Data Governance
1.35 Data governance shall be in place to address data processing integrity and protection of sensitive data.
1.36 Sensitive data, including player information and data relevant to determining game outcomes, shall be secured and protected from unauthorized access or use at all times.
Requirements – At a minimum:
- The gaming system shall ensure that data is appropriately backed up in a manner that allows it to be completely and accurately restored.
- Data backups shall be stored off-site in a secure location and in accordance with applicable policies and laws.
1.37 Player information shall be securely protected and its usage controlled by OLG.
Requirements – At a minimum:
- Data collection and protection requirements for player personal information shall meet those set out in the Freedom of Information and Protection of Privacy Act.
- Player information shall only be used for OLG’s business unless there is prior approval from OLG.
1.38 Removed January 2022
1.39 Communication of sensitive game data shall be protected for integrity.
1.40 Procedures shall be established and documented for IT operations and incident management, including managing, monitoring, and responding to security and processing integrity events.
Requirements – At a minimum:
- Proactive monitoring and detection of errors in the gaming system and related components shall be in place. Action shall be immediately taken to correct incidents of non-compliance with the Standards and Requirements or control activities.
- There shall be time synchronization of the gaming system environment and related components.
- Event data shall be retained to provide chronological information and logs to enable the reconstruction, review and examination of the time sequences of processing.
1.41 Gaming applications on all portable devices shall be appropriately secured.
Guidance: This Standard is not intended to capture players using their own portable devices such as their smartphones, but rather employees or players using portable devices to access the Operator’s gaming system.
1.42 Operators and gaming-related suppliers shall only contract with reputable suppliers.
1.43 Service levels for management of suppliers shall be established.
Requirements – At a minimum:
- Service levels must be documented and enforceable.
- Corrective action is taken to address non-compliance with established service levels.
1.44 Operators and gaming-related suppliers shall provide the Registrar with a list of suppliers that provide them with goods or services in relation to lottery schemes and shall ensure that this list is kept up to date.