Data Protection Management Policy
London Hotel Group Data Protection & Management Policy
This policy is to ensure compliance by London Hotel Group (the “business”) with the requirements of data protection legislation, the General Data Protection Regulation and the Office of the Information Commissioner (ICO).
This policy relates to the gathering and retention by the business of “personal data” defined as information relating to an identified or identifiable individual or natural person. It is designed to be fully compliant with current legislation, regulations and official guidance.
We aim to process personal data lawfully, fairly and in a transparent manner and only for the purpose of providing services to our customers/clients in accordance with the standards we set and for the maintenance of the business.
The business maintains that the gathering of all personal data is necessary for the effective and efficient discharge of providing its services in contract, compliance with the law and its legitimate interests but, wherever possible, will alert personal data subjects of the data that is gathered and seek their specific consent as well as informing them of their rights.
The business recognises  that personal data cannot be held or processed unless there is a legitimate reason for it and/or the data subject has consented  if a data subject so requests then personal data can no longer be processed and  the obligation to keep the individual informed about what the business is doing with their personal data.
All personal data is retained within the UK and European Union.
Nature of data that is kept
When a booking is made through Online Travel Agents (OTA) or wholesalers or third parties (such as Booking.com) the individual personal data of the customer are held by the respective agency and this information is accessed through secure passwords by London Hotel Group via the extranet or from the PMS (property management system software) that has a direct integration with the online channels. The only persons having access to such data are authorised staff with system log-in credentials (reception/ reservations/ managers). When a booking is made in person at Reception either by telephone or being physically present personal data is gathered by the receptionist and will also be accessed by the accounts department in order to ensure that proper payment is made. Those persons referred for accommodation by the local authority will have been identified by the local authority to LHG through their name and contact number: on arrival at LHG their name, contact number and signature will be retained together with the referral letter from the local authority as a manual record.
The personal data of customers/clients consists of the following:
 full name and address including country of the person making the reservation
 date of birth, nationality and passport details
 bank/credit/debit card details through which payment for services will be paid
 previous reservations/engagement with the business
 CCTV/video footage of the customer/client for identification purposes.
This data is held on the hard drive of the relevant PC/server (see Safeguarding Data below) and the gathering of such personal data is necessary for the business to provide accommodation and other services to those customers/clients who contract for them.
Employee, worker and independent contractor information
The personal data of employees, workers and independent contractors consists of the following:
 full name, address and nationality
 date of birth, nationality, passport details and immigration status including the right to work in the UK
 bank account details through which remuneration will be paid
 name and address of the person(s) providing the reference for the employee/contractor.
The gathering of such personal data is necessary for the business to provide employment and to engage other services in the discharge of its functions in a lawful manner.
The application forms and curricula vitae as well as notes of interviews with job applicants contain individual personal data which will be destroyed within 6 months of the application/date of interview unless specific consent has been given by the applicant for its retention with a view to offering any subsequent post.
Invoices and other correspondence with suppliers of goods, materials and services to the business will be stored during the currency of transactions with suppliers and for six years thereafter.
The personal data of suppliers consists of the following:
 name, email address, business address, telephone number(s) of person representing the supplier to the business
 where necessary the private mobile telephone number(s) and address(es).
The gathering of such personal data is necessary for the business to obtain goods and services appurtentant to its function of providing services those customers/clients who contract for them.
During the course of the business, managers and others associated with the business may gather personal data as set out on business cards from potential suppliers/other interested parties. This data will be retained securely until such time as further contact has been made with the data subject(s) or the prospect of any further engagement has ceased.
The gathering of such personal data is necessary for the business to grow and develop its functions and other services to those customers/clients who contract for them.
Personal data is accessed only on a need-to-know basis.
Personal data in manual form is stored in locked filing cabinets to which only those with authorised access to the data have keys which, in turn, are kept in rooms locked when not in use, such keys held only by those who have access to such rooms. There is a policy of clearing desks of all sensitive material locked away before a workstation is vacated.
Personal data in electronic form is stored on personal computers and servers accessed through password security only by those with authorised access to the data. There is a policy to avoid possibility of screens being overlooked. Encryption is used wherever practicable.
Those working in the business will be trained to be vigilant about security of personal data (eg keeping files in locked cabinets, not leaving sensitive data unattended/overnight on desks for public view, access to rooms where data stored, not leaving memory sticks containing data or electronic equipment unattended when switched on and without password protection in force etc).
Responsibility for Data Protection in London Hotels Group: Management of Data
The business does not have a Data Protection Officer. Those who supervise the gathering and processing of data are the Managers in each hotel, senior management and those engaged in Human Resources and will be regarded as Data Controllers.
These are staff or third parties who, on behalf of the business, enter, change and access data eg receptionists taking details of staying customers, payroll staff. The contracts of employment with both Data Controllers and Data Processors make the safe storage and processing of data a fundamental term of those contracts rendering a breach liable to dismissal; the disciplinary procedure itemises loss of data as potentially gross misconduct. All contracts specify that retention of personal data by the employee post-employment is prohibited.
IT Security Policy
As part of the IT policy there are provisions for the regular change of password and secure notification, firewalls, protection software and updating.
There is a duty on the business to report to the ICO certain breaches of safeguarding data without undue delay and, where, feasible, within 72 hours of awareness. If the breach is high risk then the data subjects affected must also be notified without undue delay. Any breaches, whether notified or not, must be recorded in the Log. Such breaches may be access to data by an unauthorised third party eg a contractor on site reading data material not stored away or having access to rooms in which data is stored otherwise unprotected (eg in unlocked cabinets), sending data to the wrong recipient, loss of electronic devices on which data is stored or unshredded data information being discarded.
All decisions relating to breaches of data security will be taken by Data Controllers assisted by Human Resources.
Data Subject Access Request Procedure
If such a request or oral/written correspondence which may be regarded as such a request from a data subject asking for details of the personal data stored or for it to be removed is received by any person acting on behalf of the business then such a request must be  acknowledged by the person receiving it orally/in writing without giving any details of personal data held and  passed immediately to the relevant manager (Data Controller) for processing. Data Controllers must be aware that  there is now no longer any requirement of payment of a fee of £10 for such a request and  a response must be given within one month of receipt. On receipt of the request the Data Controller must ascertain the identity of the person making the request (which may increase the time required to make a response) so that there is confirmation that it has come from a data subject to whom/which the personal data relates. A standard template response will be available to all Data Controllers who will decide if the request is reasonable and whether there are any reasons to refuse it, such as if the effort involved is disproportionate. Data Controllers should check with Human Resources to ensure that they are acting correctly.
Data Retention Policy & destruction of data
General principle: data will be kept for as long as but no longer than the efficient management of the business requires. In most cases this will be no longer than six years (limitation period for a cause of action). Manual records (eg registration cards) will normally be retained for only 3 months. Individual personal data will be destroyed on receipt of a reasonable request by the data subject to do so.
Destruction of individual data will be noted in the Data Protection Log with the date on which and manner in which it is destroyed and the signature of the Data Controller who has authorised it. Electronic data will be removed from all servers and backup and paper data relating to identifiable individuals will be shredded.
Training Programme & Log
There will be a training programme of staff, workers and independent contractors to familiarise them with the need for data protection, the nature of data held by the business (eg what is personal data and what is not) and who has access to it, the safe retention of data, who processes it and how to identify and react to a request for its destruction. The training programme will take account of turnover of those involved in the business and the need to ensure that all receive current information on any changes in data protection.
A log of all training and those in attendance will be kept in the Training Programme & Log.
The Log will also record  the date on which any request for destruction of data is received, identifying the data subject and the means of communication as well as action taken and  any breaches of data security.
Notification of this policy
This policy is part of the Employee Handbook given to all new members of staff and will be given to workers and independent contractors on their commencement of engagement with the business. The requirement to comply with the policy will be a contractual obligation.
The policy will be available for inspection by any customers/clients of the business and will be posted on the business’ website. Privacy notices will be prominently displayed at all hotel receptions and attention will be drawn to the policy and notices in written correspondence with customers/clients.
These are published for customers/clients/guests and placed on the separate hotels’ websites as well as being prominently displayed at reception desks in the hotels; attention will be drawn to them in correspondence and forms completed by them. Privacy notices are also provided to each employee, worker and independent contractor informing them of their rights.