Memorandum of Understanding between the Fundraising Regulator and the Gambling Commission
This Memorandum of Understanding (MoU) establishes a framework for cooperation and information sharing between the Fundraising Regulator (opens in new tab) (the FR) and the Gambling Commission (the Commission), collectively referred to as ‘the parties’ throughout this document.
It sets out the broad principles of collaboration and the legal framework governing the sharing of relevant information and intelligence between the parties. The shared aims of this MoU are to enable closer working between the parties, including the exchange of appropriate information, to assist them in discharging their respective regulatory functions and duties.
This MoU is a statement of intent that does not give rise to legally binding obligations on the part of either the FR or the Commission. The arrangements set out in this MoU are subject to what is permitted and required by law. It has been determined that personal information being shared will not require a separate Data Sharing Agreement at this time. This position will be kept under regular review.
The role and function of the FR
The FR is an independent body established in 2016 as the voluntary regulatory body for all charitable fundraising undertaken by charitable institutions and third parties in England, Wales and Northern Ireland. The FR also regulates fundraising in Scotland by charities registered with the Charity Commission for England and Wales.
The mission of the FR is to:
- inform and protect the public, donors, potential donors and beneficiaries
- take action to continue to improve standards in fundraising
- use our knowledge and insight to support excellent standards of fundraising now and in the future
- sustain and enhance public confidence in charitable fundraising.
Functions and powers of the Gambling Commission
The Commission is an independent, non-departmental public body, sponsored by the Department for Digital Culture, Media and Sport (opens in new tab). Under the Gambling Act 2005 (opens in new tab) the Commission regulates all commercial gambling in Great Britain, apart from spread betting, in partnership with local Licensing Authorities. The Commission also has powers to prosecute criminal offences under the Gambling Act 2005, including the offences of promoting or facilitating a lottery that is not an exempt lottery, misusing the profits of a lottery, and misusing the profits of an exempt lottery.
The Commission has a statutory obligation to permit gambling insofar as it is consistent with the pursuit of the licensing objectives, which are to:
- prevent gambling from being a source of crime and disorder, being associated with crime and disorder or being used to support crime
- ensure that gambling is conducted in a fair and open way
- protect children and other vulnerable persons from being harmed or exploited by gambling.
The Commission is also responsible for regulating The National Lottery including the company which runs The National Lottery.
The Commission has specific legal responsibilities in regulating the National Lottery, which are:
- ensuring that the interests of all players are protected
- ensuring the Lottery is run with due propriety
- that returns to good causes are maximised.
Purpose of information sharing
The purpose of the MoU is to enable the parties to share relevant information which enhances their ability to discharge their respective functions.
This MoU should not be interpreted as imposing a requirement on either party to disclose information in circumstances whereby doing so would breach their statutory responsibilities. In particular, each party must ensure that any disclosure of personal data pursuant to these arrangements fully complies with both the UK General Data Protection Regulation (opens in new tab) (GDPR) and the Data Protection Act 2018 (opens in new tab) (DPA). This MoU sets out the potential legal basis for information sharing, but it is for each party to determine for themselves that any proposed disclosure is compliant with the law.
Principles of cooperation and sharing
Subject to any legal restrictions on the disclosure of information (whether imposed by statute or otherwise) and at their discretion, the parties agree that they will alert each other to any potential breaches of relevant legislation or regulations, within the context of this relationship, discovered whilst undertaking their respective duties, and provide relevant and necessary supporting information.
Subject to any legal restrictions on the disclosure of information (whether imposed by statute or otherwise) and at their discretion, the parties will:
- communicate regularly to discuss matters of mutual interest (this may involve participating in multi-agency groups to address common issues and threats); and
- consult one another on any issues which might have significant implications for the other organisation.
The parties will comply with the general laws they are subject to, including, but not limited to, local data protection laws; the maintenance of any prescribed documentation and policies; and comply with any governance requirements in particular relating to security and retention, and process personal data in accordance with the statutory rights of individuals.
Legal basis for sharing information
Information shared by the FR with the Commission
The Commission’s statutory functions relate to the legislation set out previously and this MoU governs information shared by the FR to assist the Commission in meeting those responsibilities. To the extent that any such shared information is to comprise personal data, as defined under the UK GDPR and DPA, the FR is a Data Controller so must ensure that it has legal basis to share it and that doing so would otherwise be compliant with the data protection principles.
The Commission’s Privacy Statement includes a section entitled ‘Obtaining Data from Third Parties’. It states, in accordance with our statutory functions and powers, we will obtain data from third parties in the following ways (and for the following reasons): from complainants, other regulatory bodies, witnesses and experts about persons relevant to a regulatory investigation.
In the context of its stated purpose as ‘… a voluntary regulatory body that promotes and supports a culture of ethical fundraising, protecting the public, donors and potential donors, not least those who may be vulnerable, and creating a positive donor experience’ the FR is considered a ‘regulatory body’.
Information shared by the Commission with the FR
The Commission, during the course of its activities, will receive information from a range of sources, including personal data. The Commission may identify that information it holds, which may include personal data, ought to be shared with the FR as it would assist them in performing their functions and discharging their regulatory responsibilities. It will process all personal data in accordance with the principles of the UK GDPR, the DPA and all other applicable legislation.
Article 6(1)(e) of the UK GDPR (opens in new tab) provides a processing pathway which is relevant to the Commission’s intelligence, investigations and enforcement activity: that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
This pathway is reflected in Commission’s Privacy Statement which states that the Commission collects and processes personal data based on one or more of the following legal bases:
- legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations)
- public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
This position is further qualified by Article 6(3) which states that the basis for such processing must be laid down in domestic law.
- Section 8 of the DPA (opens in new tab) confirms that the public task basis will cover processing necessary for statutory functions
- Sections 1(a) and 1(b) of the Gambling Act 2005 (opens in new tab) outline the Commission’s statutory functions as being to keep crime out of gambling and to ensure gambling is conducted in a fair and open way
- Schedule 1, Part 2, Section 11 of the DPA (opens in new tab) outlines the substantial public interest conditions that apply relating to ‘protecting the public against dishonesty etc’. Sub-paragraph (1) outlines that the condition is met if the processing:
a. is necessary for the exercise of a protective function
b. must be carried out without the consent of the data subject so as not to prejudice the exercise of that function
c. is necessary for reasons of substantial public interest.
Given that the work of the Commission is directly related to pursuit of the first licensing objective (as per section 1(a) of the Gambling Act 2005), this MoU recognises that the Commission may choose to share information with the FR, provided it is satisfied that it is (a) necessary to, or (b) incidental and conducive to, the proper and effective exercise of its statutory functions.
Relevant sections of the Commission's Privacy Statement
The following sections of the Commission’s Privacy Statement include statements which are also considered relevant to this MoU:
What personal data do we collect, for what purpose and what is the basis for doing so?
We collect and process special categories of personal data based on one or more of the legal bases set out above and where one of the separate conditions for processing applies, the most likely being: processing is necessary for reasons of substantial public interest, on the basis of UK law and is proportionate to the aim pursued, or processing is necessary for the establishment, exercise or defence of legal claims.
As a regulatory body, most of the personal data that we collect and process is data relating to our regulatory functions and responsibilities. Therefore, for the most part (and for the reasons set out below), when we are processing data it will be on the basis that it is necessary for the performance of a task carried out in the public interest and or in exercising our statutory functions.
We will also be acting as a prosecutor in relation to certain gambling offences, and processing data for this purpose.
Who we share your personal data with
Your data may be shared with bodies where it is necessary to do so and where we are legally required or permitted to do so. This may include third party payment processors, relevant public authorities, gambling operators, sports governing bodies, other regulators and law enforcement agencies (including overseas).
Sharing data is primarily for the purpose of performing our regulatory functions, but it may also be necessary to share information for other reasons, such as the prevention and detection of crime.
Our systems are UK based. The prospect of international transfer of data will only generally arise in circumstances where we need to send information to our international gambling regulatory counterparts, sports governing bodies based overseas or to officials overseas in connection with regulatory or criminal investigations or processes.
Where a request for information is received by either party under data protection laws or Freedom of Information Act (opens in new tab) (FOIA), the recipient of the request will seek the views of the other party as described in the FOIA section 45 Code of Practice, where the information being sought under the request includes information obtained from, or shared by, the other party. However, the decision to disclose or withhold the information (and therefore any liability arising out of that decision) remains with the party in receipt of the request as Data Controller in respect of that data.
Method of exchange
Appropriate security measures shall be agreed to protect information transfers in accordance with the sensitivity of the information and any classification that is applied by the sender.
Confidentiality and data breach reporting
Where confidential material is shared between the parties it will be marked with the appropriate security classification.
Where one party has received information from the other, it will consult with the other party before passing the information to a third party or using the information in an enforcement proceeding or court case.
Where confidential material obtained from, or shared by, the originating party is wrongfully disclosed by the party holding the information, this party will bring this to the attention of the originating party without delay. This is in addition to obligations to report a personal data breach under the UK GDPR and or DPA where personal data is contained in the information disclosed.
Duration and review of the MoU
The parties will monitor the operation of this MoU and will review it triennially.
Any minor changes to this MoU identified between reviews may be agreed in writing between the parties.
Any issues arising in relation to this MoU will be notified to the key contact for each organisation as listed in the following section.
The parties have both identified a key person who is responsible for managing this MoU:
- Fundraising Regulator – Head of Policy, and Head of Casework
- The Gambling Commission – Executive Director of Research and Policy
Those individuals will maintain an open dialogue between each other in order to ensure that the MoU remains effective and fit for purpose. They will also seek to identify any difficulties in the working relationship, and proactively seek to minimise the same.