Who controls the technology behind a UK local council?
How much this sector depends on technology suppliers it cannot fully control — and where that matters most.
The big picture
A typical UK council scores 3.6 (High). Most building blocks are High exposure, clustered on one fact: many systems a council thinks of as British are run from UK offices but owned abroad. The revenues-and-benefits engine (Civica, US), planning (Idox, US) and a main children’s social-care platform (Liquidlogic, Jersey; OLM, US) are foreign-controlled, even though they host in Britain. The most sensitive data the state holds — children’s social-care and safeguarding records — sits in this group. The one bright spot the private sectors lack: the government’s own platforms (GOV.UK Pay, Notify, One Login) and UK-owned Netcall give councils real British options for payments, messaging, log-in and customer service.
We looked at the everyday layers of technology a UK local council relies on, from the cloud it runs on to the systems that define the sector. A supplier owned in the United States can be compelled to hand over data under US law — the CLOUD Act[1], and the surveillance powers in Section 702 of the Foreign Intelligence Surveillance Act[2] — even when that data is stored in Britain; a British supplier answers only to UK law. We scored each building block on four things — how few the suppliers are, whose laws they answer to, how hard they are to switch, and how essential they are.
Where the exposure sits
Who controls each layer
The building blocks this sector relies on, coloured by who ultimately controls each one:US-controlledOffshoreUK-controlled
The signature public-sector finding: several market leaders councils think of as British are foreign-owned under the ownership-not-headquarters test — Civica (US/Blackstone), NEC (Japan), Idox (US PE), OLM (US via Civica), Liquidlogic/System C (Jersey/CVC). Genuine UK-controlled options exist in Capita (revenues), Mosaic/Servelec (social care), Arcus (planning) and Netcall (CRM), and the UK state ships GOV.UK Pay, Notify and One Login. By layer: 3 of 9 are Medium (citizen services, payments — both with credible UK options) and 6 of 9 are High; the substrate concentrates on two US hyperscalers (Microsoft and Amazon) beneath nominally separate suppliers.
What this means, in plain terms
If a supplier pulled the plug, how fast would it hurt?
| Speed of impact | Layer | What happens |
|---|---|---|
| days; recovery >12 months | Revenues & benefits | Council tax billing and benefit payments stop. Migrating a revenues/benefits system is a multi-year programme — the deepest crisis gap on the profile. |
| days; recovery >12 months | Social-care case management | Live safeguarding and care records become unavailable while a statutory duty to continue persists; deep, high-risk data migration. |
| under 24 hours | Staff & citizen log-in (identity) | Fastest failure — an instant lockout across every system at once. |
| hours (per dominant vendor) | Microsoft event | Azure + Microsoft 365 + Entra + Power BI, plus Azure-hosted line-of-business, fail together — identity gates the set. One of the two true worst cases. |
| days (per dominant vendor) | Civica event | Revenues/benefits, a social-care platform and payments fail together — the operational core under one US-owned vendor. |
What organisations can do about this
| Building block | Practical steps |
|---|---|
| Revenues & benefits | Choose ownership at the framework renewal — prefer the UK-owned option (Capita) where it meets need, and insist on open-format data export and a clear exit clause so the next move is not blocked. Procurement cycles are long, so the renewal is the moment that matters. |
| Social care | Treat children’s data as the highest stakes. Where the UK-owned platform (Mosaic/Servelec) meets need, weigh it seriously against the Jersey-controlled Liquidlogic and US-controlled OLM. Switch deliberately, not by default. |
| Planning & building control | Weigh the British alternative (Arcus, UK) against the US-owned leader (Idox). Planning data is largely public, so the priority here is keeping the service running rather than confidentiality. |
| Log-in and payments | Adopt the government’s own platforms: GOV.UK One Login for citizen sign-in and GOV.UK Pay for resident payments. Both are British, state-run and in production — a real repatriation route the private sectors do not have. |
| Cloud, office and reporting | Reduce the Microsoft concentration over time by splitting log-in or reporting off Microsoft where feasible. UK and European cloud options include OVHcloud or Scaleway (France), IONOS (Germany) and Civo (UK). Heavy, longer-term work — the structural project, not the quick win. |
Sources
- US CLOUD Act 2018 (18 U.S.C. 2713) – compels US-incorporated providers to produce data in their custody wherever in the world it is stored. https://www.govinfo.gov/content/pkg/USCODE-2018-title18/html/USCODE-2018-title18-partI-chap121-sec2713.htm
- US Foreign Intelligence Surveillance Act, Section 702 (50 U.S.C. 1881a) – a US directed-surveillance authority. https://www.govinfo.gov/app/details/USCODE-2021-title50/USCODE-2021-title50-chap36-subchapVI-sec1881a
- Vendor ownership and hosting – taken from company filings, public registries (including UK Companies House) and suppliers’ own documentation, compiled in the Information Matters UK vendor sovereignty database.
How we did this. We scored each technology layer on four things — supplier concentration, whose laws they answer to, how hard they are to switch, and how essential they are — using the IM Sovereignty Framework and our UK vendor database. Control and hosting facts come from primary sources; the harder-to-quantify judgments are our reasoned view of a typical organisation. Scores are bands, not exact measurements. Full evidence record available on request.
This research consists of the opinions of the Information Matters team — human and AI — and should not be considered statements of fact.
Information Matters · informationmatters.net
If you have any questions or comments about this article please email info@informationmatters.net

