People are the lifeblood of the hotel industry – from guests to employees, the hotel business relies heavily on its relationships with people. This inevitably involves hotels obtaining and dealing with personal data.
While personal data is a powerful marketing tool and key to a hotel’s relationship with its employees and guests, hotels must carefully manage how they deal with the personal information they collect and maintain to ensure compliance with the Data Protection Act 1998 and related legislation and codes of conduct (the “DPA”). Hotels should also be sensitive to their guests’ and employees’ expectations that their data will be kept confidential and secure.
Records of personal information are kept in many forms, from credit card receipts to guests’ home addresses to CCTV footage; any such information is protected in the UK by the DPA if it identifies a living individual, either on its own or in combination with other data.
Recent reports of businesses not disposing of personal data securely, together with the rise in identity theft, highlight how sensitive this issue has become, and how a hotel’s reputation (and consequently its brand) can be negatively affected if it does not carefully manage and protect the personal data that it holds.
This article deals with the process from obtaining personal data to disposing of it, with tips on how to maximise the use of the personal data obtained while ensuring that it is handled in accordance with the DPA.
Who is responsible for DPA compliance – owner or manager?
Under the DPA a data controller is the party that, on its own or together with others, determines the purpose and manner in which personal data is ‘processed’ (e.g. obtained, held, used or disposed of). The data controller is responsible for compliance with the DPA.
In many circumstances the owner and/or manager of a hotel will be a ‘data controller’ under the DPA, depending on their relationship to the data: for example, who owns the guest lists, whether the employees are employed by the manager or the owner, who has access to and control of the data, and who determines the purpose(s) for which it is used.
Where a hotel owner is a data controller and uses a management company to act on its behalf, the owner remains responsible for compliance with the DPA. The owner must choose a company it is confident will obtain the data properly and keep the data secure. Importantly, the owner must also have a written contract in place with the manager, as its data processor, to ensure that the manager:
- only acts under the hotel owner’s instructions when it processes the data; and
- keeps the information secure.
The same will apply where the owner or management company employs a third party to process personal data, including for disposal of the data. The Information Commissioner may issue fines, and there may also be civil and criminal liabilities for failure to comply with the DPA.
Obtaining Personal Data
Guest data may be obtained either directly by a hotel or indirectly via an affiliate or booking agency. Under the fair processing principle of the DPA, a data controller must ensure that, at the time the data is first collected, the individual has consented to their personal data being processed in the manner described, or that the processing falls under one of the other relevant exemptions or conditions for processing.
Consent may be obtained when the guest first provides their data to make a reservation or, provided that no processing the guest has not approved has yet begun, on the guest’s arrival at the hotel.
Guest registration cards and online tick boxes are an ideal way of both actively obtaining consent to processing and finding out more about a guest in order to personalise the service provided. Guests’ preferences for smoking or non-smoking rooms, favourite newspaper, feather or foam pillows, or high or low floors are information that most individuals will freely provide if they feel it will give them a more personalised service.
Continued Processing of Personal Data
Such tailored personal data is also valuable to hotels: it can be used to improve and personalise services and, crucially, for marketing purposes.
Hotels must ensure that the appropriate consents for the type of marketing envisioned have been obtained – particularly where there will be email marketing or where data will be transferred outside the EEA. For example, if the information is to be held by a parent company or processed by a third party for marketing purposes, all of this should be explained to the guest when obtaining their consent to processing. Some countries outside the EEA are approved countries to which data may be transferred; a list of these can be found on the European Commission’s website at www.europa.eu.int.
A data controller must also take measures to prevent unauthorised processing, accidental loss, destruction or damage to personal data it holds. When considering security, hotel owners and managers should take into account the type of information held, the harm that might result from the misuse of that information, the procedures used and the technology available to secure the information.
Proper Disposal of Personal Data
In addition to being personal data, some information, like credit card slips, may also be confidential information. In this instance the hotel will have duties of confidentiality to a guest, and unauthorised disclosure (even if inadvertent) could amount to a breach of confidence, potentially a breach of the DPA, and negligence if the hotel had a duty of care to its guests. In addition to legal obligations, there are also reputation issues relating to the disposal of personal data: guests will be concerned that their confidential information does not fall into the hands of fraudsters, and may take action against the hotel for any distress or damage suffered.
Where a conventional waste or recycling company is used, the data controller should have contractual provisions in place to ensure that confidential information, like personal data or credit card slips, is shredded and disposed of in opaque sacks that do not draw attention to the contents. Personal data can also be held in electronic form, so care must be taken when disposing of IT equipment and computer disks. Where possible, a designated individual should be responsible for safe disposal, and information should not be left unsecured or accessible to the public.
This article first appeared in the March edition of Hotel Report.