Well, to put that in a realistic context, they should keep the minimum of data as possible, since there are not the military and have nearly no chance of keeping it secured if a real hacker group gets interested.
Real security, is about 0-proprietary, 100% assembly up to specific FPGA designs, very simple code/standards (but does a good enough job), chip foundries ready to produce and deploy "fixed" asics, 24/24 7/7 active monitoring teams in contact with ISPs/datacenters for active threat mitigation/detection/tracking, etc.
I forgot to mention, that much power should only be in the hands of the state and severely controlled, as that could be used for the "wrong", or "not wrong enough" reason. I already can smell some ppl from the music and movie industry lurking... or some authoritative regime ppl...
