On a Monday, some weeks ago in March, I travelled to Mangochi. Upon arrival in the evening, I went straight to the reception desk of one of the lodges to inquire about accommodation. A receptionist welcomed me alongside another guest who was already waiting at the reception area. My room was duly secured, and when it came time to pay for the night, I was handed a guest register and signed on the second row. The first row had been filled by the previous guest, with all personal details left fully visible. This meant that every subsequent guest checking in after me would have unrestricted access to those details: name, room number, contact information, personal address, origin and next destination, and number of nights.
Curious to test the system, I asked the receptionist to assure me that my details would be kept safe, then flipped through earlier pages to see whether I would be stopped. You can guess what happened. Although the moment passed as a light conversation, what it revealed is anything but trivial. Below, I examine what that scenario truly means and the serious implications it carries.
Are Tourism Enterprises Not Obliged to Safeguard Guest Information?
Under Malawian law and regulatory frameworks, businesses that collect personal information are expected to protect it from unauthorised access, disclosure, or misuse. Four key pillars establish this obligation. The Constitution of the Republic of Malawi guarantees the right to privacy. Section 21 protects individuals from interference with their private communications and personal information. Businesses and individuals collecting personal data must therefore handle it in a manner that respects this constitutional right. The Electronic Transactions and Cyber Security Act provides a legal framework for the protection of personal data in electronic and digital environments. The Act requires entities that process personal data to collect data lawfully and for legitimate purposes, ensure the confidentiality and security of that data, and prevent unauthorised access or disclosure.
The Malawi Tourism Act places tourism enterprises under licensing and regulatory oversight. Enterprises operating under this Act are expected to comply with professional hospitality standards, which typically require the maintenance of guest registers, identification details, payment information, and travel records, all handled with appropriate care. Globally accepted hospitality standards further require tourism service providers to keep guest records confidential, protect identification documents, booking details, and payment information, and limit access to guest data strictly to authorised staff.
How Should Tourism Enterprises Handle Guest Information?
Tourism enterprises in Malawi routinely collect personal information during booking and check-in processes and these include names, identification numbers, contacts, payment details, and travel records. Since this information constitutes personal data, enterprises must take reasonable measures to secure it. Failure to do so, such as leaving guest registers publicly accessible, disclosing guest details without consent (as in the scenario described above), or failing to protect electronic booking systems, may amount to a violation of a guest’s constitutional right to privacy, a breach of obligations under the Electronic Transactions and Cyber Security Act, non-compliance with the Malawi Tourism Act, and non-conformity with internationally accepted best industry practices. All these frameworks collectively impose a duty on tourism enterprises and individuals to protect guest information.
What Must Tourism Enterprises Do?
All tourism enterprises in Malawi are required, by both legal frameworks and industry standards, to actively safeguard their guests’ personal information. Practical steps include replacing open-format guest registers with secure, access-controlled alternatives; training staff on data handling and confidentiality obligations; ensuring that no guest’s details are visible to another; and reviewing both physical and digital record-keeping systems for vulnerabilities.
Failure to uphold these obligations does not merely represent a lapse in hospitality, it can expose an enterprise to legal liability, regulatory sanctions, and significant reputational damage. More importantly, it is a violation of the trust that guests place in the establishments that host them. Guest privacy is not a bureaucratic formality. It is a right, a legal duty, and the hallmark of a truly professional tourism and hospitality enterprise.