Privacy Policy
Introduction
The Horserace Betting Levy Board (HBLB) is committed to protecting personal data and respecting privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
HBLB is a registered Data Controller with the Information Commissioner, the United Kingdom’s (UK) regulatory authority for data protection. Users of HBLB’s systems, and individuals who have personal information stored, collected or processed by a Data Controller (in this case, HBLB) are referred to as Data Subjects.
Any questions on this document should be submitted to the Data Protection Officer at HBLB via dpo@hblb.org.uk, or on 020 7333 0043.
Protection of Personal Data
We take the security of personal data seriously and will take all reasonable steps to ensure personal data is not lost, misused or accessed inappropriately. Sensitive paper records, whenever held, will be in a secure location within the office that is accessible only by appropriate staff; access to all digital records will be restricted according to need. The organisation will aim to maintain a secure and safe data environment through use of appropriate software, hardware, operational practice and organisational policy. Use of any third parties to handle personal data will be managed in accordance with current data protection law.
The Rights of Data Subjects
Data Protection law sets out the rights of Data Subjects:
- To know how and why your personal data is processed.
- To request access to your personal data.
- To ask for rectification of any incorrect personal data.
- To ask for your personal data to be deleted.
- To ask that processing of your personal data is restricted.
- To ask for your data to be transferred.
- To object to the use of your personal data.
These rights are not always absolute and there may be situations where they are not applicable. A Data Subject who wishes to exercise their rights should contact the HBLB Data Protection Officer. If a right is not applicable, the Data Protection Officer will explain why.
In case of an unsatisfactory response, a complaint may be made to the Information Commissioner (see Complaints). Please note that a complaint may be made at any time to the Information Commissioner, regardless of whether HBLB have been contacted first.
Application of the Privacy Policy
This Privacy Policy applies to external users accessing:
- Levy System
- Racecourse System.
- Grants System.
It also applies to Data Subjects who may have personal data stored on other Digital Systems, not directly accessible externally:
- E-mail and Office Software.
- Finance System.
- Digital and Paper Archives.
- Data and System Back-up Repositories.
- Mailing / Contact List.
Categories of Personal Data
HBLB records and uses the following personal data in its function as a Data Controller:
Levy System
- Name, role, organisation.
- Contact details (email, phone, address).
- Account credentials.
- Levy returns and financial declarations.
- Payment and transaction records.
- System audit logs.
Racecourse System
- Name, role, organisation.
- Contact details.
- Account credentials.
- Attendance submissions.
- Payment-related data.
- System usage logs.
Grants System
- Identity and contact data (name, address, email, phone).
- Education, employment, qualifications and CV (curriculum vitae).
- References.
- Funding eligibility.
- Financial details (for payment of grants).
- System usage logs.
System usage logs can include the user’s IP address.
E-mail and Office Software
- Identity and contact data (name, address, email, phone).
Finance System
- Identity and contact data (name, address, email, phone).
- Financial details (for payment of grants).
- System usage logs.
Mailing/Contact List
- Name, e-mail address, category and organisation/role.
Digital and Paper Archives
- Identity and contact data (name, address, email, phone).
- Education, employment, qualifications and CV (curriculum vitae).
- References.
- Funding eligibility.
- System usage logs (where applicable).
Data and System Back-up Repositories
HBLB performs regularly back-ups of its data and systems. This data holds a copy of that referenced above, which would be used in the case of a needing to invoke system and/or data recovery.
Purposes of Processing
HBLB process data in the above systems for the following purposes:
- In administering its statutory levy obligations.
- Processing racecourse payments and attendance submissions.
- Administration of grants.
- Making supplier payments.
- Maintaining audit trails, for example, last access date / time.
- Ensure system security and fraud prevention.
Presently, HBLB does not implement automated decision making in any system, nor does it hold/request special category data (for example, ethnicity).
Lawful Bases
HBLB utilises the following lawful bases to process personal data:
- Legal obligation / public task, namely, levy collection and administration.
- Contract, for example, following an application for a Grant or other agreement entered into.
- Consent, where information is supplied for the use of a specific purpose (for example, adding to a mailing list).
Data Retention
HBLB retains personal data in accordance with its Information Management Policy.
|
Data Type |
Retention Period |
Rationale |
|---|---|---|
|
Levy & financial records |
6 – 7 years |
HMRC/accounting compliance |
|
Racecourse data |
6 – 7 years |
Financial/audit requirements |
|
Grant (successful) |
6 – 7 years post-completion |
Audit & funding accountability |
|
Grant (unsuccessful) |
12 – 24 months |
Allows for future re-submission / administration |
|
Digital and Paper Archives |
Various |
In line with lawful retention periods (for example, up to 7 years for financial records) |
The outcome(s) of research grants, for example research papers, are kept indefinitely by HBLB under the principle of storage limitation for research-related purposes. Certain past information is published on the HBLB website.
In some cases, data may be retained for longer periods for legal claims or statutory obligations.
Data Sharing
In accordance with lawful processing, HBLB may share data with:
- Government/regulatory bodies, for the provision of information as required by law.
- Auditors and legal advisers, for compliance with statutory duties.
- Payment service providers, to make or request payment(s).
International Transfers
Should data be required to be transferred outside the UK for storage and/or processing, safeguards put into place include the application of UK adequacy regulations and the use of Standard Contractual Clauses (SCCs). HBLB, wherever possible, seeks to minimise the transfer of personal data outside of the United Kingdom.
Data Security
To maintain the security of data held, HBLB implement and/or use:
- Role-based access controls to control access to data.
- Multi-factor authentication, where possible.
- Encryption (where appropriate).
- System monitoring and logging.
- Secure hosting environments.
Cookie Notice (Systems Use)
HBLB systems use cookies to enable functionality as well as for security and performance purposes.
Types of Cookies Used
|
Type |
Purpose |
Example |
|
Essential |
Authentication and session management |
Login sessions |
|
Security |
Fraud prevention |
Activity monitoring tokens |
|
Performance |
Improve system usability |
Analytics (aggregated only) |
HBLB do not employ advertising cookies, and any analytics data is anonymised where possible.
Where required, cookie consent is implemented.
Data Classification
HBLB classifies data to ensure appropriate handling. The following table provides examples of the classification of data as it applies to HBLB.
|
Classification |
Description |
Examples |
|
Public |
Non-sensitive info |
Published reports and/or items for the public domain |
|
Official |
Routine business data |
Contact details of bookmakers |
|
Confidential |
Sensitive operational data |
Financial returns / grant applications |
|
Special Category |
Highly sensitive personal data |
Equality/diversity data |
Note that HBLB holds no special category data in the aforementioned systems.
Record of Processing Activities (RoPA)
HBLB maintains an internal Record of Processing Activities (ROPA) in accordance with Article 30 UK GDPR.
The ROPA includes the following information:
- Processing purposes.
- Categories of data subjects and data.
- Lawful bases.
- Data recipients.
- Retention periods.
- Security measures.
The ROPA is maintained internally and reviewed regularly to ensure compliance and audit readiness.
Complaints
Data subjects have the right to complain if they feel their personal data is not being used. Complaints can be made directly to the Information Commissioner, as follows:
Information Commissioner’s Office (ICO):
https://ico.org.uk
Tel: 0303 123 1113