I don't know the first thing about what the UK Data Protection Act covers, but you can clearly see in the iCloud and Mail, Contacts, Calendars settings that you can slide off Mail yet still slide on the other categories of data.
Contacts (addresses), Calendars, Reminders, Notes.
If it's OK to store that sort of information, then your consultant can continue to use Mobile Me / iCloud to put that information in the cloud. Again, you are trusting them to not store actual "protected data" inside an appointment as an attachment (mail message) as well as not enable the mail slider.
You might just decide to require them to use a hosted mail and account that complies with your data storage requirements. Period, full stop. Sometimes that is the cost of doing business as a professional.
Also - you can bank fairly certainly that Apple won't change the drop dead date to finish MobileMe since it's been published for about 13 months now.
http://www.apple.com/mobileme/transition.html
All MobileMe mail will shut off on June 30th, 2012 - presumably Pacific time in the US.
The system keychain is stored in /Library/Keychains/System.keychain and the key to unlock it is stored in /var/db/SystemKey (its default file permissions are readable by root only). The location of these files is referenced in the security-checksystem script (from the security_systemkeychain source). It is even possible to test the automatic locking/unlocking of the system keychain by using
systemkeychain -vt
The keychain security framework allows non-privileged programs to make requests for information provided they are in the ACL stored within the keychain entry. Obviously if a user has root on a system they can directly access both the file storing the system keychain and the key to unlock it, thus they do not have to make requests via the security framework and are not beholden to the ACLs stored within the keychain itself.
(I didn't actually answer the original questions so let's give this another go)
How are the keys architected such that any administrative user can unlock the System Keychain?
The libsecurity keychain framework allows regular processes to interact with the system keychain in an authenticated manner using Apple's XPC interprocess communication framework (IPC).
Program A sends a request to access the system keychain information using IPC. A check is made that the requesting user is already in the wheel group and also knows the password of a user in the wheel group. Once authorization is confirmed, the privileged kcproxy daemon can be used to access material in /var/db/SystemKey, unlock the system keychain and return the requested information.
Are there cryptographic restrictions that limit what an administrative user can do with information in the System Keychain in any way?
No - an administrative user is allowed to access/change anything in the system keychain. Even if they couldn't, they could copy the underlying files to another machine on which they have complete control and just unlock/access it there.
Given an unencrypted system backup without /Users, how would you gain access to the keys in the System Keychain?
If the backup contained copies of /Library/Keychains/System.keychain and /var/db/SystemKey then I would copy them to their respective locations on a new OS X system and use systemkeychain to make the latter unlock the former and dump the keychain database using security dump-keychain.
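A defensive check for the point made in this answer, added here as an example and not part of the original post: it audits a system root or a mounted backup for a SystemKey that is readable beyond its owner, and for a backup that carries the key together with the keychain it unlocks. The function name and the finding labels are assumptions made for the example; the two paths are the ones named in the answer.

```shell
#!/bin/sh
# Added example (not from the original answer): audit a system root or a
# mounted backup for exposure of the System keychain and its unlock key.
# Usage: sh audit.sh /Volumes/Backup/2012-06-01   (path is illustrative)

KEYCHAIN_REL="Library/Keychains/System.keychain"
KEY_REL="var/db/SystemKey"

# Prints one finding per line, or "OK <root>" when there is nothing to report.
# Returns 0 when clean, 1 when at least one finding was printed.
audit_keychain_root() {
    root=${1%/}
    kc="$root/$KEYCHAIN_REL"
    key="$root/$KEY_REL"
    rc=0

    if [ -f "$key" ]; then
        # The answer states SystemKey is readable by root only by default,
        # so any group-read or other-read bit is a deviation worth flagging.
        if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) -print)" ]; then
            echo "LOOSE_PERMS $key"
            rc=1
        fi
        # Key and keychain in the same tree: whoever can read this tree can
        # unlock the keychain, so the tree needs encryption or tight access.
        if [ -f "$kc" ]; then
            echo "PAIR_PRESENT $root"
            rc=1
        fi
    fi

    [ "$rc" -eq 0 ] && echo "OK $root"
    return "$rc"
}

# Audit every root given on the command line; does nothing without arguments.
for r in "$@"; do
    audit_keychain_root "$r" || true
done
```

A PAIR_PRESENT finding on an unencrypted backup means the backup should be treated as holding every secret in the System keychain.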
Best Answer
1Password does not use "iCloud", which is a service offering from Apple; by default it uses Dropbox but can also use other cloud solutions. 1Password does not support storing data on Apple's iCloud.
1Password 3 data file sync solutions
About 1Password Encryption
And more about Agile Keychain Design and encryption
Information about Dropbox and encryption. Keep in mind that Dropbox does not encrypt the files that you store with their service, but they do encrypt the traffic between your computer and their servers at Amazon.
UPDATE 20121217: I see that the latest version of 1Password does offer the ability to use Apple's iCloud for storing and sharing.
Here is a knowledge base article from Apple on the subject, iCloud: iCloud security and privacy overview. But it does not cover the encryption of non-Apple application data.
Ars has a much better article discussing encryption in iCloud: Apple holds the master decryption key when it comes to iCloud security, privacy
It seems to me that Agilebits has really fallen behind on updating their web site with information about the latest version of 1Password for iOS. It looks like 1Password Pro, which I have been using for awhile now, has been removed from iTunes and the only version available is the new version here. I would guess that a new version for the desktop is also on its way.