, periodic access reviews and separation of duties all reduce the likelihood that a single compromised account could expose large volumes of retained information. For regulated organisations, access logs also support investigations, audits and regulatory enquiries. From an operational perspective, robust access governance can improve recovery confidence because archive repositories and backup platforms remain subject to clear administrative control during incidents when access decisions often need to be made quickly and under pressure.

Access governance and privileged access management are primarily principle-based requirements rather than prescriptive legal obligations. UK GDPR requires organisations to implement appropriate measures to preserve the integrity and confidentiality of personal data, while the Network and Information Systems Regulations, FCA operational resilience expectations, NCSC guidance and ISO 27001 all reinforce the need to control access to sensitive information and critical systems. In practice, this means organisations should understand who can view, export, modify or delete retained information and should regularly review whether those permissions remain appropriate.

Encryption and key management

Encryption supported by disciplined key management is a fundamental governance control for confidential and regulated information. Encryption at rest and in transit is increasingly regarded as a baseline expectation, but the governance challenge extends well beyond enabling encryption technologies. Organisations must understand who controls encryption keys, how keys are generated and rotated, who can recover them and what happens if platforms, suppliers or administrative arrangements change. Encryption without effective key governance can create a false sense of security because information may be protected from certain threats while administrative access, recovery arrangements and supplier dependencies remain insufficiently controlled.

This has become increasingly important as retained information is distributed across public cloud services, private cloud environments, object storage platforms, backup repositories and managed hosting services. Although most platforms provide encryption capabilities, their operating models differ considerably. Some organisations rely entirely on provider-managed keys, while others seek greater control through customer-managed encryption models and hosting arrangements that provide clearer visibility of administrative authority and data location. Key management therefore becomes an architectural consideration rather than simply a security feature, because decisions about encryption influence administrative control, supplier dependency and long-term recoverability.

Effective encryption and key governance can reduce the impact of lost media, unauthorised access and supplier-side exposure while supporting broader resilience and sovereignty objectives. For organisations handling confidential or regulated information, greater visibility of key ownership and administrative authority can provide increased confidence over who can potentially access retained information and under what circumstances. Key continuity is particularly important for archives and backup repositories because information may need to remain accessible and recoverable many years after the original applications, infrastructure platforms or supplier arrangements have changed. Retained information that cannot be decrypted when required may have limited operational, evidential or regulatory value.

UK legislation rarely mandates encryption technologies in specific terms. Instead, organisations are generally required to implement security measures that are appropriate to the risks associated with the information they hold. UK GDPR, the Network and Information Systems Regulations, FCA expectations, the NHS Data Security and Protection Toolkit and NCSC cryptographic guidance all support this risk-based approach. Encryption and effective key management are therefore commonly adopted as practical mechanisms for demonstrating appropriate security, particularly where confidential, regulated or long-term retained information is involved.

Immutability, Object Lock and integrity assurance

Immutability and integrity assurance are increasingly important governance controls for selected categories of retained information. Technologies such as Object Lock, WORM-style retention, versioning, checksums and tamper-evident logging can help protect information from unauthorised deletion, alteration or corruption. These capabilities are particularly relevant for backup repositories, evidential archives, compliance records and other information that must remain unchanged for defined periods. They are not necessary for every dataset, but they become increasingly important where organisations need confidence that retained information remains authentic, complete and trustworthy.

Recent cyber incidents have demonstrated that backup repositories and secondary storage environments are increasingly targeted alongside production systems. At the same time, information may be modified inadvertently through administrative error, migration activities or poorly controlled operational processes. If historic records or recovery copies can be altered or deleted without detection, organisations may lose both evidential assurance and recovery capability. Integrity assurance therefore connects storage governance directly with cyber resilience and disaster recovery because retaining information is of limited value if organisations cannot demonstrate that the information has remained unchanged and trustworthy over time.

For regulated organisations, immutable storage can improve confidence that recovery copies have not been altered prior to restoration and that retained records remain suitable for evidential and regulatory purposes. Object storage platforms are particularly relevant in this context because S3-compatible APIs and Object Lock-style controls allow established backup and archive tools to implement policy-based retention without requiring bespoke storage platforms. Object storage can also support lifecycle policies, versioning and metadata management, allowing organisations to align long-term retention requirements more closely with governance policies, recovery objectives and storage economics.

Immutability and technologies such as Object Lock are generally not prescribed by legislation. Most UK laws and regulations do not require organisations to implement specific storage technologies. However, resilience frameworks, cyber security guidance and evidential preservation requirements increasingly emphasise the importance of maintaining data integrity and protecting critical information from unauthorised alteration or deletion. As a result, immutable storage is increasingly viewed as good governance practice for selected use cases such as backup repositories, evidential archives and regulated records that must remain trustworthy over defined periods.

Auditability, legal hold and evidential readiness

Governance of retained information increasingly depends on the ability to demonstrate how information has been managed throughout its lifecycle. Archive platforms, backup repositories and long-term storage environments should be capable of evidencing who accessed information, who changed retention settings, when information was restored, when legal hold arrangements were applied and when disposal activities occurred. These capabilities can be important during litigation, regulatory inspections, internal investigations and post-incident reviews. Although the expectations of the ICO, FCA, SRA and NHS differ, all place importance on accountable handling of confidential and regulated information.

Retained information is increasingly required as evidence of operational, legal and regulatory decisions. Organisations may need to demonstrate how records were preserved, whether information was altered, why information was deleted and whether access permissions were appropriate. This places greater importance on observability within storage environments. Audit logs, retention metadata and administrative histories therefore become governance assets in their own right and should be appropriately protected, retained and available when required.

Strong auditability can improve legal readiness, accelerate investigations and provide greater confidence in governance processes. Legal teams can preserve relevant information without unnecessarily restricting access to entire storage environments. Compliance teams can demonstrate how retention and disposal decisions were reached and implemented. Security teams can investigate potentially inappropriate access to archive repositories and recovery copies. For regulated organisations, auditability supports confidence that retained information remains understandable, explainable and defensible throughout its lifecycle.

Requirements around auditability and evidential readiness arise from several overlapping obligations rather than a single storage regulation. FCA record-keeping rules, SRA expectations, NHS records management requirements, the Civil Procedure Rules governing disclosure and litigation, UK GDPR accountability obligations and ISO 27001 logging requirements all contribute to an expectation that organisations should understand how information has been accessed, changed, retained and, where appropriate, disposed of. Legal hold requirements are similarly driven by evidential and litigation obligations rather than by dedicated storage legislation.

Supplier governance, sovereignty and exit planning

Supplier governance is an increasingly important consideration for organisations that retain confidential and regulated information over long periods. The FCA’s outsourcing and operational resilience guidance highlights the importance of due diligence, ongoing monitoring, business continuity, contingency planning and exit strategies in outsourced and third-party arrangementsThe Bank of England’s summary of SS2/21 also identifies data security, cloud context, business continuity and exit strategies as part of the lifecycle of outsourcing and third-party arrangements. These issues are particularly relevant for retained information because archive repositories, backup platforms and long-term storage environments often remain in service long after the original procurement decision has been made.

Growing dependence on external platforms for backup, archive, object storage and managed hosting services provides organisations with access to scalable infrastructure, specialist expertise and operational flexibility. At the same time, governance responsibilities increasingly extend beyond organisational boundaries. For legal, healthcare, financial services and government-related organisations, decisions about where information is stored, who administers it and under which jurisdiction it operates are not solely commercial considerations. They form part of wider information risk management, resilience planning and accountability arrangements.

Long-lived information assets can create significant dependency risks if supplier relationships are not governed carefully. Data stored in proprietary formats, platforms with high egress charges or environments with poorly documented deletion processes may become difficult and costly to move. Support arrangements that span multiple jurisdictions or involve complex subcontracting chains can make access governance, accountability and incident management more difficult to demonstrate. Supplier changes, acquisitions, service withdrawals or changes in commercial terms can also introduce operational uncertainty, particularly where retained information remains important for regulatory, evidential or recovery purposes.

Supplier governance therefore extends well beyond contractual due diligence. Storage environments should provide sufficient transparency around hosting location, administrative access, encryption arrangements, subcontracting models, portability, deletion processes, incident management and recovery capabilities. Infrastructure characteristics such as UK hosting locations, support for S3-compatible storage, immutable retention capabilities, private cloud environments and dedicated hosting models can materially influence how easily retained information can be governed throughout its lifecycle. Exit planning is equally important. Information that cannot be migrated, recovered or securely disposed of without disproportionate cost, complexity or operational disruption may ultimately weaken resilience rather than strengthen it. The strategic question is therefore not simply where information is stored today, but whether the chosen operating model can continue to support accountability, resilience and future change over the full life of the data.

Recovery testing and lifecycle assurance

Governance of retained information is incomplete if information cannot be restored, interpreted and used when required. Backup copies may exist but fail to restore successfully. Archive files may remain intact but become unreadable because application formats are obsolete or supporting systems no longer exist. Encrypted datasets may be preserved but inaccessible because encryption keys are unavailable or recovery processes have not been maintained. In each case, information has technically been retained but may no longer have meaningful operational, evidential or regulatory value.

Retention periods increasingly exceed the lifespan of applications, infrastructure platforms and supplier arrangements. A ten-year archive may pass through several generations of technology and multiple changes in hosting, storage and administrative responsibility. Regulated records may need to be produced long after the original systems have been replaced, and disaster recovery arrangements may depend on information stored on platforms that are operationally separate from production environments. For some regulated workloads, organisations may deliberately maintain recovery environments that are independent of primary cloud platforms in order to reduce dependency risks and simplify governance oversight. Retained information therefore needs to be considered as part of resilience planning and lifecycle management rather than simply measured in terms of storage capacity.

Regular recovery testing provides greater confidence that retained information remains usable, accessible and recoverable throughout its lifecycle. Testing can demonstrate whether information can be restored within realistic timeframes, whether access approvals and administrative processes function as intended, whether encryption keys remain available and whether archive metadata still provides meaningful context. It can also identify information that is technically retained but no longer practically usable. For boards and senior technology leaders, recovery testing provides evidence that resilience assumptions are supported by operational capability rather than by the mere existence of stored data.

Recovery testing and lifecycle assurance are rarely prescribed as specific storage obligations. However, UK operational resilience frameworks, information security standards and business continuity guidance increasingly expect organisations to demonstrate that important data can be restored, accessed and used when required. FCA operational resilience requirements, the Network and Information Systems Regulations, NHS business continuity guidance, ISO 22301, ISO 27001 and NCSC recommendations all support this expectation. For long-term archives and backup repositories, retention without recoverability provides only partial assurance because information that cannot be restored may have limited operational, evidential or regulatory value.

Conclusion

Decisions about retaining confidential and regulated information increasingly influence resilience, governance, legal readiness and infrastructure strategy. Organisations in legal, healthcare, financial services and other regulated sectors often need to retain information for years or even decades, but they also need to demonstrate that retained information remains justified, appropriately protected and recoverable when required.

The more fundamental shift is from viewing retention as a storage capacity exercise to treating it as an accountability challenge. Organisations should be able to explain what information is held, why it is being retained, who is responsible for it, where it resides, how it is protected, how long it should be kept, how it can be restored and how it will eventually be disposed of. None of these considerations is sufficient in isolation. Classification without retention management can create unnecessary complexity. Encryption without recoverability can limit operational value. Immutable storage without governance can preserve information that should no longer be retained. Supplier sovereignty without portability and exit planning can still create dependency.

For UK IT leaders, the practical lesson is that retained information should be designed and governed with the same seriousness as production infrastructure. Architecture decisions influence not only storage location and cost but also resilience, recovery capability and operational accountability over many years. Sovereign object storage, private cloud and dedicated hosting environments can all play valuable roles where they provide greater clarity around location, administrative control, recoverability and future flexibility. The important question is therefore not whether information resides in object storage, private cloud or dedicated infrastructure, but whether the chosen operating model enables organisations to govern, protect and recover retained information confidently throughout its lifecycle.

30 June 2026