Where is our project data being stored - and who has access to it?

In most government digital projects, the choice of collaboration or delivery tool is made before the full delivery team is in place. This decision usually involves a combination of digital leadership, architecture, security and procurement functions, and is overseen by the Senior Responsible Owner (SRO) or Programme Director.

Once a preferred collaboration tool has been identified, attention usually turns to where project data will be stored and who will have access to it. These two areas, often referred to as Data Residency and Access Control, are not just technical concerns. They form a core part of your organisation’s responsibilities under data protection law and cyber security policy.

Data Residency refers to the geographic location where your organisation’s data is stored - for example, in a data centre located in the UK, the European Union or further afield. This matters because UK data protection legislation, including the UK GDPR, places specific legal responsibilities on public sector organisations - particularly those acting as data controllers. If personal or sensitive data is stored in a location without adequate legal safeguards, the data controller (usually your department or agency) may be in breach of its obligations.

A data controller is the person, department or organisation that decides:

• What personal data is collected

• Why it is collected

• How it is processed

• Where it is stored

• Who it is shared with

  
  

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller has the primary legal responsibility for ensuring that personal data is handled lawfully, fairly and securely.

Access Control refers to the permissions and restrictions that govern who can view, edit or manage that data, and under what conditions. It ensures that only the right people, at the right time can access delivery artefacts and that access can be monitored, reviewed and revoked. From a governance perspective, data controllers must ensure that appropriate access control is in place for any system handling personal or service-related information. This is particularly important in delivery teams with rotating contractors, multiple suppliers or matrixed team structures.

Let us start with Data Residency. Many cloud-based collaboration tools host their data in multiple regions around the world - most commonly in the United States or the European Union. Some providers offer UK-based data centres, but this is not always the default setting, and in some cases, it is not available at all. If you are working on a service that involves sensitive personal data, or if your department requires data to be held within the UK or EU, this becomes a critical issue.

You should never assume that “project tracking data” is harmless. Even simple user stories, notes or attachments may contain personal identifiers, test user data or policy-related information that could be considered sensitive. If that data is stored outside the UK without appropriate safeguards, it could place your team and your organisation at risk of breaching data protection obligations.

Then there is Access Control. Ask yourself:

• Who can see our backlog?

• Who has edit permissions?

• Can former team members, contractors or external partners still access it?

If you cannot confidently provide responses to these questions, then that should raise several red flags.

The tool you use must support features such as role-based access control, audit logging and, ideally, single sign-on using your organisation’s identity system. It should be easy to restrict access to specific projects, revoke it when needed, and ensure that all users are authenticated using secure credentials. Tools that rely on personal email addresses, invite-only access or shared passwords present a real risk - especially if team composition changes frequently.

I have seen cases where project boards remained accessible to former contractors months after they had left, simply because there was no off-boarding process linked to the tool. This not only undermines trust - it opens the door to unauthorised access, accidental data disclosure or audit failure.

Thank you for reading this post. I hope you found it interesting or thought-provoking. I enjoy hearing how others approach these questions, so your perspective is always welcome.

In my next post, I share my thoughts to the question: What Are We Actually Storing - And Should It Be There At All?

DataGovernance UKGDPR DigitalDelivery AgileTeams PublicSectorTech