Industry Guides

Data Protection for Hotels and Hospitality

Guidance for Jamaican hotels, guest houses, villas, and restaurants on handling guest data, ID at check-in, bookings, and CCTV.

Intermediate 16 min
This module is general information, not legal advice, and is being reviewed by our legal team. For your specific situation, consult the official Data Protection Act, 2020 or seek professional advice.

What you will learn

  • The guest data hospitality businesses hold
  • Handling ID and passport details at check-in
  • Working with booking platforms and processors
  • Practical steps for guests, staff, and CCTV

Overview

Hotels, guest houses, villas, and restaurants collect a steady stream of personal data: bookings, identity documents, payment details, preferences, and CCTV. With many international guests, getting this right matters for reputation as well as compliance. This guide explains how.

Why this matters

Guests hand over sensitive details, sometimes including passport or ID information, and expect them to be protected. A leak or careless handling can harm guests and your property's reputation, especially with overseas visitors who compare you to international standards.

The data you hold

  • Guests: names, contact details, identity or passport data, payment information, stay history, and preferences.
  • Bookings: data from your own site and from third-party platforms.
  • On-site: CCTV footage and, for restaurants, reservation records.
  • Staff: employment and payroll records.

Identity documents at check-in

Collecting ID at check-in is common, but collect only what you actually need, store it securely, and do not keep copies longer than necessary.

Watch out. A drawer or shared folder full of passport scans is a high-value target. Limit what you collect, protect it, and dispose of it on a schedule.

Booking platforms and processors

When you take bookings through a third-party platform, that platform usually acts as a processor, handling data on your instructions. You remain the controller for the guest data you collect and use (see Who is a Data Controller?). Make sure those relationships are backed by proper terms.

CCTV

Cameras in lobbies and common areas record personal data. Use clear signage, limit who can view footage, set a retention period, and handle requests for footage carefully. Avoid cameras in private areas such as rooms.

Common scenarios

  • International guests. Be transparent about what you collect and why, and protect it to a standard they would expect.
  • Marketing to past guests. Rely on clear consent and offer an easy opt-out.
  • A guest asks what you hold. Treat it as an access request.

Common mistakes

  • Keeping passport copies indefinitely.
  • Emailing offers to every past guest without consent.
  • CCTV without signage, retention limits, or access controls.

Best practices

  • Give guests a clear privacy notice at or before check-in.
  • Minimise and securely store identity data.
  • Confirm your booking platforms and payment providers are reputable and properly contracted.

Put this into practice

Create a guest-facing privacy notice tailored to your hotel, guest house, or restaurant.

Generate a privacy notice for your property

Frequently asked questions

Collect identity data only where you genuinely need it, keep the minimum, store it securely, and delete it when it is no longer needed. Avoid keeping copies longer than necessary.

Key takeaways

  • Hospitality businesses hold guest identity, payment, booking, and stay data.
  • ID and passport details collected at check-in need careful, limited handling.
  • Booking platforms are usually processors, but you remain the controller.
  • Clear notices, secure storage, and sensible retention cover most obligations.

Related

Ask the Privacy Assistant

Beta