An extract from The International Hotel Law Review, 1st Edition

Data and hotel tech

i Overview of data protection

In recent years, data protection has become one of the most widely discussed topics among businesses in Singapore. Individuals are becoming increasingly aware of their data privacy rights, and the Personal Data Protection Commission (PDPC), which is the Singapore data protection regulator, has taken a relatively strict approach in monitoring and regulating personal data breaches. For example, the PDPC handed out a combined financial penalty of S$1 million to the Singapore public healthcare provider and its technology vendor for a serious breach involving the personal data of about 1.5 million patients, which is the largest financial penalty imposed by the PDPC to date.

With increasing digitisation (e.g., replacing legacy IT infrastructure with cloud solutions) and greater adoption of technology (e.g., 'smart rooms' and automated self-check-in) in the hotel sector, it is crucial that industry players place a stronger focus on their data protection practices and policies to ensure the security of personal data in their possession.

ii Data protection in the hospitality sector

The overarching data protection legislation in Singapore is the Personal Data Protection Act 2012 (PDPA). Under the PDPA, organisations are generally required to notify individuals of the purposes of, and obtain their consent before, collecting, using or disclosing their personal data in Singapore. In a hotel franchise model where the responsibility for collecting personal data or databases may be shared between the franchisor and franchisee, providing proper notice and obtaining consent might become tricky. For example, a franchisor may be in breach of the PDPA if it uses any personal data that was improperly collected by the franchisee (e.g., without notice and consent). Therefore, such data-sharing arrangements should be carefully considered by the parties beforehand and reflected in the relevant franchise agreements and policies accordingly.

Branding is a vital asset to hotel franchises, and any publicised data breach incidents or negative data handling practices would likely result in damage to a franchise's brand reputation. Therefore, it is important that hotel franchises put in place appropriate safeguards to ensure data security. Such safeguards should include both technical and organisational measures, such as implementing proper employee policies and training. Apart from ensuring data security, it is equally important for an organisation to ensure that it handles any data breach incidents carefully and promptly, as not doing so might similarly result in a public relations nightmare for the franchise. Therefore, hotel franchises should ensure that they have put in place a proper data breach incident response plan and that their employees are properly trained in handling such data incidents.

The large-scale global operations of major hotel chains would also inevitably entail a heavy flow of international transfers of personal data between intra-group entities. This creates additional challenges for hotel businesses, as they would be required to ensure that such international transfers do not violate the data transfer or localisation requirements of the jurisdictions involved, especially where such requirements are overlapping or conflicting. Overcoming such legal restrictions would require properly analysing the data transfers to be made and ensuring that the necessary legal mechanisms and safeguards are put in place.

With careful planning and consideration of the potential issues, hotel businesses can fully reap the benefits that digital business has to offer while minimising the data protection risks that come along with it.