Latest legislative updates

Kurt Janson, Director of the Tourism Alliance, gives a monthly update on the latest regulatory changes affecting the hospitality industry.

Last updated 7th December 2017

Disclaimer:  Whilst every effort has been made to ensure the accuracy of the information contained in the Pink Book of Legislation, we regret that we cannot be responsible for any errors. This guide is not intended to be a definitive statement of the law in England. If you require precise or detailed information on the legislation mentioned in this guide, or on the legal implications for you in particular, you should consult a professional legal adviser.

At a glance:

Changes to Primary Authority

  • Trade Associations are now able to sign Primary Authority agreements on behalf of their members, standardising regulatory requirements.

Prepare now for changes to Data Protection Regulations

  •  The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, replacing the Data Protection Act (DPA).

The end of credit and debit card charges

  • New legislation from January 2018 means you cannot charge customers for paying by credit or debit card.

Guest books and data protection

  • Does having a guest book in your property breach the Data Protection Act?

Changes to copyright licences for showing films

  • You may now need an additional licence if you play TV channels that show films in public areas.

Using surveillance equipment on your premises

  • If you have CCTV at your business, you need to comply with the Protection of Freedoms Act and the Data Protection Act.

Changes to Primary Authority

Councils interpret and enforce regulations in different ways, which can create confusion and additional work for businesses, especially those that operate multiple premises across the country. For example, if you operated a budget hotel chain you would need to ensure that the standard fire protection system you designed would comply with the requirements of every local Fire Safety Officer.

This problem led the Government to introduce the concept of Primary Authority in 2009. Primary Authority is a legal process designed to improve regulatory enforcement and a way to resolve the challenge of inconsistency in approach by different Local Authorities and enforcement bodies.

Primary Authority allows multiple-authority companies (such as a budget hotel chain) to sign a Primary Authority agreement with a chosen Local Authority, which agrees standard risk assessments and inspection plans for specific regulatory areas (e.g. fire or food safety). This agreement would then override any additional requirements by another Local Authority and provide a standard set of requirements to be followed across the country.

The Government has now expanded the scope of Primary Authority so that Trade Associations are able to sign Primary Authority agreements with Local Authorities on behalf of their members. So if you are a member of a Trade Association, they will now be able to develop and implement a Primary Authority on your behalf.

For example, the British Hospitality Association (BHA) has recently created a partnership with Cornwall Council, which is a Primary Authority for the catering sector. This means that all BHA member businesses who opt in can be assured they will be held to one consistent hygiene standard.

For more information, read the Primary Authority information page on the website.

Prepare now for changes to Data Protection Regulations

The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, replacing the Data Protection Act (DPA).

Generally, the requirements of the GDPR are much the same as the requirements of the DPA. This means that if you are complying with the DPA at the moment, then you probably do not need to change your current system of collecting, handling and storing customer data. You will need to concentrate on the additional requirements and modify your system accordingly.

The main changes are:

1. The Right to be Forgotten

This is the main change.  A customer can, at any time, request that you remove all their personal data from your system. If the customer has previously agreed that you could provide their data to a third party, you must also stop doing this if you receive a Right to be Forgotten request.  However, it is important to note that any Right to be Forgotten request does not override requirements to hold information under other legislation. For example, you are required by law to keep financial records for seven years, therefore a customer cannot request that you delete records of any financial transactions they undertook in the last seven years.

2. Improving Consent and Withdrawal of Consent

The conditions for consent have been strengthened so that you must be clear and upfront with customers about what exactly they are consenting to when they sign up. This is to stop companies hiding the details in their terms and conditions. So, if you are planning to pass their information on to a third party and to email them a newsletter, you must tell them in simple and clear language next to the box they are ticking.

Importantly, it must be as easy for customers to withdraw consent as it is to give consent. So if you have a simple tick-box online where customers give consent, then there should also be a simple tick-box online to withdraw consent.

3. Right to Access

The GDPR also expands the rights of customers to access the information that you hold on them. This has two parts – first, on request from the customer, you are required to inform them if personal data concerning them is being processed, where and for what purpose. Second, if requested, you must provide a copy of all the personal data you hold on the person electronically and free of charge. This includes any information you have made on the person’s file so if you have added notes such as, “likes the Sunday Times”, “owns a Spaniel called Arthur” or “never leaves a tip”, you also need to provide this information.

4. Notification of Data Breaches

The GDPR will require you to notify the Information Commissioner’s Office within 72 hours of first becoming aware of a breach, where that breach is likely to “result in a risk for the rights and freedoms of individuals”. For any breach, you are required to notify the customers “without undue delay” after first becoming aware of a data breach.

Although May 2018 is still some time away, it is worth thinking about the impact of these changes on your business now to schedule any amendments that you need to make into your website maintenance and company policy manual update programmes.

The end of credit and debit card charges

Following a public consultation, the Government has recently announced that it intends to introduce legislation that will ban businesses from adding payment charges for paying by credit or debit card from 13th January 2018.

This new legislation is the result of the EU Payment Services Directive II, building on the 2015 EU Directive of the same name that limited the charges to the actual costs imposed by the card company.

Following the introduction of this ‘cost-recovery only’ legislation, consumer rights organisations argued that it is very difficult for customers to know whether they are being charged the right amount and, because the charge only comes at the end of the transaction process, it is hard to compare prices from different providers. This arguably left customers feeling that they have been trapped into making the purchase which they wouldn’t have undertaken if they knew the full cost up-front.

To resolve this issue, the EU has introduced the new Directive to prevent companies making any additional charge for using credit or debit cards. The UK Government has expanded on this requirement by also making it illegal to make any additional charge where payments are made using charge cards such as American Express and electronic forms of payment such as PayPal.

In essence this means that from 13th January 2018 the price you advertise a product for has to be the price that the customer pays at the end of the booking process. It is a good idea to start looking at your website now and start making any necessary changes to ensure that your booking process is compliant in time. However, you are allowed to increase the headline cost of your product to compensate for not being able to charge the card fees if you wish.

If you are an agency, there is a small loophole in that you are still able to charge a booking fee to the customer as you are an intermediary. However, if you decide to charge a booking fee, this must be applied uniformly to all customers no matter what method of payment is used. Please note that you need to be a true accommodation agency to charge a booking fee - simply telling a customer that you are your own booking agent in order to do so would contravene the legislation.

Guest books and the Data Protection Act

As a general rule, when it comes to interpreting legislation it is better to err on the side of caution rather than to risk causing harm or be deemed to have broken the law. While the precautionary approach can be a very good way to mitigate risks, there are instances where this can unnecessarily affect your business operation.

I recently had contact with a self-catering property owner whose agent had advised them to remove their guest book from the property, on the basis that having one would contravene the Data Protection Act (DPA). The rationale for this was that other guests, visitors, contractors or staff could access the book and gain the personal data of the people who had left comments.

It is correct that a guest book does indeed contain data, so the DPA does apply. However, that in itself is not a problem.

There is only the potential for a problem under the Act if the data is “personal data”. To be personal data, the data must enable a person to identify the individual. So, if you had just first names or even if guests wrote ‘Bob and Sue Smith’ with no address, then it would be difficult to say that it is personal data. It would only potentially be problematic if guests leave information that would make them identifiable, such as an address or email. 

And even then, this would only be a problem if Bob and Sue were requested by the owner to provide this information. Now, it could be argued that having a column in the guest book called “Address” could constitute a request for information by which the guest could be identified and contacted. However, there are two issues.

The first is that “Address”, by itself, does not mean that the guest is being required to provide information by which they could be identified – i.e., the guest is perfectly able to leave that column blank or just write their country or town. There is no compulsion or requirement on them to give their full postal address.

It also has to be remembered that the purpose of the DPA is to ensure personal data is used only for the purpose for which it was supplied and to protect against unconsented access and use of personal information.

As such, because the guest is not required to write in the guest book, but does so voluntarily knowing that other guests will read it (this being the purpose of a guest book), then this could be deemed to be implied consent. Therefore it would be very hard for a guest to argue that, having put personal data in a guest book, they didn’t expect other visitors to read it.

Although this particular example demonstrates the issues with taking a very literal approach to the interpretation of legislation, business owners are advised to seek professional legal advice if they have any queries regarding how regulations affect their business.

Changes to copyright for showing films

Copyright licensing for playing music and films on TVs in hospitality businesses can be something of a minefield for small operators, with the need to get up to four different licences depending on the range of services that you provide to customers. There is the added complexity of getting the right version of each type of licence you require, which depends upon the size of your establishment and where in the establishment the copyright material is being played.

Up until now there has been an exemption for showing films via free-to-air services – e.g., if you have a TV in a lounge or bar that plays films on channels such as BBC or ITV.

However, there has been a requirement on the UK Government to remove that exemption to bring UK copyright law into line with European copyright law. As such, you now need to gain a licence through the Motion Picture Licensing Company (MPLC) to provide this service to your customers. As with PPL and PRS for audio copyright licensing, MPLC is a collection society which licenses rights on behalf of various film companies and independent producers. The fee is set by the size of the public area in the establishment which, in this case, does not include private areas such as bedrooms. A table of the charges is available on the MPLC website.

It is important to note that an MPLC licence is not required for TVs in guests’ bedrooms, or if you have a TV in a public area of your establishment that is locked onto a channel that does not play films (e.g. the BBC News channel or Sky Sports). However, you cannot just say that “we only show the news channel” - the test is that the TV is not able to be switched to film-playing channels.

Using surveillance equipment on your premises

Over recent years the cost of buying and installing surveillance systems has dropped considerably. Their use is now becoming more prevalent in small accommodation businesses who want to safeguard their property and that of their guests.

However, it is very important to get the right balance between justifiable reasons for surveillance and a guest’s right to privacy.

There are two main Acts that cover the use of CCTVs and other surveillance equipment – the Protection of Freedoms Act and the Data Protection Act. The first covers when and where it is justifiable to use CCTV equipment and the second covers the treatment of the data that is gained from its use.

Protection of Freedoms Act

The starting point of the Protection of Freedoms Act is that people have a fundamental right to privacy and this can only be encroached upon if there is a legitimate reason to do so. It is not acceptable to install surveillance equipment simply because you “want to keep an eye on what was going on”.

You must also only use surveillance equipment if there is no other practical way to solve a problem that doesn’t impact on guests’ right to privacy. For example, if there had been thefts from a particular area, ways of restricting access to that area should be considered before you install surveillance equipment.

Surveillance equipment can only be used if the encroachment on people’s right to privacy is proportionate to the purpose for which the equipment is being used. However, there are no hard and fast rules as to what is proportionate because each circumstance will involve differing levels of both justification and privacy.

For example, protecting customers’ possessions could be a justification for installing a CCTV camera in reception, where people don’t expect privacy, but it would not be justifiable in a guest’s bedroom, where they would expect a very high level of privacy.

Conversely, installing a CCTV in a communal lounge would not normally be justifiable, but could become justifiable if there had been a spate of thefts from this area. However, it is important to note that, in this situation, the justification would end once the person committing the thefts was identified or the thefts ended.

Importantly, when you do use surveillance equipment, guests should be made aware that they are being monitored, who is undertaking the activity and the purpose for which that information is to be used. Again, the greater the extent that a guest’s privacy is being encroached, the more important it is that they are fully aware of the surveillance that is being undertaken.

Data Protection Act

Provided that using the surveillance equipment is justified, there is then the issue of how you handle and store the data you collect. This comes under both the Privacy Act and the Data Protection Act.

Again, the handling and storage of this data need to be proportionate to the justification for collecting it in the first place. You must have very clear guidelines as to who has access to the monitoring equipment and the stored data. The greater the extent that you are encroaching on guests’ privacy, the greater the restrictions should be on access to the monitoring equipment and the data. 

The length of time that you keep the data should also be proportionate to the justification for using the surveillance equipment. For example, if the equipment is being used to monitor a pool to ensure that there are no accidents, then there would be little justification for storing the data beyond the period that the pool was being used (i.e., it should be deleted at the end of each day as its storage is no longer warranted). However, if the equipment was being used to monitor the guests’ car park, then it could be justifiable to keep the data for longer in case a customer returned home and later found a dent that they thought happened while at your premises.

To help businesses in their use of surveillance equipment, the Home Office has produced the following 12-point code of practice:

  • 1. Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
  • 2. The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
  • 3. There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
  • 4. There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
  • 5. Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
  • 6. No more images and information should be stored other than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
  • 7. Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
  • 8. Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
  • 9. Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
  • 10. There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
  • 11. When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
  • 12. Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

For more information, see the full Surveillance Camera Code of Practice.