UKGC: No Records on Remote Assessment Data Risks
FOI reveals no formal data protection impact assessments were recorded for remote compliance checks.
A Freedom of Information request has revealed the UK Gambling Commission holds no formal documents assessing the data protection risks of its remote compliance assessments. The regulator stated the process did not meet the 'high risk' threshold requiring a formal impact assessment, and any discussions may have been verbal.
UKGC Holds No Recorded Analysis of Data Risks from Remote Assessments
A Freedom of Information (FOI) request has revealed that the UK Gambling Commission (UKGC) holds no formal documents analysing the data protection risks associated with its move to remote compliance assessments.
In a response dated 12 January 2023, the regulator confirmed it did not have any Data Protection Impact Assessments (DPIAs) or other records, such as board minutes, that identified or analysed the potential risks to personal data when it began conducting compliance checks remotely around 2015.
Why This Matters for Consumers
Compliance assessments are a key tool used by the UKGC to ensure gambling operators are adhering to licence conditions, including rules on social responsibility and anti-money laundering. These assessments can involve the regulator accessing sensitive customer information held by operators.
The shift to remote assessments meant this data was being accessed and reviewed from a distance, rather than during on-site visits. The absence of a formal, documented risk assessment raises questions about the initial due diligence performed to safeguard consumer data during this procedural change.
Details of the FOI Response
The request specifically asked for two types of information:
- Any DPIAs or similar documents that recorded the UKGC's analysis of data protection risks from introducing remote compliance assessments.
- Any documents describing the controls put in place to minimise those risks.
The Commission’s response stated: "Following a review of our records, including Board papers and minutes dating back to 2014, I can confirm that no recorded information falling within the scope of your request is held by the Commission."
The UKGC justified the lack of a formal DPIA by stating that, in its view, the introduction of remote assessments did not meet the threshold of "processing that is likely to result in a high risk to individuals." The regulator added that while the topic would have been discussed internally, these discussions "would not have necessarily generated recorded information" and "may have only been discussed verbally."
Significance for Regulatory Transparency
While the UKGC asserts that the process was not high-risk, the lack of a documented paper trail makes it difficult for external observers to scrutinise the basis for this conclusion. A formal DPIA is a standard procedure for organisations to demonstrate they have systematically considered and mitigated potential data protection risks before starting a new project or process involving personal data.
The response indicates that a significant change in how the regulator interacts with sensitive operator data was implemented without the creation of formal, recorded risk assessments. For consumers, this highlights a historical lack of documented assurance regarding how their personal data was protected during a key phase of regulatory oversight.