However, any sharing of personal information must be done transparently and proportionately.
As part of the Gambling Act review, the ICO has collaborated with the UK Gambling Commission (UKGC) to develop privacy safeguards for financial risk checks.
Specifically, the UKGC plans to consult on two forms of financial risk check. Firstly, background checks at moderate levels of spend, to take place at £125 net loss within a month or £500 within a year.
Second, at proposed thresholds of £1,000 net loss within 24 hours or £2,000 within 90 days, there should be “more detailed” checks for a customer’s financial position.
Go-ahead for UKGC consultation
The UKGC has welcomed the ICO’s decision and described it as an “important step” ahead of its own consultation.
The ICO’s decision “will allow stakeholders to progress discussions about how such assessments can take place, the necessary safeguards and transparency for data sharing, and to build appropriate data-sharing agreements,” the UKGC said.
Meanwhile, Stephen Almond, executive director of regulatory risk at the ICO, emphasised the severe consequences of problem gambling.
He said: “Problem gambling has devastating consequences for people’s finances, relationships and health. We are keen to see the financial sector share data to protect people from unaffordable losses and spiralling debt.”
The ICO informed that it is of the opinion that the UK’s General Data Protection Regulation (GDPR) “does allow credit reference agencies to share personal information with gambling operators for the purposes of enabling financial risk checks.”
“We are keen to see the financial sector share data to protect people from unaffordable losses and spiralling debt.”
However, “in accordance with the GDPR, the information that is shared must be limited to what is necessary,” Almond added.
Additionally, the ICO stated that credit reference agencies should carry out a data protection impact assessment prior to processing personal information for financial risk checks.This assessment is necessary due to the nature of the processing and the potential outcomes, which could include denial of service.
Moreover, the ICO emphasised that gambling operators have a responsibility to protect any additional information they receive and utilise it solely for the purpose of conducting financial risk checks.
Furthermore, the ICO has called for banks, lenders, and other involved parties to update their privacy notices and other relevant accountability information to reflect the expanded scope of data sharing.
Data-sharing between operators
The ICO has also expressed its support for the initiative of gambling companies to share information regarding customers identified as high risk and engaged in gambling across multiple platforms.
Earlier this year, the Betting and Gaming Council (BGC), along with operators such as Entain, William Hill, 888, Gamesys, bet365, and Flutter, participated in a pilot project that was also referred to as “single customer view”.
The project aimed to explore data-sharing practices among gambling operators when there are signs of potential harm to the customers.
Almond added: “Data sharing can be a force for good, enabling organisations to protect people from gambling-related harm. We’ve been pleased to work with the Betting and Gaming Council through our Regulatory Sandbox to help them safeguard gamblers while upholding their rights to privacy.”
Following the successful completion of the Sandbox pilot, the data-sharing single customer view project, now named GamProtect, will be implemented across the gambling industry with the support of the BGC and its member operators.
The UKGC added: “Now that the sandbox phase is complete and a solution is in place, we look forward to the rapid development of GamProtect.
“This will include the onboarding of more gambling businesses and the expansion of markers of harm to identify individuals at serious risk.”
The ICO’s full report on GamProtect, including guidance on the necessary safeguards for sharing personal data between different operators, can be accessed here.
