Registration and data protection
Disclaimer: Whilst every effort has been made to ensure the accuracy of the information contained in the Pink Book of Legislation, we regret that we cannot be responsible for any errors. Read our full disclaimer.
- If you hold any personal information on customers or any other individuals, including employees, the Data Protection Act applies.
- Unless you have an exemption, you are required to pay an Annual Data Protection Fee to the Information Commissioner’s Office (ICO).
- The General Data Protection Regulation (GDPR) came into force on 25th May 2018 and enhanced consumer rights, including the ability to access the information you hold.
- All serviced and self-catering accommodation premises must keep a record of all guests over the age of 16. The record should include their full name and nationality. You must keep each guest's details for at least 12 months.
- Surveillance equipment can only be used if there is a legitimate reason to do so. Customers should be made aware that they are being monitored, who is undertaking the activity and the purpose for which that information is to be used.
The holding and use of personal information about individuals is regulated by the Data Protection Act 2018 (DPA), which sits alongside the General Data Protection Regulation (GDPR, retained in UK law after Brexit as the UK GDPR). As the provisions are extensive, you should read the paragraphs below to see if they apply to you.
Note: the paragraphs in this section focus on personal data held on customers, as this is perhaps the most relevant situation for smaller tourism businesses. However, the legislation applies equally to personal data held on other individuals, including employees, although the specific provisions vary. For further information, contact the Information Commissioner's Office.
What is the purpose of the DPA?
The purpose of the Act is to protect the privacy of individuals (data subjects) by preventing the misuse or unauthorised use of personal information (personal data) that is held by others (data controllers). The Act achieves this by:
- regulating the use of personal data held by data controllers, and
- giving rights to data subjects.
Does this Act apply to me?
The Act applies to the ‘processing of personal data’, for any business purpose, regardless of the size of the business. This includes personal data on either employees or customers.
What is 'personal data'?
Personal data is any information that relates to an identifiable individual. It can range from their name, phone number or email address through to more personal information such as their sexual orientation or whether they are disabled. It is important to note that personal information also includes images, including CCTV recordings. As a general rule, if it is possible to identify an individual, directly or indirectly (for example, by combining what you hold with other information you can reasonably obtain), from the information you process, then that information is personal data.
What is 'processing'?
Processing covers almost anything you do with personal data, from collecting, storing, organising, viewing and using it through to disclosing and deleting it.
What is a 'controller'?
A controller is the person or organisation that decides how and why to collect and use the data. Employees are deemed to be acting on behalf of the employer, meaning that, as the business operator, you are the controller even if you do not actually process the data yourself.
Data Protection Principles
Controllers are required to follow strict rules called ‘data protection principles’. You must make sure that all data is:
- used fairly, lawfully and transparently
- used only for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
I think the Act applies to me. What must I do?
The three basic requirements are set out below. Please note that even if you are exempt from (a), you still need to comply with (b) and (c).
(a) Pay an Annual Data Protection Fee
No: if you only hold personal data on a manual filing system, you do not need to pay this fee.
Yes: if you hold personal data on a computer (or any other automated system), you must pay this fee. However, you are exempt if you only hold personal data for the following purposes:
- staff administration (including payroll)
- accounts and records (i.e. details of past or present customers or suppliers)
- your own advertising, marketing and public relations, provided the information is restricted to what is necessary for that purpose and the activity is not carried out for you by a third party
- not-for-profit purposes
- maintaining a public register.
It is important to note that if you use CCTV on your premises for crime prevention purposes (i.e. security reasons), none of the exemptions above applies and you must pay the Annual Data Protection Fee.
Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data need to pay a data protection fee to the ICO. The annual fee is £40 if you have a turnover of less than £632,000 or fewer than 10 staff, £60 for businesses with a turnover of up to £36m or up to 250 staff, and £2,900 for larger organisations. (Check the ICO website for the current amounts, as the fees are periodically revised.)
Charities, regardless of their size, are only required to pay an annual fee of £40.
The Information Commissioner's Office has an online assessment tool for determining whether you have to pay the Annual Data Protection Fee.
(b) Follow the data protection principles
All data controllers, whether their records are computerised, automated or manual and whether they have to pay the fee or not, must comply with the data protection principles. In more detail, personal data should be:
- obtained and processed fairly and lawfully, and should not be held or used unless the data subject has given their consent, or it is necessary in performance of a contract to which the data subject is a party, or it is necessary for any other reason specified in the Act (see the Direct marketing section)
- obtained only for specified and lawful purposes
- adequate, relevant and not excessive in relation to the purposes for which they are being held or used
- accurate and, where necessary, kept up to date
- kept no longer than necessary for the purposes concerned
- processed in accordance with the rights of data subjects (see (c) below)
- subject to appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss or destruction
- not transferred outside the UK unless the destination country is covered by UK adequacy regulations (the EU/EEA countries are) or other appropriate safeguards, such as standard contractual clauses, are in place (see Transferring personal data to and from the EU/EEA below).
If you are going to hold information on a customer for any purpose other than handling their current booking or purchase (e.g. you would like to send them marketing material in future), the safest course is to obtain their consent. Note that marketing by email or text to existing customers is also governed by the separate Privacy and Electronic Communications Regulations (PECR), including the 'soft opt-in' for your own similar products and services (see the Direct marketing section).
The Act does not specify what form this consent has to be in. It may be a spoken 'yes', but it must be a clear, affirmative action by the customer (silence, inactivity or a pre-ticked box does not count), you must be able to demonstrate that it was given, and you should give customers enough information to make an informed decision (e.g. what personal information you intend to hold and why).
Customers can give their consent at any time - on booking, on entry or check-in or when they leave. You should keep all consents on record in case a customer disputes that they granted permission.
You may want to produce a simple form that can be used either over the telephone, on emails or in writing, which:
- explains to customers the personal information on them that you want to hold and why
- asks customers for their consent
- has a space, such as a tick box, to record whether or not consent was given.
If you intend to keep 'sensitive personal information' (called 'special category data' under the GDPR), you must have the customer's explicit consent, or another condition permitted by the legislation, to hold and use it for the purposes specified. Special category data includes the following:
- race or ethnic origin
- political opinions, religious or philosophical beliefs, trade union membership
- physical or mental health (e.g. disability)
- genetic or biometric data used to identify someone
- sex life or sexual orientation.
Information about criminal convictions or allegations is not special category data but is subject to similar restrictions.
(c) Complying with the rights of data subjects
All data controllers must comply with the rights given to individuals by the Act in relation to the personal information held on them. The Act gives eight distinct rights, of which the most applicable are as follows:
Right of access: individuals have a right to know what information on them you are holding and why you are holding it (a Subject Access Request). The request does not have to be in writing or use any particular wording. You must respond without undue delay and at the latest within one month of receiving it (extendable by up to two further months for complex or numerous requests, provided you tell the individual within the first month), stating:
- whether you hold any personal data on them
- what the data is, the reason you are holding it and those to whom it has/may be disclosed, along with an intelligible copy of the information and details of the manner in which it was collected.
Right to prevent processing for the purposes of direct marketing: if you receive a request from an individual to cease using the personal data you hold on them for direct marketing, you must do so.
Right to object: if an individual objects to your use of their personal data on grounds relating to their particular situation (for example, because it is causing or is likely to cause them damage or distress), you must stop unless you can demonstrate compelling legitimate grounds that override their interests, or the processing is needed for legal claims.
Right to compensation: any individual who suffers damage or distress as a result of a contravention of the Act by you is entitled to seek compensation from you if you did not take reasonable care to comply.
Note: you have the right to require reasonable proof of identity from a person asking to exercise these rights. You should be satisfied that the person asking is the person concerned, but you must not use excessive identity checking as a way to deliberately make access to the data difficult.
Caution! If you are buying-in any mailing lists, you should ensure that the provider has the consent of the individuals listed to pass on the individual's details to third parties.
The Information Commissioner's Office has produced a helpful online assessment tool that you can use to determine whether you are complying with the Data Protection Act: ico.org.uk/for-organisations/business/assessment-for-small-business-owners-and-sole-traders.
The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) came into force on 25th May 2018. The main additional requirements from the GDPR are:
1. The Right to be Forgotten
A customer can, at any time, request that you remove all their personal data from your system. The right is not absolute: you must comply where, for example, the data is no longer needed for the purpose you collected it for, the customer withdraws the consent you were relying on, or the customer objects to direct marketing. If the customer has previously agreed that you could provide their data to a third party, you must also stop doing this if you receive a Right to be Forgotten request, and tell any third party you have already passed the data to. However, it is important to note that a Right to be Forgotten request does not override requirements to hold information under other legislation. For example, tax law requires you to keep financial records for several years (six years for most companies), so a customer cannot require you to delete records of financial transactions that fall within that retention period.
2. Improving Consent and Withdrawal of Consent
The conditions for consent have been strengthened so that you must be clear and upfront with customers about what exactly they are consenting to when they sign up. This is to stop companies hiding the details in their terms and conditions. So, if you are planning to pass their information on to a third party and to email them a newsletter, you must tell them in simple and clear language next to the box they are ticking, and ask for each separately rather than bundling them into one tick.
Importantly, it must be as easy for customers to withdraw consent as it is to give consent. So, if you have a simple tick-box online where customers give consent, then there should also be a simple tick-box online to withdraw consent.
3. Right to Access
The GDPR also expands the rights of customers to access the information that you hold on them. This has two parts. First, on request from the customer, you are required to tell them whether personal data concerning them is being processed, where and for what purpose. Second, if requested, you must provide a copy of all the personal data you hold on the person free of charge (in a commonly used electronic format where the request was made electronically). This includes any information you have added to the person's file, so if you have added notes such as 'likes the Sunday Times', 'owns a Spaniel called Arthur' or 'gave a donation', you also need to provide this information. You need to provide it within one month, as described under Right of access above.
4. Notification of Data Breaches
The GDPR requires you to notify the Information Commissioner's Office within 72 hours of first becoming aware of a personal data breach where that breach is likely to 'result in a risk to the rights and freedoms of individuals'. Where the breach is likely to result in a high risk to those individuals (for example, lost card details or passport numbers), you must also tell the affected customers 'without undue delay'. You must keep an internal record of every breach, including those you decide not to report, and your reasons for that decision.
The Information Commissioner's Office (ICO) has produced several resources to help businesses comply with GDPR on their website:
- a Guide to the General Data Protection Regulation (GDPR)
- a small business toolkit to help you check your compliance
- a support helpline aimed at people running small businesses or charities, designed to provide additional, personal advice. As well as advice on GDPR, callers can also ask questions about other legislation regulated by the ICO, including electronic marketing and Freedom of Information. People from small organisations should dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support.
Transferring personal data to and from the EU/EEA
If you exchange personal data with organisations in other European countries (for example, you take bookings from an EU-based tour operator), the EU-UK Trade and Cooperation Agreement contained a bridging mechanism that allowed personal data to keep flowing freely from the EU/EEA to the UK for up to six months from 1 January 2021 while new arrangements were settled. The European Commission adopted adequacy decisions for the UK on 28 June 2021, so such transfers can continue without additional safeguards; the UK, for its part, treats EU/EEA countries as adequate for transfers in the other direction.
It remains sensible to agree with EU/EEA organisations that send you personal data which alternative transfer mechanism (for example, the EU standard contractual clauses) would be used if adequacy were ever suspended or withdrawn, so that there is no interruption to the flow of bookings.
More information on this is available as part of the UK Government’s Brexit guidance for businesses.
Data security and credit cards
The Data Protection Act 2018 and the UK GDPR require that 'appropriate technical and organisational measures' be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage.
If you never receive a customer's card number (i.e. you use a third party such as PayPal or Worldpay to deal with transactions), your exposure is much reduced, but not nil. You should check that the third party is itself PCI DSS compliant (it should be able to show an Attestation of Compliance), and you should keep your own booking website secure, because the page that hands customers over to the payment provider is exactly what an attacker will alter in order to redirect card details.
If you do receive customers' card data, you should follow the standards of the Payment Card Industry Security Standards Council (PCI SSC). This Council is a global consortium of the main card payment brands, including Mastercard and Visa. Its function is to set standards of data security so as to make it harder for criminals to steal card data. These standards are quite demanding, but compliance is mandatory for retailers who accept card payments: the requirements of the Payment Card Industry Data Security Standard (PCI DSS) are contractual, imposed through your merchant agreement, rather than the law of the land, but if you follow them you will also be meeting the legal requirement for appropriate security.
If you do handle card data you need to be sure that you know and follow those rules that are applicable to your circumstances. There are twelve requirements, some of which are of limited relevance to small businesses:
- Install and maintain a firewall. Your computer operating system probably has this built in, e.g. Windows Firewall.
- Do not use vendor-supplied default passwords and settings. If your password is "password", or your router, card terminal or booking software still uses the password it was delivered with, change it. Passwords should not be obvious.
- Protect stored cardholder data. Do not leave personal data on your laptop and then travel with it, due to the risk of losing it. Keep it secure at all times.
- Encrypt internet transmission of cardholder data. Never use ordinary e-mail to send credit card information.
- Use and regularly update anti-virus software. This really is essential for everyone – set it to update automatically if you can.
- Develop and maintain secure systems and applications. Likely to apply only to larger businesses developing their own systems.
- Restrict access to cardholder data on a need-to-know basis. Ensure card data is not available to all your visitors, staff etc.
- Assign a unique ID to each person with computer access. Do not share identities or passwords or run a database of past clients shared between several people with the same login.
- Restrict physical access to cardholder data. Don’t leave a print-out of data in an unlocked location (or a file of manual card data records).
- Track and monitor all access to network resources and cardholder data. This is relevant to businesses with larger systems, but all businesses should record who has access to card data.
- Test security systems and processes regularly. At the very least, check that your security measures are being adhered to.
- Maintain a policy that addresses information security. For small businesses, a one-page written note of who may handle card data, how it is stored, who may see it and when it is destroyed is usually enough, provided you give the topic some serious thought and staff know what it says.
For small accommodation providers, the above list can be summarised as making sure that access to card data, both on paper and electronically, is very well controlled, restricted to people who really need it, and that any computer on which you store it has proper defences such as a firewall and anti-virus software.
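The most common way a small business ends up storing card data without meaning to is by writing it into booking notes, spreadsheets or emails. As an added example, not from the Pink Book or the PCI SSC, the following Python code shows the check a practitioner would run over such text: it finds runs of 13 to 19 digits, keeps only those that pass the Luhn checksum that every card number (PAN) satisfies (so that phone numbers and loyalty numbers are ignored), and masks each one to its first six and last four digits, which is the most PCI DSS permits to be displayed. The sample notes and the card numbers in them are constructed test values (the PANs are publicly known test numbers, not real cards); the function names are my own.

```python
import re

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not part of a longer run of digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a string of digits passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(run: str) -> str:
    return re.sub(r"[ -]", "", run)


def find_pans(text: str) -> list[str]:
    """Return the card numbers (digits only) found in free text."""
    pans = []
    for m in _CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six and last four, the most PCI DSS allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid card number in the text with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)       # not a card number: leave untouched
    return _CANDIDATE.sub(_sub, text)


# Constructed booking notes for the example: a UK phone number, two Luhn-valid
# test PANs (Visa and Mastercard), a 16-digit loyalty number that fails Luhn,
# and a 15-digit test Amex PAN.
SAMPLE_NOTES = (
    "Room 12 booking. Guest phoned on 020 7946 0958. "
    "Card given over phone: 4111 1111 1111 1111, exp 12/26. "
    "Second card 5555-5555-5555-4444 declined. "
    "Loyalty number 4111 1111 1111 1112 (not a card). "
    "Amex 3782 822463 10005 used for deposit."
)

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_NOTES):
        print("card number found:", mask_pan(pan))
    print(redact(SAMPLE_NOTES))
```

Run this over exported booking notes or a mailbox before they are backed up or shared; any hit means card data is being stored somewhere it should not be, and the masked form is what may be kept if a record of the card is genuinely needed. The Luhn filter is what keeps the check usable: without it, phone numbers and reference numbers produce a stream of false positives and the output stops being read.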
Although not a legal requirement, your acquirer (the bank that processes your card payments) may also require you to complete a PCI DSS Self-Assessment Questionnaire (SAQ) each year in order to validate your compliance with the standard.
Accommodation: keeping a register of your guests
Does this Act apply to me?
Yes: under the Immigration (Hotel Records) Order 1972, all serviced and self-catering accommodation premises must keep a record of all guests over the age of 16.
What do I need to record?
To comply with the Immigration (Hotel Records) Order 1972 you need to collect the following information from guests on their arrival:
- full name and nationality
- Note: you are not legally required to take a guest's home address or contact number.
For guests who are not British, Irish or Commonwealth citizens:
- passport number and place of issue (or other document which shows their identity and nationality)
- details of their next destination (including the address, if known) on or before departure
- Note: diplomats, their family and staff do not have to register.
What about the format of the register?
There is no set format for the register. It could be a visitors’ book or an exercise book, but you must keep each guest's details for at least 12 months and have the register available for inspection by a police officer or duly authorised person at all times.
It may be, of course, that you are given the necessary details at the time of booking, but you should check them when the guests arrive and make sure that you have all the information you are required to collect. Even if your local police have traditionally shown no interest in these records, circumstances could change.
Using surveillance equipment on your premises
Over recent years the cost of buying and installing surveillance systems has dropped considerably. Their use is now becoming more prevalent in small businesses that want to safeguard their property and their customers.
However, it is very important to get the right balance between justifiable reasons for surveillance and a customer’s right to privacy.
There are two main Acts that cover the use of CCTV and other surveillance equipment: the Protection of Freedoms Act and the Data Protection Act. The first covers when and where it is justifiable to use CCTV equipment and the second covers the treatment of the data that is gained from its use.
Protection of Freedoms Act
The starting point of the Protection of Freedoms Act is that people have a fundamental right to privacy and this can only be encroached upon if there is a legitimate reason to do so. It is not acceptable to install surveillance equipment simply because you 'want to keep an eye on what is going on'.
You must also only use surveillance equipment if there is no other practical way to solve the problem that does not intrude on customers' right to privacy. For example, if there had been thefts from a particular area, ways of restricting access to that area should be considered before you install surveillance equipment.
Surveillance equipment can only be used if the encroachment on people’s right to privacy is proportionate to the purpose for which the equipment is being used. However, there are no hard and fast rules as to what is proportionate because each circumstance will involve differing levels of both justification and privacy.
For example, installing CCTV cameras to protect possessions in a museum or to monitor customers’ safety in an animal park would be justifiable but it would not be justifiable to put CCTV in guest bedrooms or in changing rooms where customers would expect a very high level of privacy.
Conversely, installing a CCTV in a communal lounge would not normally be justifiable, but could become justifiable if there had been a spate of thefts in this area. However, it is important to note that in this situation the justification would end once the person committing the thefts was identified or the thefts ended.
Importantly, when you do use surveillance equipment, customers should be made aware that they are being monitored, who is undertaking the activity and the purpose for which that information is to be used. Again, the greater the extent that a customer’s privacy is being encroached, the more important it is that they are fully aware of the surveillance that is being undertaken.
Data Protection Act
Provided that the use of surveillance equipment is justified, there is then the issue of how to use, handle and store the data you collect. This comes under the Data Protection Act and the UK GDPR, in addition to the Protection of Freedoms Act.
Again, the handling and storage of this data need to be proportionate to the justification for collecting it in the first place. You must have very clear guidelines as to who has access to the monitoring equipment and the stored data. The greater the extent that you are encroaching on customers’ privacy, the greater the restrictions should be on access to the monitoring equipment and the data.
The length of time that you keep the data should also be proportionate to the justification for using the surveillance equipment. For example, if the equipment is being used to monitor a pool to ensure that there are no accidents, then there would be little justification for storing the data beyond the period that the pool was being used (i.e., it should be deleted at the end of each day as its storage is no longer warranted). However, if the equipment was being used to monitor the carpark, then it could be justifiable to keep the data for longer in case a customer returned home and later found a dent that they thought happened while at your premises.
To help businesses in their use of surveillance equipment, the Home Office has produced the following 12 point code of practice. The Code is mandatory only for 'relevant authorities' such as police forces and local councils; private businesses are encouraged to follow it voluntarily, and the ICO publishes its own guidance on video surveillance that applies to everyone processing CCTV images:
1. Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
2. The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
3. There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
4. There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
5. Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
6. No more images and information should be stored other than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
7. Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
8. Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
9. Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
10. There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
11. When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
12. Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.
For more information, see the Surveillance Camera Code of Practice on Gov.uk.
Information Commissioner’s Office (ICO)
The ICO provides extensive information on data protection, including a free toolkit for businesses to check their GDPR compliance. The ICO helpline is 0303 123 1113.
Credit card data
Information on complying with data protection for credit card data can be found on the Payment Card Industry Security Standards Council (PCI SSC) website.
Information on surveillance cameras can be found in the full surveillance Camera Code of Practice.