Registration and data protection

Disclaimer:  Whilst every effort has been made to ensure the accuracy of the information contained in the Pink Book of Legislation, we regret that we cannot be responsible for any errors. This guide is not intended to be a definitive statement of the law in England. If you require precise or detailed information on the legislation mentioned in this guide, or on the legal implications for you in particular, you should consult a professional legal adviser.

Key facts

  • All serviced and self-catering accommodation premises must keep a record of all guests over the age of 16. The record should include their full name and nationality.
  • You must keep each guest's details for at least 12 months.
  • If you hold any personal information on guests or any other individuals, including employees (other than on odd scraps of paper), the Data Protection Act applies.
  • The General Data Protection Regulation (GDPR) applies from 25 May 2018, replacing the Data Protection Act 1998 (DPA).

 

Do I need to keep a register of my guests?

Yes: all serviced and self-catering accommodation premises must keep a record of all guests over the age of 16 (Immigration (Hotel Records) Order 1972 (as amended)).

  • Note: The 1972 Order above is considered to be obsolete and is being considered for repeal as part of the Government’s Red Tape Challenge. However, while it is still on the books, it remains a legal requirement.

 

What do I need to record?

To comply with the Immigration (Hotel Records) Order 1972 you need to collect the following information from guests on their arrival:

  • full name
  • nationality.

 

  • Note: you are not legally required to take a guest's home address or contact number.

 

For guests who are not British, Irish or Commonwealth citizens you must also record:

  • passport number and place of issue (or other document which shows their identity and nationality)
  • details of their next destination (including the address, if known) on or before departure.

 

  • Note: diplomats, their family and staff do not have to register.

 

What about the format of the register?

There is no set format for the register. It could be a visitors’ book or an exercise book, but you must keep each guest's details for at least 12 months and have the register available for inspection by a police officer or duly authorised person at all times.

It may be, of course, that you are given the necessary details at the time of booking, but you should check them when the guests arrive and make sure that you have all the information you are required to collect. Even if your local police have traditionally shown no interest in these records, circumstances could change.

 

Data protection

The holding and use of personal information of individuals is currently regulated by the Data Protection Act 1998 (DPA). As the provisions in the Act are extensive, you should read the paragraphs below to see if they apply to you.

  • Note: the paragraphs in this section focus on personal data held on guests, as this is perhaps the most relevant situation for smaller accommodation businesses. However, the Act does apply equally to personal data held on other individuals, including employees, although the specific provisions vary. For further information, contact the Information Commissioner's Office.

 

  • Note: the Government will be introducing the EU's General Data Protection Regulation (GDPR) in the UK from 25 May 2018, the implementation of which will be unaffected by the UK's exit from the EU. 

 

What is the purpose of the Act?

The purpose of the Act is to protect the privacy of individuals (data subjects) by preventing the misuse or unauthorised use of personal information (personal data) that is held by others (data controllers). The Act achieves this by:

  • regulating the use of personal data held by data controllers, and
  • giving rights to data subjects.

 

Does this Act apply to me?

Yes: if you hold any personal information on guests or any other individuals (including employees, but not organisations) on a computer, any automated system or in a manual filing system (including index cards, files or visitors books, but not odd scraps of paper), even if it is just names and contact details, then the Act applies to you. For the purposes of the Act you are a 'data controller'.

 

I think the Act applies to me. What must I do?

The three basic requirements are set out below. Please note that even if you are exempt from (a), you still need to comply with (b) and (c).

(a) Notify the Information Commissioner

No: if you hold personal data on a manual filing system only, you do not need to notify.

Yes: if you hold personal data on a computer (or any other automated system), you must notify the Information Commissioner unless you fall within one of the exemptions below.

Exemptions: you do not need to notify if you are only holding personal data for one or more of the following core business purposes:

  • advertising, marketing and public relations provided that:
    • you hold only the data necessary, on the people necessary, for you to do your own advertising
    • you do not disclose the information to any third party not involved with your advertising without the consent of the person whose data it is
    • you only keep the personal information for as long as it is necessary to do the advertising
  • staff administration (subject to similar conditions as advertising)
  • accounts and financial records (subject to similar conditions as advertising).

 

How do I notify?

You notify the Commissioner using a standard form provided by the Information Commissioner's Office (see Further guidance below). The notification may also be done online. The details you need to provide include:

  • your name and address, or your business's name and address
  • a description of the purposes for which the data is being held, e.g. consultancy and advisory services
  • a description of the data subjects on whom data is being held, e.g. customers and clients
  • a description of the type of data being held, e.g. personal details
  • a description of any person or organisation to whom you might disclose the data, e.g. employees

 

There is an annual fee of £35.

The Information Commissioner's Office (ICO) has a helpful online data protection self assessment toolkit, which enables you to assess your compliance with the Data Protection Act and find out what you need to do in order to comply.

 

(b) Follow the data protection principles

All data controllers, whether their records are computerised, automated or manual and whether they have to notify or not, must comply with the eight data protection principles set out in the Act. In brief, personal data should be:

  • obtained and processed fairly and lawfully, and should not be held or used unless the data subject has given their consent, or it is necessary in performance of a contract to which the data subject is a party, or it is necessary for any other reason specified in the Act (see the 'Direct marketing' section)
  • obtained only for specified and lawful purposes
  • adequate, relevant and not excessive in relation to the purposes for which they are being held or used
  • accurate and, where necessary, kept up to date
  • kept no longer than necessary for the purposes concerned
  • processed in accordance with the rights of data subjects (see (c) below)
  • subject to appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss or destruction
  • not transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

 

Consent

Normally if you are going to hold information on a guest for any purpose other than handling the booking, such as later marketing, you need to obtain consent.

The Act does not specify what form this consent has to be in, it may be an informal, spoken 'yes', but you should give guests enough information for them to make an informed decision (e.g., what personal information you intend to hold and why).

Guests can give their consent on booking, when they check in or when they check out. You should keep all consents on record.

You may want to produce a simple form that can be used either over the telephone, on emails or in writing, which:

  • explains to guests the personal information on them that you want to hold and why
  • asks guests for their consent
  • has a space to record whether or not consent was given.

 

If you intend to keep 'sensitive personal information', you must have the guest's explicit consent to hold and use their personal data for the purposes specified. Sensitive personal information includes the following:

  • race, ethnic origins
  • religion
  • political opinions
  • physical or mental health (e.g. disability)
  • sexual orientation
  • criminal convictions or allegations.

 

(c) Complying with the rights of data subjects

All data controllers must comply with the rights given to individuals by the Act in relation to the personal information held on them. The Act gives eight distinct rights, of which the most applicable are as follows:

  • Right of access: individuals have a right to know what information on them you are holding and why you are holding it, although you are allowed to charge up to £10 to provide the person with this information. If you receive a written request from an individual for this information (with any relevant fee), you must respond within 40 days stating:
    • whether you hold any personal data on them
    • what the data is, the reason you are holding it and those to whom it has/may be disclosed, along with an intelligible copy of the information and details of the manner in which it was collected.
  • Right to prevent processing for the purposes of direct marketing: if you receive a written request from an individual to cease using the personal data you hold on them for direct marketing, you must do so.
  • Right to prevent processing likely to cause damage or distress: if you receive a written request from an individual to cease using the personal data you hold on them, because it is causing or likely to cause substantial damage or distress to them or another, you must do so.
  • Right to compensation: any individual who suffers damage or distress as a result of a contravention of the Act by you is entitled to seek compensation from you if you did not take reasonable care to comply.

 

  • Note: You have the right to require reasonable proof of identity from a person asking to exercise these rights. You should be satisfied that the person asking is the person concerned, but you must not use excessive identity checking as a way to deliberately make access to the data difficult.

Caution! If you are buying in any mailing lists, you should ensure that the provider has the consent of the individuals listed to pass on the individual's details to third parties.

The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) applies from 25 May 2018, replacing the Data Protection Act 1998 (DPA).

Generally, the requirements of the GDPR are much the same as the requirements of the DPA. This means that if you are complying with the DPA at the moment, then you probably do not need to change your current system of collecting, handling and storing customer data. You will need to concentrate on the additional requirements and modify your system accordingly.

The main changes are:

1. The Right to be Forgotten

This is the main change. A customer can, at any time, request that you remove all their personal data from your system. If the customer has previously agreed that you could provide their data to a third party, you must also stop doing this if you receive a Right to be Forgotten request. However, it is important to note that a Right to be Forgotten request does not override requirements to hold information under other legislation. For example, tax law requires you to keep financial records for several years (HMRC generally expects at least six), so a customer cannot require you to delete the records of financial transactions within that period. Likewise, the guest register described above must still be kept for 12 months under the Immigration (Hotel Records) Order 1972 regardless of any erasure request. What you should do in such cases is restrict the retained data to the record-keeping purpose and stop using it for anything else (such as marketing).

2. Improving Consent and Withdrawal of Consent

The conditions for consent have been strengthened so that you must be clear and upfront with customers about what exactly they are consenting to when they sign up. This is to stop companies hiding the details in their terms and conditions. So, if you are planning to pass their information on to a third party and to email them a newsletter, you must tell them in simple and clear language next to the box they are ticking. Pre-ticked boxes and silence do not count as consent.

Importantly, it must be as easy for customers to withdraw consent as it is to give consent.​ So if you have a simple tick-box online where customers give consent, then there should also be a simple tick-box online to withdraw consent.

3. Right to Access

The GDPR also expands the rights of customers to access the information that you hold on them. This has two parts. First, on request from the customer, you are required to inform them whether personal data concerning them is being processed, where and for what purpose. Second, if requested, you must provide a copy of all the personal data you hold on the person, electronically and free of charge, normally within one month of the request. This includes any notes you have made on the person's file, so if you have added comments such as "likes the Sunday Times", "owns a Spaniel called Arthur" or "never leaves a tip", you also need to provide this information. As under the DPA, you may ask for reasonable proof of identity before releasing the data, but not as a way of obstructing the request.

4. Notification of Data Breaches

The GDPR will require you to notify the Information Commissioner's Office within 72 hours of first becoming aware of a breach where that breach is likely to "result in a risk to the rights and freedoms of individuals". Where the breach is likely to result in a high risk to those individuals (for example, the loss of card details or passport numbers), you must also notify the affected customers "without undue delay". You must keep a record of every personal data breach, including the facts, its effects and what you did about it, even where you decide that it does not need to be reported.

Although May 2018 is still some time away, it is worth thinking about the impact of these changes on your business now to schedule any amendments that you need to make into your website maintenance and company policy manual update programmes.

The Information Commissioner's Office (ICO) has produced several resources to help businesses prepare for the move to GDPR:

  • small business toolkit to help you check your compliance

  • A guide to the 12 steps to take ahead of the change

  • A support helpline aimed at people running small businesses or charities, designed to provide additional, personal advice. As well as advice on preparing for the GDPR, callers can also ask questions about current data protection rules and other legislation regulated by the ICO including electronic marketing and Freedom of Information. People from small organisations should dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support.

Data security and credit cards

The Data Protection Act 1998 says that ‘appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’

If you never receive a customer's card number (i.e. you use a third party to handle the whole transaction, such as a hosted payment page) you probably have little to worry about other than ensuring that the third party is a reputable, PCI DSS compliant organisation with a good knowledge of data security issues (e.g. PayPal or Worldpay). Note that if card details reach you in any form, for example read out over the telephone or typed into your own website before being passed on, you are handling card data and the standards below apply.

If you do receive customers' card data, you should follow the standards of the Payment Card Industry Security Standards Council. This Council is a global consortium of all the main card payment companies, including Mastercard and Visa. Its function is to set standards of data security so as to make it harder for criminals to steal data. These standards are quite demanding, but compliance is mandatory for retailers who accept card payments. The requirements of the Payment Card Industry Data Security Standard (PCI DSS) are contractual (imposed through your agreement with your acquiring bank) rather than the law of the land but, if you follow them, you will go a long way towards meeting the legal requirement for "appropriate technical and organisational measures".

If you do handle card data you need to be sure that you know and follow those rules that are applicable to your circumstances. There are twelve requirements, some of which are of limited relevance to small businesses:

  • Install and maintain a firewall. Your computer operating system probably has this built in, e.g. Windows Firewall.
  • Do not use default passwords. If your password is “password”, change it. Passwords should not be obvious.
  • Protect stored cardholder data. The safest option is not to store full card numbers at all once a payment has been taken, and you must never store the three- or four-digit security code (CVV/CVC) after authorisation. If you do have to keep card data, do not leave it on a laptop that you then travel with, due to the risk of losing it. Keep it secure at all times.
  • Encrypt transmission of cardholder data across open, public networks. Never use ordinary e-mail to send credit card information, and make sure any web page that collects card details is served over HTTPS.
  • Use and regularly update anti-virus software. This really is essential for everyone – set it to update automatically if you can.
  • Develop and maintain secure systems and applications. Likely to apply only to larger businesses developing their own systems.
  • Restrict access to cardholder data on a need-to-know basis. Ensure card data is not available to all your visitors, staff etc.
  • Assign a unique ID to each person with computer access. Do not share identities or passwords or run a database of past clients shared between several people with the same login.
  • Restrict physical access to cardholder data. Don’t leave a print-out of data in an unlocked location (or a file of manual card data records).
  • Track and monitor all access to network resources and cardholder data. This is relevant to businesses with larger systems, but all businesses should record who has access to card data.
  • Test security systems and processes regularly. At the least, check that your security measures are being adhered to.
  • Maintain a policy that addresses information security. For small businesses the key point is that you give this topic some serious thought, rather than writing a formal policy.

 

For small accommodation providers, the above list can be summarised as making sure that access to card data, both on paper and electronically, is very well controlled, restricted to people who really need it, and that any computer on which you store it has proper defences such as a firewall and anti-virus software.

Although not a legal requirement, your acquirer may also require you to complete a PCI DSS Self-Assessment Questionnaire (SAQ) in order to validate your compliance with the standard. Which SAQ applies depends on how you take payments; the fewer ways in which card data touches your own systems, the shorter the questionnaire.

 

Further guidance