Remote gaming operators must process their players’ personal data before accepting them as registered players on their website, as well as throughout the operator-player relationship and beyond. As such, operators must abide by nine basic principles of personal data processing.
According to the first principle, personal data must be fairly and lawfully processed. To fairly obtain data, the player must be made aware of the following information which should be included in the Terms and Conditions on the operators’ website: (a) the identity of the operator; (b) the purpose of collecting the data; (c) the persons to whom the data may be disclosed; and (d) any other information which is necessary for the processing to be fair. Processing personal data for the purposes of providing remote gaming services is lawful, provided the provisions of the Lotteries and Other Games Act, the Remote Gaming Regulations, and the Data Protection Act, are complied with.
Pursuant to the second principle, personal data must be processed in accordance with good practice. Operators should, therefore, process players’ personal data in accordance with industry best practices for information management, such as those published by the International Standards Organisation (ISO) and the Organisation for Economic Co-operation and Development (OECD), amongst others, as well as the guidelines of the Lotteries and Gaming Authority (“LGA”).
The third principle requires that the data is collected only for specific, explicitly stated and legitimate purposes, which means that the player must know the precise purpose for which his/her personal data is being processed. The description may be wide (e.g. “The Operator will only process your personal data for the purposes for which it collected it, namely to provide you with an online gaming service”), but it should not be ambiguous (e.g. “as may be required”).
Following on from the previous requirement, the fourth principle lays down that personal data is not processed for any purpose that is incompatible with that for which the information is collected. In other words, the processing must be in line with the disclosed purpose, and use for any other purpose without the players’ consent is prohibited.
According to the fifth principle, personal data that is processed must be adequate and relevant in relation to the purposes of the processing. In practice, this means that an operator should ensure that it holds personal data about a player that is sufficient for the purposes for which it is being held. For example, in order to comply with KYC and other fraud management procedures, it is adequate and relevant for an operator to process the following information in relation to each player: name, address, age, telephone, e-mail address and payment details.
Under the sixth principle, no more personal data is processed than is necessary having regard to the purposes of the processing. Operators should, therefore, identify the minimum amount of personal data needed to provide a remote gaming service, and should hold that much information, but no more. This is known as “data minimisation”.
The seventh principle states that personal data that is processed must be correct and, if necessary, up to date. In order to satisfy this requirement, operators should: take reasonable steps to ensure the accuracy of players’ personal data; ensure that the source of any personal data is clear; carefully consider any challenges to the accuracy of information; and consider whether it is necessary to update such information.
The eighth principle requires personal data to be completed, corrected, blocked or erased to the extent that such data is incomplete or incorrect, having regard to the purposes for which they are processed. This principle obliges operators to take all reasonable measures to rectify and block any data that is not complete or correct. The player has the right to acquire access to his/her own personal data and/or the right to correct and/or erase wrong and/or inappropriate data.
The ninth and final principle of personal data processing requires that data is not kept for a period longer than is necessary, having regard to the purposes of the processing. Once an individual is no longer registered as a player on the operators’ website, then that individual’s data is no longer required for the purpose for which it was originally collected. However, in order to comply with anti-money laundering best practices, player data should be kept for a period of five years following the closure of the player account.