Regular Feed of Operator Core Data (ROCD) (Pilot Project)
Purpose
The Regular Feed of Operator Core data (ROCD) project aims to establish a process for the Gambling Commission to collect data from operators on customers gambling behaviour. This allows us to better understand aspects of customers gambling, such as how customers gamble between different types of products, how customer behaviour changes over time, and how customers use safer gambling tools.
This data will increase the evidence base for decision making, providing a data source for the Commission to:
- evaluate Commission policy changes, in relation to the specified aims
- provide timely visibility of changes in the use of gambling services offered by gambling operators, as well as operators’ interactions with their account holders
- improve the Commission’s understanding of consumer trends and data driven policy making.
Any personal data the Commission collects is pseudonymised. This means that the personal data we receive about customers can only be attributable to you (the data subject) with the use of additional information.
Legal basis
The lawful basis the Commission is relying on to process your personal information is Article 6(1)(e) of the UK General Data Protection Regulation (UK GDPR) which permits processing if it is necessary for the performance of a task carried out in the public interest. Special category data includes information about your health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, sex life or sexual orientation.
Although the Commission is not specifically collecting special category information, we have identified that through the information that we collect, such as that a customer uses one or more of a range of safer gambling tools (such as, self-exclusion, product locks, has a spending limit applied and so on) it could be reasonably inferred that an individual may have a gambling disorder which could be linked to a recognised mental health condition.
The lawful basis the Commission is relying on to process special categories of personal information is Article 9(2)(g) of the UK GDPR which permits processing if it is necessary for reasons of substantial public interest and is authorised by domestic law and Schedule 1 Part 2 Section 6(2)(a) of the DPA 2018 which provides for the exercise of a function conferred on a person by an enactment or rule of law
What personal information do we collect
A single record of your customer account will be provided by operators on a daily basis where your account has been active on that day.
All of these fields will not always be populated as they may relate to gambling activities that the operator does not offer, or that you have not used during that day.
Demographic data is grouped in a way that would make it difficult to identify an individual from this information.
The data comprises of fields such as:
- encrypted unique customer ID field
- gender
- year of birth ranges (5-year age bands)
- decile of index of multiple deprivation where the account holder lives
- year account opened
- amounts deposited
- amounts withdrawn
- account balance at end of day
- number of stakes placed or bets made by product type
- use of gambling management tools
- total marketing contacts made by the operator.
Who we share your personal information with
We use third party resources such as technical data scientists and analysts who assist the Commission with this project to analyse data solely for the furtherance of the agreed purpose. We have contracts in place with our data processors and any processing activities related to this project will take place within the UK. Our data processors will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instructed. Data will be deleted by the data processor upon completion of the project.
In some circumstances we are legally obliged to share information. For example, under a court order or where we cooperate with other authorities in handling complaints or investigations. We might also share information with other regulatory bodies in order to further their, or our, objectives. In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making and satisfy ourselves we have a legal basis on which to share the information.
How long we keep it
Operator Data we receive as part of this project will be securely stored and disposed of by secure means when no longer required for the purpose it was collected. Operator Data will be held by the Commission for no longer than 10 years.
Rights of data subjects
Under data protection law, you have rights we need to make you aware of.
The Commission is responsible for meeting its obligations under the Data Protection Act 2018 and the UK GDPR in relation to:
- Right to be informed (Privacy Notice)
- Right of Access (Data Subject Access Request)
- Right to rectification
- Right to restrict processing.
In addition, you have the right to object to the processing of your personal information at any time.
You are not required to pay any charge for exercising your rights and we have one month to respond to your request.
If you wish to make a request or contact our Data Protection Officer, please contact us at foi@gamblincommission.gov.uk.
If you are not happy or are concerned about how your information is being processed, you can make a complaint to the Information Commissioner (ICO) (opens in new tab).
The ICO can also be contacted at:
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Do you need any extra help?
Last updated: 24 March 2025
Show updates to this content
No changes to show.