On 7 October 2021, the Information Commissioner’s Office (ICO) published its outcome report from Phase 1 of the Gambling Commission’s (GC) participation in the ICO’s Regulatory Sandbox (Sandbox). The GC entered the Sandbox to explore the concept of Single Customer View (SCV). SCV, if introduced, would allow data gathered by gambling operators regarding individual player behaviours to be aggregated and shared with other operators.
What is the Sandbox?
The ICO introduced the Sandbox service to support organisations who are developing products or services that use personal data in innovative and safe ways and where such products or services deliver a potential public benefit. As part of Phase 1/Objective 1 of the GC’s Sandbox plan, the GC and the ICO agreed to work together to:
- establish whether there is an appropriate lawful basis under Article 6 of the UK General Data Protection Regulation (UK GDPR) that allows for the sharing of behavioural or affordability data between online gambling operators via SCV, including the examination of existing legal gateways; and,
- consider the processing of special category personal data and the appropriateness of Article 9 conditions for processing under the UK GDPR.
What is SCV and how would it work?
The stated aim of SCV is to drive better decision making, actions and evaluation, to reduce gambling related harms across all online gambling operators. The model before the ICO refers to a process in which an individual hits different trigger points1 that lead to the online gambling operator sharing that data with the SCV solution, where it will then be subject to an algorithm that produces a “risk score” or “banding” for an individual. The “risk score” or “banding” will be shared with other online gambling operators, and interventions are expected to be made based on an individual’s level of risk. The exact data set and the datapoints that online gambling operators will be expected to provide, and in what form, are still to be confirmed.
What did the ICO conclude?
Lawful basis for sharing
The ICO concluded2 that the processing and sharing of behavioural data3 between gambling operators in order to identify individuals who may be “at-risk” of gambling related harms via an SCV may be lawful under Article 6 (1)(e) (Public Task) or Article 6 (1)(f) (Legitimate Interests)4. Both lawful bases would provide a discretionary gateway to the processing, and would require an assessment of the proportionality of the processing when the benefits to those individuals who are at risk are balanced against the potential detriment to all the data subjects whose data will be shared in connection with the SCV. There must also be a right for a data subject to object to such sharing.
Special Category Data
The ICO considered that it is likely that some elements of the data proposed to be processed via the SCV may qualify as special category data. The UK GDPR prohibits the processing of special category data without an Article 9 processing condition. Here, the ICO concluded that Article 9 (2)(g) – “processing is necessary for reasons of substantial public interest”5 – may be appropriate.
The GC has been advised that the data protection implications of any wider data sets intended to be used or shared in the SCV, such as affordability data, should be considered separately, based on their own merits and the factual situation. Therefore, when intending to incorporate affordability data into the SCV solution, the data protection risks will need to be considered separately, to ensure that the use of this data is compatible with the purpose for processing and that an appropriate lawful basis has been identified, alongside other data protection considerations.
What might this mean for gambling operators and bettors?
The ICO is clear that public task or legitimate interest may be relied on by gambling operators to share data with the SCV, and a right to object must be available. Whilst the right to object is not absolute, gambling operators would need to consider how best to explain this in their privacy information and ensure there is a mechanism in place for objections to be made and considered.
The lawful basis of legitimate interests can relate to interests of third parties such as those individuals with gambling “problems”, commercial interests, as well as wider societal benefits. These interests must be balanced against the interests, rights or freedoms of all the data subjects whose data is shared. If legitimate interests are to be relied upon, a legitimate interests assessment (LIA) will be required. If the LIA identifies any high risks6, a data protection impact assessment must also be completed. The gambling operator must be transparent about all of this and so the privacy notice must also explain those interests to the data subjects (bettors).
If data has been shared with the SCV and this results in a user’s gambling accounts being restricted, the ability to appeal or challenge that status is unclear. Further, the automated decision making element of the SCV arguably warrants greater scrutiny7. The ultimate arbitrator of whether an individual’s behaviour renders them a “problem gambler” – so whether the SCV’s decision is correct – is also unclear. In the event that data is wrong or inaccurate, the individual would be able to exercise their various data subject rights under the UK GDPR but it is not clear whether that is the most direct approach to resolving unforeseen or incorrect outcomes.
In an industry where successful gamblers regularly face account restrictions, it will be important that any decision making by online operators is clearly documented and fully in accordance with their legal obligations. In this context, given the ICO’s view that some elements of the data to be processed by the SCV may be special category data, this will require careful consideration and analysis by all industry participants, to ensure lawful processing conditions are satisfied.
In addition to behavioural data, the GC is considering the extent to which more detailed “Know Your Customer”8 data could be incorporated into the SCV and potentially explored within the Sandbox. This affordability data (or affordability “checks”) is currently completed differently by each gambling operator. Due to this, the ICO did not consider the incorporation of affordability data into the SCV and the ICO’s steers apply only to behavioural data. The steers provided by the ICO and contents of its Report could therefore be subject to change, due to the specific technical specification, architecture, or construction of the final SCV solution, or if any additional factual information is provided to the ICO about the processing activity.
It is open to the GC to continue in Phase 2 of the Sandbox, which would focus on potential data sharing solutions and wider compliance with data protection legislation. If the GC decides to proceed to Phase 2, the incorporation of affordability data into the SCV may also be explored in more detail.
It is understood that development of the SCV software underpinning the solution is well-advanced. It will be vital that the final software undergoes thorough testing and, if implemented by operators, that its use is closely monitored, to ensure operators are acting within the legal framework. If introduced, the ICO is likely to maintain a keen interest in any operators, and non-compliance could be met with significant fines under the UK GDPR.
In circumstances where the Gambling Act9 dictates that where an offence under that Act is committed by a body of persons corporate or unincorporate (other than a partnership) and it is proved that the offence was committed (a) with the consent or connivance of an officer of the body, or (b) as a result of the negligence of an officer of the body, the officer10, as well as the body, shall be guilty of the offence, the risks for such officers cannot be overstated. Getting it wrong could see operators, their officers and punters alike backing a long odds-on losing horse.
1 The core set of indicators proposed by the Commission included consumer spend; patterns of spend; time spent gambling; gambling behaviour indicators; customer-led contact; use of gambling management tools; and
2 The ICO’s conclusions are delivered by way of “steers”.
3 But not “affordability data” – see further, below.
4 The ICO also concluded that, should changes be made to gambling legislation, or if in the future the Commission inserted a new requirement into the Licence Conditions and Codes of Practice (‘LCCP’) about implementing the SCV, gambling operators may rely on Article 6 (1)(c) “Legal Obligation” of the UK GDPR as the lawful basis for processing.
5 Schedule 1, Part 2, Paragraphs 18 and 19 to the Data Protection Act 2018 - “Safeguarding of children and individuals at risk” or “Safeguarding of economic well-being of certain individuals” - may be appropriate substantial public interest conditions to enable reliance on Article 9 (2)(g).
6 Examples of high risk processing include the use of new technologies, or the novel application of existing technologies (including AI).
7 The ICO acknowledges this at paragraph 4.43 of its Report.
8 For example, customer provided or credit reference data on consumer income, financial vulnerability, or likelihood that the gambling is unaffordable.
9 Section 341 Gambling Act 2005.
10 Reference to an officer of a body includes a reference to (a) a director, manager or secretary, (b) a person purporting to act as a director, manager or secretary, and (c) if the affairs of the body are arranged by its members, a member – Section 341(3), Gambling Act 2005.