Skip to content

Privacy Policy

Introduction

The Horserace Betting Levy Board (HBLB) is committed to protecting personal data and respecting privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

HBLB is a registered Data Controller with the Information Commissioner, the United Kingdom’s (UK) regulatory authority for data protection.  Users of HBLB’s systems, and individuals who have personal information stored, collected or processed by a Data Controller (in this case, HBLB) are referred to as Data Subjects.

Any questions on this document should be submitted to the Data Protection Officer at HBLB via dpo@hblb.org.uk, or on 020 7333 0043.

Protection of Personal Data

We take the security of personal data seriously and will take all reasonable steps to ensure personal data is not lost, misused or accessed inappropriately.  Sensitive paper records, whenever held, will be in a secure location within the office that is accessible only by appropriate staff; access to all digital records will be restricted according to need.  The organisation will aim to maintain a secure and safe data environment through use of appropriate software, hardware, operational practice and organisational policy.  Use of any third parties to handle personal data will be managed in accordance with current data protection law.

The Rights of Data Subjects

Data Protection law sets out the rights of Data Subjects:

  • To know how and why your personal data is processed.
  • To request access to your personal data.
  • To ask for rectification of any incorrect personal data.
  • To ask for your personal data to be deleted.
  • To ask that processing of your personal data is restricted.
  • To ask for your data to be transferred.
  • To object to the use of your personal data.

These rights are not always absolute and there may be situations where they are not applicable.  A Data Subject who wishes to exercise their rights should contact the HBLB Data Protection Officer.  If a right is not applicable, the Data Protection Officer will explain why.

In case of an unsatisfactory response, a complaint may be made to the Information Commissioner (see Complaints).  Please note that a complaint may be made at any time to the Information Commissioner, regardless of whether HBLB have been contacted first.

Application of the Privacy Policy

This Privacy Policy applies to external users accessing:

  • Levy System
  • Racecourse System.
  • Grants System.

It also applies to Data Subjects who may have personal data stored on other Digital Systems, not directly accessible externally:

  • E-mail and Office Software.
  • Finance System.
  • Digital and Paper Archives.
  • Data and System Back-up Repositories.
  • Mailing / Contact List.

Categories of Personal Data

HBLB records and uses the following personal data in its function as a Data Controller:

Levy System

  • Name, role, organisation.
  • Contact details (email, phone, address).
  • Account credentials.
  • Levy returns and financial declarations.
  • Payment and transaction records.
  • System audit logs.

Racecourse System

  • Name, role, organisation.
  • Contact details.
  • Account credentials.
  • Attendance submissions.
  • Payment-related data.
  • System usage logs.

Grants System

  • Identity and contact data (name, address, email, phone).
  • Education, employment, qualifications and CV (curriculum vitae).
  • References.
  • Funding eligibility.
  • Financial details (for payment of grants).
  • System usage logs.

System usage logs can include the user’s IP address.

E-mail and Office Software

  • Identity and contact data (name, address, email, phone).

Finance System

  • Identity and contact data (name, address, email, phone).
  • Financial details (for payment of grants).
  • System usage logs.

Mailing/Contact List

  • Name, e-mail address, category and organisation/role.

Digital and Paper Archives

  • Identity and contact data (name, address, email, phone).
  • Education, employment, qualifications and CV (curriculum vitae).
  • References.
  • Funding eligibility.
  • System usage logs (where applicable).

Data and System Back-up Repositories

HBLB performs regularly back-ups of its data and systems.  This data holds a copy of that referenced above, which would be used in the case of a needing to invoke system and/or data recovery.

Purposes of Processing

HBLB process data in the above systems for the following purposes:

  • In administering its statutory levy obligations.
  • Processing racecourse payments and attendance submissions.
  • Administration of grants.
  • Making supplier payments.
  • Maintaining audit trails, for example, last access date / time.
  • Ensure system security and fraud prevention.

Presently, HBLB does not implement automated decision making in any system, nor does it hold/request special category data (for example, ethnicity).

Lawful Bases

HBLB utilises the following lawful bases to process personal data:

  • Legal obligation / public task, namely, levy collection and administration.
  • Contract, for example, following an application for a Grant or other agreement entered into.
  • Consent, where information is supplied for the use of a specific purpose (for example, adding to a mailing list).

Data Retention

HBLB retains personal data in accordance with its Information Management Policy.

Data Type

Retention Period

Rationale

Levy & financial records

6 – 7 years

HMRC/accounting compliance

Racecourse data

6 – 7 years

Financial/audit requirements

Grant (successful)

6 – 7 years post-completion

Audit & funding accountability

Grant (unsuccessful)

12 – 24 months

Allows for future re-submission / administration

Digital and Paper Archives

Various

In line with lawful retention periods (for example, up to 7 years for financial records)

The outcome(s) of research grants, for example research papers, are kept indefinitely by HBLB under the principle of storage limitation for research-related purposes.  Certain past information is published on the HBLB website.

In some cases, data may be retained for longer periods for legal claims or statutory obligations.

Data Sharing

In accordance with lawful processing, HBLB may share data with:

  • Government/regulatory bodies, for the provision of information as required by law.
  • Auditors and legal advisers, for compliance with statutory duties.
  • Payment service providers, to make or request payment(s).

International Transfers

Should data be required to be transferred outside the UK for storage and/or processing, safeguards put into place include the application of UK adequacy regulations and the use of Standard Contractual Clauses (SCCs).  HBLB, wherever possible, seeks to minimise the transfer of personal data outside of the United Kingdom.

Data Security

To maintain the security of data held, HBLB implement and/or use:

  • Role-based access controls to control access to data.
  • Multi-factor authentication, where possible.
  • Encryption (where appropriate).
  • System monitoring and logging.
  • Secure hosting environments.

Cookie Notice (Systems Use)

HBLB systems use cookies to enable functionality as well as for security and performance purposes.

Types of Cookies Used

Type

Purpose

Example

Essential

Authentication and session management

Login sessions

Security

Fraud prevention

Activity monitoring tokens

Performance

Improve system usability

Analytics (aggregated only)

HBLB do not employ advertising cookies, and any analytics data is anonymised where possible.

Where required, cookie consent is implemented.

Data Classification

HBLB classifies data to ensure appropriate handling.  The following table provides examples of the classification of data as it applies to HBLB.

Classification

Description

Examples

Public

Non-sensitive info

Published reports and/or items for the public domain

Official

Routine business data

Contact details of bookmakers

Confidential

Sensitive operational data

Financial returns / grant applications

Special Category

Highly sensitive personal data

Equality/diversity data

Note that HBLB holds no special category data in the aforementioned systems.

Record of Processing Activities (RoPA)

HBLB maintains an internal Record of Processing Activities (ROPA) in accordance with Article 30 UK GDPR.

The ROPA includes the following information:

  • Processing purposes.
  • Categories of data subjects and data.
  • Lawful bases.
  • Data recipients.
  • Retention periods.
  • Security measures.

The ROPA is maintained internally and reviewed regularly to ensure compliance and audit readiness.

Complaints

Data subjects have the right to complain if they feel their personal data is not being used.  Complaints can be made directly to the Information Commissioner, as follows:

Information Commissioner’s Office (ICO):
https://ico.org.uk
Tel: 0303 123 1113

 

Last Updated: 30 June 2026