Data protection

- Last updated on GMT

Related tags: Data protection act, Data protection act 1998

The increased use of customer loyalty schemes and direct marketing programmes means that licensees must be aware of the implications of gathering and...

The increased use of customer loyalty schemes and direct marketing programmes means that licensees must be aware of the implications of gathering and using data about their customers.

As long as there have been pubs, publicans have been gathering information about their customers. A simple greeting to a regular entering the bar along the lines of "Evening Bob. Usual? How's the wife?" shows that the man behind the bar has done his job by establishing the customer's name, preferred drink, and marital status.

As long as this information stays in the licensee's head, there is no problem. However, if you hold personal information on any customers, ex-customers or potential customers anywhere else, you need to be aware of the Data Protection Act 1998, which came into effect in March 2000.

As more pubs realise the advantages of direct marketing programmes, customer loyalty schemes, and similar initiatives, the implications of gathering and using data about customers become more relevant.

The act

The Data Protection Act 1998 regulates the use of personal data. It ensures that UK law observes the European Directive on Data Protection.

The act is concerned with "personal data", which is information about living, identifiable individuals. This need not be particularly sensitive information and can be as little as a name and address.

The act works in two ways. It gives individuals, or data subjects, certain rights, and requires those who record and use personal information, or data controllers, to be open about their use of that information and to follow sound and proper practices, which are known as the Data Protection Principles. These require anyone processing data to comply with eight principles of good practice. Data must be:

  • fairly and lawfully processed
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate
  • not kept longer than necessary
  • processed in accordance with the data subject's
  • secure
  • not transferred to countries without adequate

Who monitors the act?

The Government has created the post of Information Commissioner, an independent official reporting directly to Parliament. The commissioner is responsible for administering and enforcing the Data Protection Act and the Freedom of Information Act.

Are you a data controller?

Data controllers are those who control the purpose and manner in which personal data is processed. This can be any type of company or organisation. A data controller can also be a sole trader, partnership, or an individual.

Even if you do not keep customer records on a computer, there are ways in which your pub might be collecting data, including:

  • customer names and phone numbers from
    restaurant bookings
  • details of function room bookings
  • customers booking children's parties or using a
    play area
  • customers taking part in competitions, promotions, or quizzes
  • employee records and personnel information.

Paper or PC?

Although computers have made it much easier for information about individuals to be stored and used, the scope of the Data Protection Act is not limited to files held electronically.

The act covers information which is recorded as part of a "relevant filing system", either by name or other criteria, so that "specific information relating to a particular individual is readily accessible". This includes manual, or paper, files.

Under a transitional arrangement, manual records held before October 24, 1988 are exempt from the full scope of the Act until 2007. However, from October 24, 2001 individuals will have the right to see such manual records and ask for any incorrect information to be corrected.

What should you do?

Obviously, the burden of complying with data protection legislation is likely to fall much more heavily on a small business such as a pub than on a larger organisation which can afford to employ someone to take responsibility for managing data use and compliance.

As with many other pieces of legislation, despite the Government's claim that it is committed to reducing the red tape burden, the act makes no particular allowance for the existence of small businesses and contains no special provisions for those who run them.

Under the act, the size of your business is actually immaterial. What is important is the personal information you hold in relation to your business activities.

The maximum penalty for failing to notify the Information Commissioner of your processing is currently a £5,000 fine plus costs in the magistrates' courts, or an unlimited fine in the higher courts.

If you hold personal information about individuals you may well need to notify the Information Commissioner under the Data Protection Act. The annual notification fee is £35.

You can complete the notification form on-line, Print it and send the form to the commissioner's office with the notification fee or your direct debit instruction. You can telephone the notification helpline at 01625 545745 to be sent the form. The helpline can also advise if you are unsure whether you need to register.


There are some exemptions from notification under the requirements of the act for individuals and organisations which make only limited use of personal data.

  • Mailing lists - Personal data held only for the
    purpose of distributing articles or information to
    individuals is exempt from the requirement to
    register. This covers a basic mailing list, but nevertheless all of the individuals must be asked
    whether they object to the personal data relating
    to them being held by the data user. The mailing list exemption would normally only apply to
    names and addresses.
  • Accounts - There is an exemption from the
    requirement to register for payroll, pensions and
    accounts purposes. This only applies to very
    basic accounting purposes, for the production of
    invoices and PAYE returns.
  • Social clubs and similar organisiations -
    Personal data held by an unincorporated members club, and relating only to members is
    exempt so long as members are asked if they
    object to the data relating to them being held.
  • Word processing - A person does not become a
    data user merely by writing a letter or document
    which contains basic personal data. However, if
    the documents are held on computer as a store
    of data then this exemption does not apply.


The act allows individuals to find out what information is held about themselves on computer and some paper records. This is known as the right to subject access. Individuals can ask a data controller to stop processing information in a number of circumstances.

This includes the right to insist that information is not used for direct marketing purposes, and the right to correct, block or destroy any personal details that are incorrect.

This feature is intended as a guide to the Data Protection Act only, and does not cover all its provisions. Publicans should consult their legal adviser for specific information.

Further information

Enquiries to the Information Commissioners office: 01625 545745 Web site:

Related topics: Legislation

Follow us

Pub Trade Guides

View more