UK Regulatory Log Retention Requirements
| Regulation | Log Type | Minimum Retention | UK Data Residency |
|---|---|---|---|
| NHS DSP Toolkit Standard 7 | Clinical system access and change audit logs | 6 years | Required — AWS eu-west-2 or Azure UK South |
| FCA SYSC 9 | Records of regulated activities (transactions, communications) | 5 years (FCA regulated — up to 7 years for some instruments) | Recommended — NCSC Cloud Security Principles apply |
| ICO UK GDPR Article 32 | Security audit logs for personal data processing systems | Not specified — "appropriate period" (minimum 1 year recommended) | EU/UK — transfers require IDTA if US service |
| HMRC (business records) | Financial transaction logs evidencing business records | 6 years from end of accounting period | No specific requirement — UK common |
| GDS / PSBAR | Access logs for government digital services | As long as data in service + minimum 2 years | UK — NCSC guidance recommends UK data centres |
| PCI-DSS (Requirement 10) | All system component audit logs | 12 months (3 months immediately available) | Within PCI-DSS scope environment (AWS eu-west-2) |
The Three Pillars of Observability — UK Implementation
| Pillar | UK Purpose | ClickMasters Stack | Key Metrics/Queries |
|---|---|---|---|
| Logs | Audit trail (NHS/FCA), error investigation, GDPR incident evidence | AWS CloudWatch Logs (eu-west-2, 7-year retention) | Error rate by endpoint, authentication failures, data access by user |
| Metrics | Performance (FCA PS21/3 Impact Tolerance), SLA monitoring, capacity planning | AWS CloudWatch Metrics + Container Insights | p95/p99 latency, error %, RPS, CPU/memory per service |
| Traces | Distributed request debugging, bottleneck identification, SLA root cause | AWS X-Ray (or Jaeger for self-hosted Grafana stacks) | Trace duration by service, slow database queries, external API latency |
FCA PS21/3 Operational Resilience Observability
IBS-level availability dashboard: real-time uptime per IBS (payment processing, customer onboarding, claims handling). Alert at 95% of Impact Tolerance threshold.
Automated Impact Tolerance breach detection: if IBS downtime exceeds tolerance → automatic PagerDuty P1 alert → incident response playbook triggered.
Recovery time monitoring: time from failure detection to recovery documented automatically — fed into quarterly PS21/3 resilience testing report.
Synthetic monitoring: automated transaction every 5 minutes verifying IBS end-to-end (payment initiation → completion). Failure = IBS downtime start.
FCA PS21/3 requires firms to monitor Important Business Services (IBS) against Impact Tolerances. Observability for PS21/3:
NHS DSP Toolkit Observability Requirements
Access audit logs: every access to patient personal data logged (user ID, timestamp, action, data accessed). 6-year retention. Available to NHS on request.
Authentication event logging: all login attempts (success and failure), MFA events, privileged access. Alert on anomalous patterns (brute force, impossible travel).
Data export/download logging: any bulk export of patient data logged and alerted for security team review.
Availability monitoring: DTAC Domain 3 — system availability documented. ClickMasters configures 99.9% uptime SLA monitoring with monthly availability report.
NHS DSP Toolkit Standard 7 (Data Storage and Transmission) and Standard 6 (Cyber Security) require: