Hospitality Law | Office Skills | Spreadsheets | Survey | About me | Contact

Home Page
Hospitality Law Index

Data Protection and our Guests

As hoteliers we constantly maintain information about our guests. These vary from guest profiles, that include personal information we require at check in (some of which we are required to keep in accordance with local legislation), as well as information on our guests' credit worthiness. Some hotels, mostly luxury or traditional hotels, also maintain guest history files (not necessarily on computers) that include a clients' special requests as well as details on a clients' consumption characteristics (eg. whether he prefers spirits to beers etc, whether a guest uses minibar facilities or not).

With the advent of Information Technology it is now possible for the hotelier to maintain a guest history file without much effort for an indefinite period of time. There is great potential in using this data, and not in just in anticipating our guest's needs the second time round. In future (perhaps already) this data will allow the hotelier to apply yield management techniques to decide whether to accept a booking from repeat guest Mr X or Mr & Mrs Y based not only on the yield of their respective room rate but also on potential for further spending (extra revenue) at one's establishment.

To what extent is it possible to maintain information about one's clients?

First and foremost data used for marketing statistics is normally exempt from both legal and ethical consideration. Knowing, for instance, that 45% of the businessman staying in our hotel opt to watch an adult movie at least once throughout their stay does not reveal anything about individual business persons visiting our establishment. This statistic cannot be traced to individual persons. The very day we sell our database of "adult movie watchers" to an adult channel, we have effectively breached the informational privacy we owe to our guests - both ethically and (in most countries) legally.

What do we mean by "privacy"?

Privacy is not easy to define. The most common definition equates privacy to a right rather than a concept. "Privacy is the right to be left alone" (Warren and Brandeis), and therefore is immediately personal and depends on one's wishes. Privacy is subjective and also may also be related to culture. An example of this is our attitude to "identity cards". The Maltese have come to accept this means of identification, but a measure to introduce this means of identification in the United Kingdom, for instance, would be seen as an attempt to breach the individual's privacy.

Informational Privacy is about respecting a person's right to informational self-determination. This fundamental right means that a person has a right to decide whether or not another person (which can be an individual or body) can keep records on him/her. This right to privacy is also protected by the European Convention of Human Rights, to which Malta is a signatory. Article 8 clearly states that:

Everyone has the right to respect for his private and family life, his home and his personal correspondence.

What is our situation vis a vis the Law?

One must here refer to the relevant European directives in this regard. We do not have Data Protection Legislation in Malta as yet, but when enacted this is more than likely to be in reaction to Directive 95/46 of the European Commission. What are the features of this Directive?

First and foremost it determines that a controller (such as the hotelier) may only process and hold information on individuals as long as the processing falls within at least one of seven criteria, amongst which are situations where the processing is

(i) 'necessary for the performance of a contract' (such is the letting of a room) or where it is
(ii) necessary in the 'legitimate interests' of the controller. In other circumstances it is the data subject (in our case the guest) who must give his unambiguous consent for the processing of such data.

What rights does the data subject (our guest) have?

A data subject must be given certain information about any processing of his personal data, either at the time of collection (Article 10), or if the data is not provided by the subject, at a subsequent point (Article 11). The data subject also has a right of access to data (Article 12) as well as a right to object to certain categories of processing (Article 14). A general right not to be subject to decisions 'based solely on automated processing of data' (Article 15) is also in the Directive.

Data Protection has brought with it the establishment of national supervisory authorities who oversee the processing of data within their own territories. The data controller is required to register his intention to process personal data with the authority in his territory. At a time when data can cross borders without difficulty (the Internet has made information readily accessible worldwide), national territory obligations are easily circumvented, and it is easy for a controller to transfer data to countries which do not have an adequate level of protection (such as Malta). The Directive aims at introducing controls in this regard. This effectively means that a hotel chain with a hotel in Paris cannot, without authorisation, relay personal data to Head Office in London without first referring the matter to a supervisory authority.

One hopes nonetheless that this Directive, when put into effect in local legislation does not stifle the data controller to the extent that is unfeasible to even hold automated data in one's computer system.

More importantly, rather than protecting individuals from unscrupulous companies, governments should seek to control us from the misuse of data by government itself! Nonetheless, the hotelier would do well in considering the implications of processing personal data of his guests.