From centralised risk to distributed duty: How the Tourism Accommodation Bill evolved to protect guest privacy

Regardless of one’s position on guest accommodation registration, establishing quality standards is undeniably beneficial to Barbados’ economy. The challenge, however, lies in how those standards are enforced. When first introduced in early 2024, the draft Tourism Accommodation Bill sparked concerns by requiring hotels and guesthouses not only to capture guest details, such as names, addresses, and payment information, but also to scan and submit passports to the Ministry of Tourism monthly.

The bill has since cleared the House of Assembly and now moves to the Senate for further debate before it can be signed into law by the President. This is therefore a critical moment to reflect on how the bill has evolved — and to ask: do those reporting requirements still stand, or has the legislation taken a different course?

What emerges is a clear shift. Operators are still required to collect and securely maintain guest information in line with operational standards, but the controversial requirement to transmit personally identifiable information to the ministry each month has been removed. Reporting obligations now centre on business and operational compliance — such as licensing, inspections and adherence to classification standards — without creating a central government database of guest data.

While the removal of monthly guest data reporting is clearly a relief for government — easing both administrative burden and cybersecurity risk — it is worth reflecting on why such a requirement might have been proposed in the first place. The justification for its removal is particularly strong when viewed against the region’s cybersecurity landscape. According to Positive Technologies’ Latin America and Caribbean 2023–2024 Report, government institutions (21 per cent) and financial organisations (13 per cent) experienced the highest number of cyberattacks, precisely because they store valuable information and operate critical processes.

Had the provision remained, the Ministry of Tourism would have become the central custodian of vast amounts of tourist personal data, creating a highly attractive target for cybercriminals. Yet from the state’s perspective, centralised reporting promised timely insights into tourism flows, room occupancy, and visitor demographics — information valuable for economic planning, sector monitoring, and shaping national tourism strategy. From a security standpoint, access to detailed guest records could also have been seen as a tool for immigration control or crime prevention.

However, under the principles of the Data Protection Act 2019, the collection of personal data must always be grounded in a clear legal basis and a demonstrable necessity. In the absence of such justification, the principle of “data minimisation” dictates that information should not be gathered simply for convenience but only for a legitimate interest. By removing the monthly reporting requirement, lawmakers have aligned the bill more closely with these principles.

What this means for operators
While this may be a win for government, the spotlight still shines brightly on how the accommodation sector collects, stores, and processes guests’ personal data. The compliance obligations for hotels and guest houses remain unchanged. Operators remain squarely responsible for the personal information they collect and must align their practices with the requirements of the Data Protection Act (2019). In practical terms, three areas deserve close attention:

Record-keeping and reporting
Hotels must still maintain detailed operational records and submit monthly occupancy reports. While these no longer extend to sensitive identity documents, they may still involve personal identifiers drawn from booking platforms, reservation logs, or even accounting systems. Ensuring that such information is processed lawfully, stored securely, and retained only for as long as necessary remains a core compliance obligation.

Confidentiality obligations
The act places statutory confidentiality duties on operators and staff, operating alongside the requirements of the DPA. This makes it essential to enforce “need to know” access to guest information, strengthen contractual confidentiality clauses, and ensure that third-party providers such as booking engines and payment processors meet the same standard of protection.

Inspections and lawful disclosure
Government inspectors are empowered to review operational records. When those records contain personal data, disclosure must be lawful, proportionate and well-documented. Hotels should therefore maintain clear audit trails and policies governing what can be shared, under what legal basis, and with what safeguards.

Together, these obligations highlight an important reality: while government has stepped back from monthly PII collection, operators remain the frontline custodians of guest data. Compliance with the Tourism Accommodation Act can only be achieved in tandem with adherence to the DPA — making strong internal governance, security controls, and staff training more critical than ever.

A path forward for the sector
The act may have stepped back from mandatory PII reporting, but hotels and guesthouses cannot afford to treat data privacy as a box-ticking exercise. Instead, operators should view compliance as part of their broader duty of care to guests, regulators, and their own reputations. A sensible starting point includes:

Engaging expert guidance
Bringing in a qualified data privacy consultant ensures that compliance strategies are aligned with the Barbados Data Protection Act (2019) and international standards such as Europe’s General Data Protection Regulation (GDPR) and the UK’s DPA. This helps operators avoid costly missteps while building a culture of accountability.

Developing a privacy programme
Every hotel should have a structured privacy framework that sets out how guest data is collected, stored, accessed, and disposed of. This should cover both digital systems and physical records, with policies that can be explained to staff and defended to regulators.

Training and awareness
Staff are often the first and last line of defence. Regular training in confidentiality, secure handling of guest information, and recognising risks like phishing or social engineering strengthens compliance and builds guest trust.

Embedding security controls
Practical safeguards such as encryption, access controls, audit trails and secure disposal of records should be implemented proportionately to the risks faced by each operator.

By taking these steps, hotels can demonstrate that they are not only compliant with the Tourism Accommodation Act and the DPA, but also proactive in protecting the personal information of the guests on whom they depend.

The Tourism Accommodation Bill’s passage through the House signals a wiser balance: government has stepped back from collecting sensitive guest data, but operators remain fully responsible under the Data Protection Act for how that information is gathered, stored and disclosed. The reporting burden may have eased, yet the compliance spotlight still rests firmly on the sector — making governance, staff training and expert guidance essential if hotels are to protect guest trust and maintain Barbados’ reputation as a secure, world-class destination.

steven@dataprivacy.bb

The post From centralised risk to distributed duty: How the Tourism Accommodation Bill evolved to protect guest privacy appeared first on Barbados Today.
