If you allow your customers to run up a tab you may well have their personal details such as name, address and telephone number written down as a record. Have you considered your legal obligations under the Data Protection Act 1998? If they pay by credit card then you will obviously have a record of their details. Indeed, you may be holding information on your customers stemming from previous competitions or promotions.
So how does this affect you? If you are a "data controller" for the purposes of the Act, then you should be aware that you have certain legal obligations. And any individuals who you hold data about also have certain rights.
You need first to consider whether you are holding "personal data" and therefore might be classed as a data controller.
Under the Data Protection Act 1998, personal data means any information which could identify an individual, whether from such data alone or together with other information in the possession of (or likely to come into the possession of) the person controlling the data. This information could include anything mentioned above.
If you are a data controller, you are required to notify the Information Commissioner before you process any data. Failure to do so is a criminal offence. The notification process is a one-off registration that is then subject to an annual renewal fee (currently £35). Registration needs to be carried out through the Information Commissioner's Office, which is the UK's independent public body set up to promote access to official information and to protect personal information. The Information Commissioner controls the public register which lists all data controllers and details of the types of data processing they carry out.
Customers' drinking habits
However, before you start to worry unduly, you should know that the courts have defined "personal data" in a relatively restrictive way. It seems that merely keeping a record of customers' names and addresses will not, in itself, amount to processing personal data. But if you keep details of your customers' drinking habits, likes and dislikes and other truly biographical information about them, then this may well amount to personal data and you may then need to register as a data controller.
If this is the case, before processing any data you should give the individual the opportunity to "opt out" of his/her data being used for the purposes that you intend. This can be achieved, for example, by including a tick box on promotional material stating that the customer does not wish his/her details to be used for other promotional offers. If you are a data controller, then once registered with the Information Commissioner you must process all data in accordance with the data protection principles detailed in the Act, which include the following:
- personal data shall be processed fairly (explaining how you intend to use the information, for example) and lawfully;
- it shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
- it shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
- it shall be accurate and, where necessary, kept up to date;
- personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes;
- appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and
- personal data shall not be transferred to a country or territory outside the European Economic Area unless it ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The Act also grants rights to individuals when their personal data is processed. An individual has the right to gain access to that data. To do so, they must submit a written request to you requiring the following information:
- the information held about themselves;
- the purpose for which the information is held; and
- any persons to whom this information is to be supplied.
You are not obliged to respond to such a request unless it has been made in writing and is accompanied by the fee you set (this is currently capped at £10). If these terms are met then you have an obligation to respond to such requests within 40 days. However, please note that this obligation only exists if you hold personal data in the true sense of the word - something which may not always be cut and dried.
Visit the Information Commissioner's Office website at www.ico.gov.uk for further guidance or take appropriate legal advice.