Observability — UK Software Engineering Guide (2025)

📊 Metrics📋 Logs🔍 Traces⚖️ FCA/NHS Audit🆓 Free Review
August 202511 min readJames Whitmore, CTO

Direct Answer

Observability for UK regulated software requires three pillars: logs (audit trail for FCA, NHS DSP Toolkit, and ICO), metrics (performance monitoring for FCA PS21/3 Impact Tolerance and NHS DTAC availability requirements), and traces (distributed request tracing for diagnosing issues in microservices). UK-specific requirement: logs must be retained in UK data residency (AWS eu-west-2) for 6–7 years for NHS and FCA applications.

UK Regulatory Log Retention Requirements

RegulationLog TypeMinimum RetentionUK Data Residency
NHS DSP Toolkit Standard 7Clinical system access and change audit logs6 yearsRequired — AWS eu-west-2 or Azure UK South
FCA SYSC 9Records of regulated activities (transactions, communications)5 years (FCA regulated — up to 7 years for some instruments)Recommended — NCSC Cloud Security Principles apply
ICO UK GDPR Article 32Security audit logs for personal data processing systemsNot specified — "appropriate period" (minimum 1 year recommended)EU/UK — transfers require IDTA if US service
HMRC (business records)Financial transaction logs evidencing business records6 years from end of accounting periodNo specific requirement — UK common
GDS / PSBARAccess logs for government digital servicesAs long as data in service + minimum 2 yearsUK — NCSC guidance recommends UK data centres
PCI-DSS (Requirement 10)All system component audit logs12 months (3 months immediately available)Within PCI-DSS scope environment (AWS eu-west-2)

The Three Pillars of Observability — UK Implementation

PillarUK PurposeClickMasters StackKey Metrics/Queries
LogsAudit trail (NHS/FCA), error investigation, GDPR incident evidenceAWS CloudWatch Logs (eu-west-2, 7-year retention)Error rate by endpoint, authentication failures, data access by user
MetricsPerformance (FCA PS21/3 Impact Tolerance), SLA monitoring, capacity planningAWS CloudWatch Metrics + Container Insightsp95/p99 latency, error %, RPS, CPU/memory per service
TracesDistributed request debugging, bottleneck identification, SLA root causeAWS X-Ray (or Jaeger for self-hosted Grafana stacks)Trace duration by service, slow database queries, external API latency

FCA PS21/3 Operational Resilience Observability

IBS-level availability dashboard: real-time uptime per IBS (payment processing, customer onboarding, claims handling). Alert at 95% of Impact Tolerance threshold.

Automated Impact Tolerance breach detection: if IBS downtime exceeds tolerance → automatic PagerDuty P1 alert → incident response playbook triggered.

Recovery time monitoring: time from failure detection to recovery documented automatically — fed into quarterly PS21/3 resilience testing report.

Synthetic monitoring: automated transaction every 5 minutes verifying IBS end-to-end (payment initiation → completion). Failure = IBS downtime start.

FCA PS21/3 requires firms to monitor Important Business Services (IBS) against Impact Tolerances. Observability for PS21/3:

NHS DSP Toolkit Observability Requirements

Access audit logs: every access to patient personal data logged (user ID, timestamp, action, data accessed). 6-year retention. Available to NHS on request.

Authentication event logging: all login attempts (success and failure), MFA events, privileged access. Alert on anomalous patterns (brute force, impossible travel).

Data export/download logging: any bulk export of patient data logged and alerted for security team review.

Availability monitoring: DTAC Domain 3 — system availability documented. ClickMasters configures 99.9% uptime SLA monitoring with monthly availability report.

NHS DSP Toolkit Standard 7 (Data Storage and Transmission) and Standard 6 (Cyber Security) require:

Frequently Asked Questions

Common questions about observability — uk software engineering guide (2025).

Yes — UK GDPR data minimisation applies to logs. Principles: (1) do not log personal data in application logs unless necessary for security/audit (use pseudonymous IDs where possible), (2) do not log passwords, payment card data, or health data in plain text (ever), (3) set log retention based on purpose — general error logs: 90 days, security audit logs: 6 years, (4) treat logs as a UK GDPR processing activity — include in your Article 30 ROPA. ClickMasters configures structured logging (JSON) with explicit personal data fields excluded from default log output.

ClickMasters standard observability stack: AWS CloudWatch Logs (application logs, 90-day default + configurable per regulation), CloudWatch Metrics (p95/p99 latency, error rate, RPS per endpoint), CloudWatch Alarms (error rate > 1% → PagerDuty alert, p99 latency > SLA → alert), AWS X-Ray (distributed tracing for all Lambda and ECS services), CloudTrail (AWS API audit log — who did what in AWS infrastructure, 7-year retention for regulated projects), and monthly availability report (SLA evidence for NHS DTAC and FCA PS21/3).

About the Author

James Whitmore, CTO UK observability and regulatory compliance specialist ClickMasters configures AWS CloudWatch observability stacks on all projects with UK regulatory log retention as standard.

Free Observability Architecture Review ClickMasters will...

Free Observability Architecture Review ClickMasters will review your observability stack and confirm NHS/FCA/UK GDPR compliance. → clickmasterssoftwaredevelopmentcompany.co.uk/contact/

Book a Free Consultation