In practice, government data storage is a mix of records management, security design, recovery planning, and day-to-day service delivery. The hard part is not capacity; it is deciding which information belongs in a live system, which belongs in an archive, and which should be deleted on schedule. In the UK public sector, those choices carry legal, operational, and reputational weight, so the technology has to fit the data rather than the other way around.
What matters most when public bodies store data
- Central government usually starts from cloud-first, but hybrid and dedicated setups still have a clear role.
- The right platform depends on classification, jurisdiction, recovery targets, and exit planning.
- Security basics are non-negotiable: encryption, role-based access, MFA, logging, and key management.
- Retention rules matter as much as technology; records need owners, metadata, and disposal paths.
- For leaders, the real test is whether staff can find, protect, recover, and delete information when needed.
What government data storage has to do in practice
I usually separate public-sector storage into four jobs, because organisations often buy one platform and expect it to do all four. First there is operational storage, which holds the live records staff need to run services. Then there is collaboration storage, where teams work on drafts, case notes, spreadsheets, and supporting evidence. Third comes analytical storage, which feeds dashboards, models, and reporting. Finally, there is preservation storage, which keeps records available for audit, public accountability, legal challenge, or history.
That distinction matters because each job has different risk and performance needs. A benefits casework system cannot be treated like a policy archive, and a data warehouse cannot be managed like a shared drive. In the UK, the Government Security Classifications Policy uses three tiers - Official, Secret, and Top Secret - and those labels should shape how the data is stored, who can reach it, and how tightly the system is monitored. If a team cannot explain those boundaries clearly, the storage strategy is already too vague.
Once you separate the jobs, the next decision becomes much easier: which storage model fits each layer of the estate.

The storage models public bodies actually use
In the UK public sector, I rarely see a single storage model used well for everything. The pattern is usually a mix, with each layer serving a different purpose. Cloud-first thinking has pushed most new services toward cloud platforms, but that does not remove the need for legacy hosting, dedicated environments, or archive-grade storage.
| Model | Best fit | Strengths | Trade-offs |
|---|---|---|---|
| On-premises data centres | Legacy systems, tightly controlled environments, specialist integrations | Direct control, familiar governance, easier fit for older workloads | Slower scaling, higher maintenance, more effort for resilience and refresh cycles |
| Public cloud | New services, variable demand, rapid rollout, modern collaboration tools | Elastic capacity, faster delivery, strong ecosystem of managed services | Needs disciplined configuration, cost control, and careful data-location checks |
| Private cloud or dedicated hosted environments | Workloads that need more separation or more predictable governance | More control than shared public cloud, useful for transitional estates | Can be expensive and can lose some of the simplicity cloud promises |
| Hybrid and multi-cloud | Organisations with mixed risk profiles, migration work, or resilience goals | Flexibility, better transition path, more options for continuity planning | Governance gets harder, and teams need strong architecture discipline |
| Object storage and archive repositories | Documents, scans, logs, backups, and long-term retention | Cheap at scale, durable, and well suited to immutable or versioned data | Not ideal for high-write transactional workloads or fast ad hoc editing |
Under the hood, the technology mix is usually more specific than the labels above suggest. Relational databases still dominate structured citizen records and transactions, object storage handles files and backups, document management systems add workflow and metadata, and data warehouses or lakes support analysis and AI-ready use cases. For long-term preservation, immutable storage or offline copies still matter, because resilience is not only about uptime - it is also about being able to trust what you restore.
For OFFICIAL data, an overseas region or non-UK service can be acceptable if the risk assessment, contract terms, and data protection obligations line up. For SECRET and Top Secret information, the constraints tighten fast, and a public-cloud assumption is usually the wrong starting point. That is why security has to be built into the architecture from day one, not added later as a procurement afterthought.
Security controls that should be non-negotiable
The NCSC’s cloud guidance makes one point especially clear: security has to be designed into the service, not bolted on after procurement. It frames cloud assurance through 14 security principles, and for lighter services it reduces the basics to four areas: encryption, authentication and access control, logging and incident management, and governance. In plain English, that means the platform should help you stay secure rather than forcing staff to work around weak defaults.
- Encrypt data in transit using modern protocols such as TLS, and do not accept legacy transport settings just because they are convenient.
- Encrypt data at rest, including backups and derived metadata where applicable, so physical access does not become data access.
- Use role-based access control so staff only see the records they need, with MFA for users and administrators.
- Separate admin duties so the people who run the platform are not the same people who approve every sensitive change.
- Keep audit logs and alerts that show who accessed what, when, from where, and whether anything suspicious happened.
- Manage encryption keys deliberately, with ownership, rotation, recovery, and escrow decisions documented in advance.
- Test restores, not just backups; a backup that has never been restored is only a promise, not proof.
- Sanitise or destroy media properly when systems are decommissioned or repurposed.
I would add one practical warning here: do not confuse distribution with protection. Sharding, replication, or spreading data across regions can improve availability, but it does not replace encryption, tenancy separation, or good key management. If a supplier cannot explain those controls in a way an auditor would understand, the platform is not ready for public-sector use. And once security is in place, the next question is how long the data should stay there at all.
Retention and deletion are part of storage design
The National Archives is blunt about retention: keep information only as long as it is needed for business, legal, or historical reasons. That sounds simple, but in practice it is where a lot of storage programmes drift off course. Teams build excellent repositories, then fail to define what should be kept, what should be destroyed, and what should be transferred to an archive.
Good retention design starts with a retention schedule and clear ownership. Every record class should have a named owner, a retention period, and a disposal action: delete, anonymise, restrict, or transfer for preservation. Metadata matters here because it proves authority, context, and integrity. If you cannot tell where a record came from, who changed it, and why it still exists, it is already harder to defend in an audit or an information request.
There is also a difference between deleting active data and disposing of the entire footprint. Backups, replicas, and export files need to be covered too, otherwise the “deleted” record still survives in another system. That is why legal holds and litigation holds have to be integrated into the process rather than handled as an ad hoc email chain. In my experience, teams that treat retention as an operational control rather than a compliance chore make better procurement decisions as well.
Once retention rules are clear, leaders can ask better questions about platforms, suppliers, and operating models instead of buying capacity first and governance later.
How to choose a platform without guessing
When I review storage decisions in the public sector, I start with the same questions every time. They are less about brand names and more about operating reality. A platform that looks attractive in procurement can still fail if it does not fit classification, recovery, jurisdiction, or exit requirements.
| Question | Why it matters |
|---|---|
| What classification level will the data carry? | It determines the baseline controls, supplier options, and where the workload can safely live. |
| Where will the data be stored and processed? | Jurisdiction affects privacy, contractual risk, and whether cross-border transfer is acceptable. |
| What are the recovery point and recovery time objectives? | These define how much data loss and downtime the service can tolerate. |
| Who owns access, keys, and audit trails? | Shared ownership is fine on paper, but unclear responsibility creates real incidents. |
| Can we export the data cleanly? | An exit plan protects the department from lock-in, supplier failure, and future migration cost. |
| Does the platform reduce work or move it elsewhere? | Some systems cut infrastructure effort but increase operational overhead through manual governance. |
| What is the total cost over the full lifecycle? | Licences, egress, support, storage growth, and staff time often matter more than headline pricing. |
| Can the supplier support audit and incident response? | Public bodies need evidence, not assurances written only for sales teams. |
The Cloud First direction in the UK means public cloud should usually be evaluated first for new or renewed services, but I would never treat that as a substitute for a written case. If the answer is not cloud, the team should be able to explain why in terms of risk, resilience, usability, and value for money. A decision that cannot survive an audit meeting is not a finished decision.
For senior leaders, the real mistake is not choosing the wrong vendor; it is failing to define the decision criteria before procurement starts. That is where storage strategy becomes a leadership issue rather than a technical one.
What a resilient setup looks like in 2026
In 2026, the strongest public-sector setups are usually the least dramatic. They are tiered, documented, and boring in the right way. Live systems sit on a controlled platform, collaboration spaces are separated from core records, analytical copies are curated, and archives or immutable backups are isolated from everyday change.
- Each dataset has an owner and a retention rule.
- Each system has a recovery target that someone can defend.
- Each supplier has an exit path and a tested export method.
- Each sensitive workload has encryption, logging, and access reviews.
- Each archive has a disposal or transfer route, not just more storage.
That is the pattern I trust most in public-sector work: not one big repository that tries to do everything, but a layered design that gives each type of information the right home, the right controls, and a clear end point. If you are shaping a storage strategy for a department, council, or arm’s-length body, start with the data lifecycle first and the technology second. The order matters more than most teams admit.
