ICO clarifies position on data sharing for financial risk checks

United Kingdom

The UK Information Commissioner’s Office (“ICO”), the UK’s data protection regulator, has written an open letter to UK Finance, an industry body for UK banking and financial services, to clarify its interpretation of UK data protection laws in the context of financial risk checks in the gambling sector, and in particular credit reference agencies sharing consumer credit risk data with gambling operators.

Financial risk checks – what does it mean for customer data?

The ICO’s letter to UK Finance follows a request for clarification from the industry body sent last year, to check the ICO’s position in relation to the sharing of personal data to facilitate “financial risk checks” by online gambling operators. This followed the Government and Gambling Commission’s (“Commission”) proposal to introduce new requirements on online gambling operators to carry out such checks as a condition of the licence. “Financial risk checks”, otherwise known as “affordability checks”, are one of the new proposals that feature in the gambling White Paper (which we explored in our Law-Now article here) and are intended to identify whether a customer’s gambling is likely to be harmful in the context of their financial circumstances. Under these proposals, operators would be required to take steps to understand a customer’s financial situation. A key question is whether consumer credit risk data could be shared by credit reference agencies with gambling operators, and whether this would be considered “compatible” with the original processing purpose for that data under Article 5(1)(b) of the UK GDPR.

Clarification by the ICO

In its letter, the ICO has confirmed the following:

  1. The GDPR does allow credit reference agencies to share personal information with gambling operators to enable financial risk checks, as there is a close link between the original purpose and the new purpose for sharing data. In accordance with the GDPR, the information that is shared must be limited to what is necessary to fulfil the purpose.
  2. The ICO expects credit reference agencies to conduct a data protection impact assessment (“DPIA”) before processing personal information for financial risk checks, due to the nature of the processing and the outcomes generated from it, which could include the denial of a service.
  3. Gambling operators will be expected to put in place “robust safeguards” to ensure the personal information they receive from credit reference agencies is analysed accurately, held securely and used only for the purposes of carrying out the financial risk checks. (On the latter point, the ICO’s letter repeated the Commission’s position that any use of such data for commercial gain would be a “significant regulatory issue” and could attract a “significant sanction”.)
  4. Bankers, lenders and other parties should update their privacy notices and other relevant accountability information to reflect the increased scope of data sharing by the credit reference agencies. The ICO would also expect gambling operators to communicate to consumers the potential for data sharing and the Commission intends that the potential for financial risk checks will be prominently and clearly communicated to all customers by gambling operators.

Next steps

The ICO also used its letter to draw attention to the Data Protection and Digital Information Bill that is currently before Parliament. The ICO noted that the Bill is set to introduce provisions to clarify that the processing of personal data for a new purpose is to be treated as compatible with the original purpose when the processing is necessary for “safeguarding vulnerable individuals”. The ICO highlighted that it believes there is a strong case that processing financial data for these checks is considered necessary for safeguarding vulnerable individuals, and so these legislative reforms will only further support the development of the new checks in the White Paper.

The ICO has been working closely with the Commission elsewhere on tackling problem gambling, including on the design of privacy safeguards in the context of addressing gambling harms. In its press release, the ICO noted that it has “also lent its support to plans for gambling companies to share information about customers identified as high risk who are gambling across multiple sites”. The ICO referenced its report to the Betting and Gaming Council on the ICO Sandbox, where it set out its advice on the necessary safeguards required to share personal data between different operators. Following the completion of the GamProtect pilot, we can expect a Single Customer View (“SCV”) solution to share data on individuals’ spending between businesses to be implemented across the gambling industry in due course.