Introduction
We are undertaking a research project which aims to evaluate an approach to communicating spending behaviour to consumers, specifically regarding their gambling behaviour. Bank transaction data will be used to allow for personalised communications to be generated for you. This privacy notice sets out how we collect and use your personal data if you are a participant in this research project.
Our research is being conducted in collaboration with Cint UK Limited and Yaspa Limited.
In addition to our project, Yaspa Limited is carrying out its own research project which is using financial data to explore gambling spend and identify patterns of users who may need additional support. Their privacy notice can be found here.
Contact details
Behavioural Insights Ltd (the Behavioural Insights Team (BIT)) is the data controller and is responsible for your personal data collected in connection with this project. This means that we will be responsible for keeping your information safe and only using it for the purposes set out in this notice.
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights in relation to your personal data, please contact the DPO and provide enough information to identify yourself (e.g. your name and address):
Email: [email protected]
Post: 58 Victoria Embankment London UK EC4Y 0DS
If you are unhappy about how we use your personal data or have a complaint, you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please do contact us in the first instance.
What personal data will we collect?
All of the data we collect will be on a pseudonymised basis as set out below. This means that while we know the personal data relates to an individual, we do not know who this individual is.
We will collect directly from you the following personal data:
- Survey responses;
- A unique ID generated to match your survey responses to your bank transaction data for the purpose of showing you your bank transaction data; and
- Problem Gambling Severity Index (PGSI) score: The PGSI is a nine-question survey designed to measure gambling behaviour. Each response is scored on a scale, and the total score determines the PGSI result. Based on this score, respondents are classified into different categories reflecting their level of harm from gambling.
In addition, the following personal data will be shared with us by Cint UK Limited:
- Ethnicity;
- Aggregate location information: the region of Great Britain you live in (e.g. North East, Scotland, East of England, etc.); and
- A hashed version of your IP address: A hashed IP address is an IP address that has been changed into a string of characters. This process transforms the IP address into an unreadable format that cannot be easily traced back to the original IP address, helping to protect user privacy.
In addition, the following personal data will be shared with us by Yaspa:
- Aggregate bank transaction data: This refers to financial data from different financial accounts being combined and shared anonymously. An example could be a summary of your spend at a specific company over a 4-week time frame. No personal data is shared, only the transactions.
What do we do with information we collect and what is our legal basis for this?
The purpose for which we are processing your personal data is to provide personalised information relevant to you within the project. This will include personalised summaries of spending behaviour using your bank transaction data.
Legal basis
Data protection law requires us to have a specific legal basis for processing your personal data. For this project, our lawful basis will be:
For the data we collect as part of BIT’s research project:
- Legitimate business interest: We have a legitimate business interest in delivering a meaningful randomised controlled trial (RCT). The research project fulfils our organisation’s aims including undertaking innovative research, evaluation and information activities that will deliver social impact.
As part of this project we will be processing special categories of personal data including the PGSI scores. As well as the legal basis referred to above, data protection law requires us to have an additional condition for processing this type of personal data. Our additional condition for this project is:
- Research purposes: we will process your special category personal data on the basis that such processing is necessary for scientific research purposes or statistical purposes. When we rely on this basis, we ensure that necessary safeguards are in place, including minimising our use of personal data, pseudonymising that data where possible, and ensuring the research does not cause substantial damage or distress, and is not used in order to take specific decisions or measures impacting you.
Who has access to your information?
Your information will be accessed by a limited number of researchers and advisors in our project team working on this project.
We may share your personal data with the following organisations that we are collaborating with as part of this project:
- Yaspa Limited – we will share with Yaspa the following:
  - Your unique ID for the purposes of matching your survey responses with your bank transaction data; and
  - Your PGSI score and unique ID for the purposes of Yaspa’s Innovate UK-funded research, involving the use of the PGSI score to train a machine learning model, to enable Yaspa to predict the risk levels of individuals based on their bank transaction data in order to help gambling operators identify risky individuals. Please see their privacy notice for more information.
In addition, we may disclose your information to third parties in connection with the purposes of processing your personal data set out in this notice. These third parties may include:
- other companies in our group;
- regulators, law enforcement bodies and the courts, in order to comply with applicable laws and regulations, assist with regulatory enquiries, and cooperate with court-mandated processes, including the conduct of litigation;
- suppliers, research assistants and sub-contractors who may process information on our behalf e.g. cloud services to store data. These third parties are known as data processors and when we use them we have contractual terms and policies and procedures in place to ensure that your personal data is protected. This does not always mean that they will have access to information that will directly identify you as we will share anonymised or pseudonymised data only wherever possible. We remain responsible for your personal information as the controller; and
- any third party to whom we are proposing to sell or transfer some or all of our business or assets.
We may also disclose your personal information if required by law, or to protect or defend ourselves or others against illegal or harmful activities, or as part of a reorganisation or restructuring of our organisations.
International Transfers
Your personal information will not be transferred outside of the UK and the European Economic Area.
Security
We take reasonable steps to protect your personal information and follow procedures designed to minimise unauthorised access, alteration, loss or disclosure of your information.
Data Retention
General principle: We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. When it is no longer necessary to retain your personal data, it will be securely deleted.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Taking the above factors into consideration, our anticipated date of deletion for your personal data is March 2026.
In some circumstances, we will retain an anonymised dataset (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data, including rights to:
- Request access to your personal data: this enables you to receive a copy of the personal data we hold about you and to check we are lawfully processing it.
- Request correction of your personal data: this enables you to have any incomplete or inaccurate data we hold about you corrected.
- Request erasure of your personal data: this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.
- Object to processing of your personal data: for example, you can object where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
- Request restriction of processing your personal data: This enables you to ask us to suspend the processing of your personal data.
- Data portability: Where the processing takes place on the basis of your consent or contract, and is carried out by automated means, you have the right to request that we provide your personal data to you in a machine-readable format, or transmit it to a third party data controller, where technically feasible.
- Right to withdraw consent to the processing of your personal data: This applies where we have relied on consent to process personal data. Please note that withdrawal of consent will not affect the lawfulness of any processing carried out before withdrawing your consent.
If you wish to exercise any of the rights set out above, please send your specific request to the Data Protection Officer using the contact details provided in section 2 (Contact details).
It is important to understand that the extent to which these rights apply to research will vary and that in some circumstances your rights may be restricted. Please also note that we can only comply with a request to exercise your rights during the period for which we hold personal information that identifies you. If personal data has been irreversibly anonymised and has become part of the research data set, it will not be possible for us to comply.
Changes to this Notice
We may change this Privacy Notice from time to time. If we make any significant changes in the way we treat your personal information, we will contact you directly.