Latest legislative updates
Kurt Janson, Director of the Tourism Alliance, gives a monthly update on the latest regulatory changes affecting the hospitality industry.
Last updated 7th December 2017
Disclaimer: Whilst every effort has been made to ensure the accuracy of the information contained in the Pink Book of Legislation, we regret that we cannot be responsible for any errors. This guide is not intended to be a definitive statement of the law in England. If you require precise or detailed information on the legislation mentioned in this guide, or on the legal implications for you in particular, you should consult a professional legal adviser.
At a glance:
Changes to Primary Authority
- Trade Associations are now able to sign Primary Authority agreements on behalf of their members, standardising regulatory requirements.
Prepare now for changes to Data Protection Regulations
- The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, replacing the Data Protection Act (DPA).
The end of credit and debit card charges
- New legislation from January 2018 means you cannot charge customers for paying by credit or debit card.
Guest books and data protection
- Does having a guest book in your property breach the Data Protection Act?
Changes to copyright licences for showing films
- You may now need an additional licence if you play TV channels that show films in public areas.
Using surveillance equipment on your premises
- If you have CCTV at your business, you need to comply with the Protection of Freedoms Act and the Data Protection Act.
Changes to Primary Authority
Councils interpret and enforce regulations in different ways, which can create confusion and additional work for businesses, especially those that operate multiple premises across the country. For example, if you operated a budget hotel chain you would need to ensure that the standard fire protection system you designed would comply with the requirements of every local Fire Safety Officer.
This problem led the Government to introduce the concept of Primary Authority in 2009. Primary Authority is a legal process designed to improve regulatory enforcement and a way to resolve the challenge of inconsistency in approach by different Local Authorities and enforcement bodies.
Primary Authority allows multiple-authority companies (such as a budget hotel chain) to sign a Primary Authority agreement with a chosen Local Authority, which agrees standard risk assessments and inspection plans for specific regulatory areas (e.g. fire or food safety). This agreement would then override any additional requirements by another Local Authority and provide a standard set of requirements to be followed across the country.
The Government has now expanded the scope of Primary Authority so that Trade Associations are able to sign Primary Authority agreements with Local Authorities on behalf of their members. So if you are a member of a Trade Association, they will now be able to develop and implement a Primary Authority on your behalf.
For example, the British Hospitality Association (BHA) has recently created a partnership with Cornwall Council, which is a Primary Authority for the catering sector. This means that all BHA member businesses who opt in can be assured they will be held to one consistent hygiene standard.
For more information, read the Primary Authority information page on the Gov.uk website.
Prepare now for changes to Data Protection Regulations
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, replacing the Data Protection Act (DPA).
Generally, the requirements of the GDPR are much the same as the requirements of the DPA. This means that if you are complying with the DPA at the moment, then you probably do not need to change your current system of collecting, handling and storing customer data. You will need to concentrate on the additional requirements and modify your system accordingly.
The main changes are:
1. The Right to be Forgotten
This is the main change. A customer can, at any time, request that you remove all their personal data from your system. If the customer has previously agreed that you could provide their data to a third party, you must also stop doing this if you receive a Right to be Forgotten request. However, it is important to note that any Right to be Forgotten request does not override requirements to hold information under other legislation. For example, you are required by law to keep financial records for seven years, therefore a customer cannot request that you delete records of any financial transactions they undertook in the last seven years.
2. Improving Consent and Withdrawal of Consent
The conditions for consent have been strengthened so that you must be clear and upfront with customers about what exactly they are consenting to when they sign up. This is to stop companies hiding the details in their terms and conditions. So, if you are planning to pass their information on to a third party and to email them a newsletter, you must tell them in simple and clear language next to the box they are ticking.
Importantly, it must be as easy for customers to withdraw consent as it is to give consent. So if you have a simple tick-box online where customers give consent, then there should also be a simple tick-box online to withdraw consent.
3. Right to Access
The GDPR also expands the rights of customers to access the information that you hold on them. This has two parts – first, on request from the customer, you are required to inform them if personal data concerning them is being processed, where and for what purpose. Second, if requested, you must provide a copy of all the personal data you hold on the person electronically and free of charge. This includes any information you have added to the person’s file, so if you have added notes such as “likes the Sunday Times”, “owns a Spaniel called Arthur” or “never leaves a tip”, you also need to provide this information.
4. Notification of Data Breaches
The GDPR will require you to notify the Information Commissioner’s Office within 72 hours of first becoming aware of a breach, where that breach is likely to “result in a risk for the rights and freedoms of individuals”. For any breach, you are required to notify the customers “without undue delay” after first becoming aware of a data breach.
Although May 2018 is still some time away, it is worth thinking about the impact of these changes on your business now to schedule any amendments that you need to make into your website maintenance and company policy manual update programmes.
The end of credit and debit card charges
Following a public consultation, the Government has recently announced that it intends to introduce legislation that will ban businesses from adding payment charges for paying by credit or debit card from 13th January 2018.
This new legislation is the result of the EU Payment Services Directive II, building on the 2015 EU Directive of the same name that limited the charges to the actual costs imposed by the card company.
Following the introduction of this ‘cost-recovery only’ legislation, consumer rights organisations argued that it is very difficult for customers to know whether they are being charged the right amount and, because the charge only comes at the end of the transaction process, it is hard to compare prices from different providers. This arguably left customers feeling that they had been trapped into making a purchase which they wouldn’t have undertaken if they had known the full cost up-front.
To resolve this issue, the EU has introduced the new Directive to prevent companies making any additional charge for using credit or debit cards. The UK Government has expanded on this requirement by also making it illegal to make any additional charge where payments are made using charge cards such as American Express and electronic forms of payment such as PayPal.
In essence, this means that from 13th January 2018 the price you advertise a product for has to be the price that the customer pays at the end of the booking process. It is a good idea to start looking at your website now and start making any necessary changes to ensure that your booking process is compliant in time. However, you are allowed to increase the headline cost of your product to compensate for not being able to charge the card fees if you wish.
If you are an agency, there is a small loophole in that you are still able to charge a booking fee to the customer as you are an intermediary. However, if you decide to charge a booking fee, this must be applied uniformly to all customers no matter what method of payment is used. Please note that you need to be a true accommodation agency to charge a booking fee - simply telling a customer that you are your own booking agent in order to do so would contravene the legislation.
Guest books and the Data Protection Act
As a general rule, when it comes to interpreting legislation it is better to err on the side of caution rather than to risk causing harm or be deemed to have broken the law. While the precautionary approach can be a very good way to mitigate risks, there are instances where this can unnecessarily affect your business operation.
I recently had contact with a self-catering property owner whose agent had advised them to remove their guest book from the property, on the basis that having one would contravene the Data Protection Act (DPA). The rationale for this was that other guests, visitors, contractors or staff could access the book and gain the personal data of the people who had left comments.
It is correct that a guest book does indeed contain data, so the DPA does apply. However, that in itself is not a problem.
There is only the potential for a problem under the Act if the data is “personal data”. To be personal data, the data must enable a person to identify the individual. So, if you had just first names or even if guests wrote ‘Bob and Sue Smith’ with no address, then it would be difficult to say that it is personal data. It would only potentially be problematic if guests leave information that would make them identifiable, such as an address or email.
And even then, this would only be a problem if Bob and Sue were requested by the owner to provide this information. Now, it could be argued that having a column in the guest book called “Address” could constitute a request for information by which the guest could be identified and contacted. However, there are two issues.
The first is that “Address”, by itself, does not mean that the guest is being required to provide information by which they could be identified – i.e., the guest is perfectly able to leave that column blank or just write their country or town. There is no compulsion or requirement on them to give their full postal address.
It also has to be remembered that the purpose of the DPA is to ensure personal data is used only for the purpose for which it was supplied and to protect against unconsented access and use of personal information.
As such, because the guest is not required to write in the guest book, but does so voluntarily knowing that other guests will read it (this being the purpose of a guest book), then this could be deemed to be implied consent. Therefore it would be very hard for a guest to argue that, having put personal data in a guest book, they didn’t expect other visitors to read it.
Although this particular example demonstrates the issues with taking a very literal approach to the interpretation of legislation, business owners are advised to seek professional legal advice if they have any queries regarding how regulations affect their business.
Changes to copyright for showing films
Copyright licensing for playing music and films on TVs in hospitality businesses can be something of a minefield for small operators, with the need to get up to four different licences depending on the range of services that you provide to customers. There is the added complexity of getting the right version of each type of licence you require, which depends upon the size of your establishment and where in the establishment the copyright material is being played.
Up until now there has been an exemption for showing films via free-to-air services – e.g., if you have a TV in a lounge or bar that plays films on channels such as BBC or ITV.
However, there has been a requirement on the UK Government to remove that exemption to bring UK copyright law into line with European copyright law. As such, you now need to gain a licence through the Motion Picture Licensing Company (MPLC) to provide this service to your customers. As with PPL and PRS for audio copyright licensing, MPLC is a collection society which licenses rights on behalf of various film companies and independent producers. The fee is set by the size of the public area in the establishment which, in this case, does not include private areas such as bedrooms. A table of the charges is available on the MPLC website.
It is important to note that an MPLC licence is not required for TVs in guests’ bedrooms, or if you have a TV in a public area of your establishment that is locked onto a channel that does not play films (e.g. the BBC News channel or Sky Sports). However, you cannot just say that “we only show the news channel” - the test is that the TV is not able to be switched to film-playing channels.