With this document you can:

Print the full document
Save the page as a HTML document to your device
Save the page as a PDF file
Bookmark it - it will always be the latest version of this document

This box is not visible in the printed version.

Records Management Policy

The Gambling Commission's Records Management Policy.

Published: 20 March 2025

Last updated: 20 March 2025

This version was printed or saved on: 23 May 2025

Online version: https://www.gamblingcommission.gov.uk/policy/records-management-policy

Introduction

1.1. This policy sets out the Gambling Commission’s approach to managing records. The Commission is committed to the efficient management of records for the effective delivery of services, to document principal activities and decisions, and to maintain the corporate memory.

1.2. A record is defined as information created, received or maintained as evidence and information by an organisation, in pursuance of legal obligations or in the transaction of business.

1.3. The Commission acknowledges that the records it creates, receives, and uses while carrying out its functions are vital not just to its activities but also to providing accountability and maintaining public confidence in its operations.

1.4. Records management is a key part of the Commission’s functions and is a shared responsibility. Robust records management underpins all of the Commission’s activities and supports the delivery of its objectives.

1.5. The benefits of good records management are:

protecting our business-critical records and improving business resilience
ensuring our information can be found and retrieved quickly and efficiently
complying with legal and regulatory requirements
reducing risk for litigation, audit and government investigations
minimising storage requirements and reducing costs.

1.6. The principles outlined in this policy have been developed to give a consistent approach to managing records throughout their lifecycle regardless of their format.

1.7. This policy is required to ensure compliance with the Public Records Act 1958, the Data Protection Act 2018, the Freedom of Information Act 2000, the Freedom of Information Act Section 46 Code of Practice, and ISO 15489 Information and documentation – Records management.

1.8. This policy supports the strategic objective of improving gambling regulation, by facilitating efficient and effective use of information.

Policy statement

2.1. All records must be given a clear and unique title in accordance with the Gambling Commission’s agreed naming conventions.

2.2. All records must be saved in the most suitable format and given the appropriate data sensitivity classification.

2.3. All records must be stored in a suitable and appropriate location, in line with the relevant procedures and guidance.

2.4. Records must be retained for the designated period of time specified in the Records Retention Schedule. Retention labels must be applied electronically where possible.

2.5. Records which are selected for permanent preservation and transfer to the National Archives must be safeguarded until they can be transferred.

Legislative framework

3.1. The Gambling Commission is obliged to meet the legal requirements for the retention and disposal of records in accordance with relevant legislation, particularly:

Gambling Act 2005
National Lottery etc. Act 1993
Public Records Act 1958
Freedom of Information Act 2000
Data Protection Act 2018
UK General Data Protection Regulation
Lord Chancellor’s Code of Practice on the Management of Records under Section 46 of the Freedom of Information Act 2000.

Scope

4.1. This policy applies to all employees and appointees of the Gambling Commission, including temporary or fixed-term staff and contractors.

4.2. The policy applies to all records held by the Commission at every stage of the information lifecycle: creation, use, storage, and disposal. It applies to both paper and electronic records, and includes written, audio and video format.

4.3. A record is defined by its content and its context, not by its format. Emails, and any other form of electronic correspondence used by the Commission, which are produced or received in the conduct of business will be considered to be part of the corporate record.

Roles and responsibilities

5.1. Everyone is responsible for:

reading and following the relevant policies and guidance
completing available training
keeping accurate and appropriate records of work activities and actions taken
managing information in line with the applicable policies
retaining information securely for as long as needed, as defined in the Records Retention Schedule
flagging any concerns around the management of information.

5.2. Project managers are responsible for:

putting in place appropriate procedures for the management of project information
making arrangements for suitable actions to be taken at the project conclusion.

5.3. Line managers are responsible for:

ensuring their direct reports are aware of, and follow, all relevant policies and guidance
ensuring their direct reports complete available training
making sure appropriate processes for managing information are in place and followed in their teams
reviewing their team’s information management processes as necessary
making sure access controls are appropriate and up-to-date, especially for starters, movers, and leavers.

5.4. Information Asset Owners (IAOs) are responsible for:

ensuring that their information assets are managed appropriately
ensuring adequate access controls to their information assets for appropriate users
arranging transfer of responsibility for information assets to a new IAO if responsibility for the relevant function changes, e.g. restructure or the IAO changing role
updating the Information Management team if any changes need to be made to the Information Asset Register (IAR)
reviewing records that are due for disposal and approving or extending as required, and documenting these decisions for audit purposes.

5.5. Cheif Executive Officer (CEO) and Executive team are responsible for:

ensuring their business areas follow the policies and implement appropriate processes
putting in place suitable corporate plans and strategies to facilitate robust information management practices
providing executive level support to the Information Management function as needed.

5.6. Data Protection Officer, Records Manager and Information Management team are responsible for:

leading on Information Management practices across the Commission
creating and updating appropriate policies to govern the proper management of information through its lifecycle of creation, use, storage and disposition
providing guidance, advice, support and training to all staff to enable them to adhere to the relevant policies
creating and maintaining the corporate Information Asset Register and Records Retention Schedule
managing the identification and transfer of relevant records to the National Archives
monitoring and reporting on records management within the Commission to facilitate effective oversight and scrutiny.

5.7. Senior Information Risk Owner (SIRO) is responsible for:

implementation and maintenance of security standards across the organisation
ensuring correct procedures and delegations are in place to respond to security incidents
ensuring system upgrades and maintenance do not result in an adverse impact on retention requirements
ensuring records management and retention should be identified and agreed by programmes and projects prior to design, development and or implementation of a new process or system.

The Senior Information Risk Owner is the Chief Technology Officer.

5.8. Commissioners are responsible for oversight and scrutiny of records management processes ensuring that effective processes are in place as a key corporate control.

Monitoring and compliance

6.1. Compliance with this policy is mandatory.

6.2. Compliance will be monitored by team managers, Information Asset Owners and audit activities with oversight by the Executive Team, Information Management team, Data Protection Officer, Senior Information Risk Owner (SIRO) and CEO.

6.3. Individual business areas are expected to review their processes and ensure that these are documented, fit for purpose, and reviewed and updated regularly.

6.4. Guidance is provided by the Information Management team to aid the implementation of this policy.

6.5. Performance indicators and reports will cover the work of the Information Management team as well as compliance levels for individual business areas.

Policy review

7.1. To be reviewed every 2 years.

7.2. Next review due January 2026.

7.3. The Gambling Commission’s Policy Retirement Process will be followed when this policy is no longer required, has been superseded or has been integrated into another policy.

Policy exception

8.1. There are no circumstances where there should be exceptions to this policy.

Associated policies

This policy should be read in conjunction with the following Gambling Commission policies:

Records Retention Schedule
Information Security Policy
Data Protection Policy
Freedom of Information Policy
Acceptable Use Policy
Information Classification Policy
Remote Working Policy
Business Continuity Policy.

Version history

10.1. The version history record is detailed in the following table.

Version history record

Version history record
Version	Author or reviewed by	Date	Description of change
1.0	Records Manager	5 January 2024	Creation of new policy.
1.1	Head of Information Compliance Records Manager	7 March 2025	Added Senior Information Risk Officer (SIRO) role and responsibilities.