UKGC Reveals Limited Data Protection Software Use
FOI shows no dedicated tools for data breach or processing records, and no plans to acquire them.
A Freedom of Information request reveals the UK Gambling Commission does not use specialised software for key data protection tasks like breach management or recording processing activities, and has no plans to procure any within the next three years.
A Freedom of Information (FOI) disclosure has revealed that the UK Gambling Commission (UKGC) does not use specialised software for several key data protection and information governance functions, including data breach management.
The response, dated 6 September 2023, shows the regulator has no plans to review, budget for, or procure such technology within the next three years.
Why This Matters
As the regulator of the British gambling industry, the UKGC handles a significant volume of sensitive information. This includes data on licence holders, financial information, and details relating to investigations and consumer complaints. Robust information governance is essential to ensure this data is managed securely and in compliance with legal obligations like the UK General Data Protection Regulation (UK GDPR).
While the use of specific software is not a legal requirement, dedicated platforms are commonly used by large organisations to automate, track, and audit data protection activities, improving efficiency and reducing the risk of human error.
Breakdown of the Findings
The FOI request asked the UKGC about its use of software across several information governance categories. The regulator confirmed it does not use any dedicated applications for:
- Record of Processing Activity (ROPA): A legally required record under UK GDPR of how an organisation processes personal data.
- Data Breach Management: Tools to manage and document the response to a data security incident.
- ISO 27001 / ISO 27701 Compliance: Standards for information security management.
- Policy Management: Centralised systems for managing internal policies.
The Commission stated it does use software for two functions:
- Freedom of Information Management: WorkPro (version 5.31.2.4561)
- Data Protection and Security Awareness eLearning: Learning Nexus
No Plans for Future Investment
Perhaps most significantly, the FOI response shows a clear lack of intent to invest in these areas. In response to a series of follow-up questions, the UKGC confirmed that in the next three years, it has:
- No plans to review or explore the market for information governance technology.
- No plans to allocate a budget for such technology.
- No plans to develop a business case for procuring it.
Significance for Consumers
This disclosure provides a rare insight into the internal operational tools of the gambling regulator. It reveals a reliance on non-specialised or manual processes for critical data protection functions like recording processing activities and managing data breaches. For consumers, the security and proper handling of data held by a major public body is a key aspect of trust in the organisation. The Commission's stated position of having no plans to explore technological support in these areas for the next three years suggests this is not considered a current investment priority.