Due diligence carried out prior to the appointment of Kirsty Caldwell

Request date: 12 March 2026

This version was printed or saved on: 26 May 2026

Online version: https://www.gamblingcommission.gov.uk/about-us/freedomofinformation/due-diligence-carried-out-prior-to-the-appointment-of-kirsty-caldwell

Request

Please provide all due diligence carried out prior to the appointment of the same Kirsty Caldwell to the Industry Forum in 2024.

Response

Thank you for your request which has been processed under the Freedom of Information Act 2000 (FOIA).

In your email you have requested all due diligence carried out prior to the appointment of Kirsty Caldwell to the Industry Forum in 2024.

The Gambling Commission can confirm that information is held falling within the scope of your request.

However, this information is exempt from disclosure under section 40(2) of the FOIA. Our considerations for applying this exemption are detailed below.

Section 40(2)

The Commission believes that the information you have requested relates to an identifiable individual and therefore constitutes personal data.

The Data Protection Act 2018 requires personal data to be processed lawfully, fairly and in a transparent manner in relation to the data subject. It is the view of the Commission that disclosing the personal information within the requested documents would constitute the disclosure of personal data and would contravene this principle.

This information is therefore exempt under section 40(2) of the Freedom of Information Act 2000.

Review of the decision

If you are unhappy with the service you have received in relation to your Freedom of Information request you are entitled to an internal review of our decision. You should write to FOI Team, Gambling Commission, 4th floor, Victoria Square House, Victoria Square, Birmingham, B2 4BP or by reply to this email. 

Please note, internal review requests should be made within 40 working days of the initial response. Requests made outside this timeframe will not be processed.

If you are not content with the outcome of our review, you may then apply directly to the Information Commissioner (ICO) for a decision. Generally, the ICO cannot make a decision unless you have already exhausted the review procedure provided by the Gambling Commission. 

It should be noted that if you wish to raise a complaint with the ICO about the Commission’s handling of your request for information, then you are required to do so within six weeks of receiving your final response or last substantive contact with us.

The ICO can be contacted at: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

Information Management Team
Gambling Commission

Internal Review Request

I am writing to request an internal review of the Commission's response dated 9 April 2026 to my FOI request for all due diligence carried out prior to the appointment of Kirsty Caldwell to the Industry Forum in 2024.

The refusal under section 40(2) is not adequately supported and does not demonstrate that the exemption has been properly applied. In particular:

Failure to identify personal vs non-personal data: The response does not explain which elements of the due diligence constitute personal data, nor whether any information is not personal data. Due diligence for a public appointment typically includes process-based assessments, governance checks, conflict-of-interest reviews, and procedural records, which are not automatically personal data.

Failure to consider partial disclosure or redaction: The Commission has not demonstrated that it considered whether non-personal elements could be disclosed with personal data redacted, as required by FOIA and ICO guidance on mixed data.

Failure to apply the fairness test: The response does not address the factors relevant to fairness under Article 5(1)(a) UK GDPR, including:
- the public nature of the appointment,
- the seniority of the individual, and
- the public interest in transparency of appointment processes.

Failure to consider the public interest in transparency of public appointments: ICO decision notices consistently recognise that individuals appointed to public-facing roles have a reduced expectation of privacy regarding appointment-related due diligence.

Blanket reliance on s40(2): The refusal appears to apply s40(2) in a blanket manner without engaging with the content of the information held. This does not meet the standard required by FOIA or ICO guidance.

For these reasons, I request that the Commission conducts a full internal review, including:

Internal Review Response

I am writing to you further to your Freedom of Information request dated 12/03/2026 which we responded to on 09/04/2026, and your subsequent request for an internal review received on 09/04/2026.

We have now concluded our review, and our findings are detailed below.

This internal review was conducted by someone who was not involved in the processing of your original request.

In your initial email you requested the following information:

Please provide all due diligence carried out prior to the appointment of the same Kirsty Caldwell to the Industry Forum in 2024.

In our initial response we advised that information was held falling within the scope of your request. However, this information is exempt from disclosure under section 40(2) of the FOIA. In your request for an internal review, you have expressed concerns with the application of section 40(2). Including:

Internal Review

Section 40(2) of FOIA provides that information is exempt from disclosure if it is the personal data of an individual other than the requester and where one of the conditions listed in section 40(3A)(3B) or 40(4A) is satisfied.

In this case the relevant condition is contained in section 40(3A)(a) - the disclosure of the information to a member of the public otherwise than under this Act—

(a) would contravene any of the data protection principles,

This applies where the disclosure of the information to any member of the public would contravene any of the principles relating to the processing of personal data as set out in Article 5 of the UK General Data Protection Regulation (UK GDPR).

Firstly, we must determine whether the withheld information constitutes personal data. Section 3(2) of the Data Protection Act 2018 (DPA) defines personal data as:

‘any information relating to an identified or identifiable living individual’.

The two main elements of personal data are that the information must relate to a living person and that the person must be identifiable. An identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual. Information will relate to a person if it is about them, linked to them, has biographical significance for them, is used to inform decisions affecting them or has them as its main focus.

Having been a member of the Forum since March 2024, we can confirm that due diligence did take place on the appointment of Kirsty Caldwell. These checks are carried out to ensure the members of Industry Forum meet the requirements of the Code of Conduct. This information therefore falls within the definition of ‘personal data’ in section 3(2) of the DPA, as the withheld information relates to the professional backgrounds and experience of an individual that is identifiable. The fact that information constitutes the personal data of an identifiable living individual does not automatically exclude it from disclosure under FOIA.

Secondly, we must establish whether disclosure of that data would breach any of the data protection principles. There are seven data protection principles. In this case, it is principle (a) which is relevant to this request.

Principle (a) states:

‘Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject…’

Article 5(1)(a) of the UK GDPR states that “Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”. This means that the information can only be disclosed if to do so would be lawful, fair and transparent.

In the case of an FOIA request, the personal data is processed when it is disclosed in response to the request. This means that the information can only be disclosed if to do so would be lawful, fair, and transparent.

In order to be lawful, one of the lawful bases listed in Article 6(1) of the UK GDPR must apply to the processing. It must also be generally lawful.

Article 6(1) of the UK GDPR specifies the requirements for lawful processing by providing that “processing shall be lawful only if and to the extent that at least one of the” lawful bases for processing listed in the Article applies.

The Commission considers that the lawful basis most applicable is basis 6(1)(f) which states: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.

In considering the application of Article 6(1)(f) of the UK GDPR in the context of this request for information under FOIA, it is necessary to consider the following three-part test:

i. Legitimate interest test: Whether a legitimate interest is being pursued in the request for information;

ii. Necessity test: Whether disclosure of the information is necessary to meet the legitimate interest in question;

iii. Balancing test: Whether the above interests override the legitimate interest(s) or fundamental rights and freedoms of the data subject.

Legitimate interest

In considering any legitimate interest(s) in the disclosure of the requested information under FOIA, the Commission recognises that a wide range of interests may be legitimate interests. They can be the requester’s own interests or the interests of third parties, and commercial interests as well as wider societal benefits.

It is recognised that in assuming the role, members of the Industry Forum take on public positions, not acting as private individuals. They have influence on statutory mechanisms that could materially impact on members of the public.

The Gambling Commission announced the appointment of Kirsty Caldwell as the Interim Chair of the Industry Forum in January 2026. Having been a member of the Forum since March 2024, Kirsty will serve as Interim-Chair whilst recruitment begins to appoint a substantive Chair to succeed Nick Rust, whose term as Chair ended in November 2025.

For context, members are appointed for 2 to 3 year terms and will need to meet the requirements of a Code of Conduct. This Code should be read in conjunction with the IF Terms of reference.

Therefore, basic details about their professional experience and backgrounds fall squarely within the scope of lawful, fair, and proportionate disclosure under both GDPR and FOIA.

The Commission accepts that the requestor, as well as the wider public, has a legitimate interest in understanding the due diligence conducted by the Commission, to make an assessment of an individual’s suitability to sit on the Industry Forum.

Necessity, is disclosure necessary?

In the context of the FOIA, ‘necessary’ means more than desirable but less than indispensable or absolute necessity.

Accordingly, the test is one of reasonable necessity and involves consideration of alternative measures which may make disclosure of the requested information unnecessary. Disclosure under the FOIA must therefore be the least intrusive means of achieving the legitimate aim in question.

As the request is specifically for details of the due diligence carried out prior to the appointment of Kirsty Caldwell to the Industry Forum in 2024, the Commission considers that disclosing the requested information would be necessary to fulfil the request. However, a biography of Kirsty Caldwell’s professional background is publicly available on the Gambling Commission website:

Kirsty Caldwell

Balancing

Finally, it is necessary to balance the legitimate interests in disclosure against the data subject’s interests or fundamental rights and freedoms. In doing so, it is necessary to consider the impact of disclosure. For example, if the data subject would not reasonably expect that the information would be disclosed to the public under FOIA in response to the request, or if such disclosure would cause unjustified harm, their interests or rights are likely to override legitimate interests in disclosure.

A key issue is whether the individuals concerned have a reasonable expectation that their information will not be disclosed. These expectations can be shaped by factors such as an individual’s general expectation of privacy, whether the information relates to their professional role or to them as individuals, and the purpose for which their personal data was obtained.

Information about the professional background and experience was gathered prior to Kirsty Caldwell’s appointment as a member of Industry Forum. Other than the Chair, IF members are not paid by the Commission, they are not employed by the Commission, they act in an advisory capacity to provide insight into the views of industry about the Commission's plans, the quality of Commission services, and the wider environment in which gambling operators work rather than serve as decision makers. Kirsty Caldwell has only recently taken the position of interim chair, whilst the Commission is in the process of recruiting a substantive Chair.

Whilst I acknowledge that there is a general legitimate interest in transparency regarding the appointment process of Industry Forum members, I do not consider that there is sufficient legitimate interest to outweigh the data subject’s fundamental rights and freedoms. I therefore consider that disclosing the requested information would be unlawful as it would contravene a data protection principle. As such, I uphold the decision to withhold the information under section 40(2), by way of section 40(3A)(a).

If you are not content with the outcome of your review, you may apply directly to the Information Commissioner (ICO) for a decision. Generally, the ICO cannot make a decision unless you have exhausted the complaints procedure provided by the Gambling Commission. The ICO can be contacted at www.ico.gov.uk