The Passenger Name Record Data and Miscellaneous Amendments Regulations 2018

Changes to legislation:

There are currently no known outstanding effects for The Passenger Name Record Data and Miscellaneous Amendments Regulations 2018, PART 3.

PART 3 Processing of PNR data and protection of personal data

Scope

5. [F1(1)] This Part applies in respect of the processing of PNR data provided by an air carrier on or after the coming into force of these Regulations and pursuant to a requirement under either of the following provisions—

(a) paragraph 27B(2) of Schedule 2 to the Immigration Act 1971;

(b) section 32(2) of the Immigration, Asylum and Nationality Act 2006.

[F2(2) This Part also applies in respect of PNR information provided to the PIU by an EU PIU or a third country competent authority.]

Processing of PNR data by the PIU

6.—(1) Where the information provided by an air carrier pursuant to a requirement under either of the provisions set out in regulation [F3 5(1)] includes F4... data other than PNR data, the PIU must delete the additional data F5... upon receipt.

(2) The PIU must not process PNR data except for one of the purposes described in paragraph (3) [F6, subject to regulation 4A(6)].

[F7(3) The purposes are—

(a) preventing, detecting, investigating and prosecuting terrorist offences or serious crime, and

(b) protecting the vital interests of persons.

(4) Where the PIU compares PNR data against a database, the PIU must ensure that the database is—

(a) reliable and up to date, and

(b) used for a purpose described in paragraph (3).]

(5) [F8Where the PIU processes PNR data against pre-determined criteria,] the PIU must ensure that the pre-determined criteria F9... are—

(a) [F10reliable,] targeted, proportionate and specific;

(b) set and regularly reviewed in cooperation with the UK competent authorities, and

(c) not based on a person's race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation.

[F11(5A) The PIU must not take any decision which produces an adverse legal effect on a person or otherwise significantly affects a person—

(a) only by reason of the automated processing of PNR data, or

(b) on the basis of any of the matters described in paragraph (5)(c) in relation to that person.]

F12(6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F12(7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F12(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(9) The PIU must not transfer [F13PNR information] to a UK competent authority [F14except where it does so on a case by case basis where it is satisfied that—

(a) it is necessary to transfer that PNR information for a purpose described in paragraph (3); and

(b) the UK competent authority has arrangements in place for the protection of personal data that are equivalent to the arrangements for the protection of personal data required of the PIU under these Regulations.]

(10) The processing and analysis of PNR data by the PIU must be carried out exclusively within a secure location within the territory of the United Kingdom.

Processing of PNR data by a UK competent authority

7.—(1) A UK competent authority must not—

(a) process [F15PNR information] for purposes other than [F16a purpose described in regulation 6(3)], or

(b) take any decision which produces an adverse legal effect on a person or otherwise significantly affects a person—

(i) only by reason of the automated processing of PNR data, or

(ii) on the basis of any of the matters described in regulation 6(5)(c) in relation to that person.

(2) Paragraph (1)(a) is without prejudice to the ability of a UK competent authority to exercise its functions [F17

(a)] in circumstances where other offences, or indications of such offences, are detected during the course of any enforcement action taken further to the processing of PNR data[F18, or

(b) in relation to public health.]

[F19(3) Where the PIU transfers PNR information under regulation 6(9), the UK competent authority must not transfer the PNR information to another person without the consent of the PIU.]

Exchange of PNR data between Member States

F20 8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Requests for PNR data made to the PIU by a non-UK PIU

F20 9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Requests for PNR data made by the PIU

F20 10. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F21Requests for PNR data made by the PIU

10(1) Any request made by the PIU to an EU PIU for PNR information must be—

(a) made only for the purpose described in regulation 6(3)(a),

(b) made in respect of a specific case, and

(c) duly reasoned.

(2) Any request made by the PIU to a third country competent authority for PNR information must be—

(a) made only for a purpose described in regulation 6(3),

(b) made in respect of a specific case, and

(c) duly reasoned.]

Requests for PNR data made by a UK competent authority F22...

11.—(1) A UK competent authority must channel its requests for [F23PNR information] processed by [F24an EU PIU or a third country competent authority] through the F25... PIU.

(2) Where necessary in the case of an emergency and provided the conditions laid down in paragraph (3) are satisfied, a UK competent authority may make a request for [F26PNR information] directly to a [F27[F28third country] competent authority].

[F29(3) The conditions are that—

(a) the request is made solely for the purposes of the prevention, detection, investigation or prosecution of terrorist offences or serious crime;

(b) the request is made in respect of a specific case;

(c) the request is duly reasoned, and

(d) a copy of the request is sent to the PIU.]

[F30Transfers of PNR data to an EU PIU

11A(1) The PIU must transfer PNR information to an EU PIU in a specific case, as soon as possible, where—

(a) the EU PIU has made a duly reasoned request for the PNR information, and

(b) the PIU is satisfied that it is necessary to transfer that PNR information for the purpose described in regulation 6(3)(a).

(2) The PIU must transfer analytical information containing PNR data to an EU PIU in a specific case, as soon as possible, where the PIU considers that it is necessary to transfer that analytical information for the purpose described in regulation 6(3)(a).

Transfers of PNR data to Europol and Eurojust

11B(1) The PIU must transfer PNR information to Europol or Eurojust in a specific case, as soon as possible, where—

(a) Europol or Eurojust has made a duly reasoned request for the PNR information, and

(b) the PIU is satisfied that it is necessary to transfer that PNR information for the purpose described in regulation 6(3)(a).

(2) The PIU must transfer analytical information containing PNR data to Europol or Eurojust in a specific case, as soon as possible, where the PIU considers that it is necessary to transfer that analytical information for the purpose described in regulation 6(3)(a).]

Transfers of PNR [F31data] to [F32[F33third country] competent authorities]

12. [F34[F35(1) Paragraphs (1A) to (2A) apply to PNR information that is not EU PNR information.

(1A) The PIU must not transfer that PNR information to a third country competent authority except where it does so on a case by case basis where paragraph (2) or (2A) applies.]

(2) [F36This paragraph applies where]

(a) the request from the non-UK competent authority is duly reasoned;

(b) the PIU is satisfied that the transfer is necessary for [F37a purpose described in regulation 6(3)], and

(c) the [F38third country] competent authority agrees to transfer [F39the information] to another [F38third country] competent authority only where it is strictly necessary for the purposes described in sub-paragraph (b).

(2A) [F40This paragraph applies where]

F41(a). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(b) the PIU considers it necessary for [F42a purpose described in regulation 6(3)].]

[F43(2B) The PIU must not transfer EU PNR information to a third country competent authority except where it does so on a case by case basis where—

(a) paragraph (2C) applies and the PIU is satisfied that it is necessary to transfer the EU PNR information for a purpose described in regulation 6(3), or

(b) paragraph (2D) applies.

(2C) This paragraph applies where—

(a) there is an agreement in force between the third country and the EU that provides for a level of protection of personal data that is equivalent to the level of protection required under the Agreement, or

(b) the European Commission has decided that the third country ensures an adequate level of protection of personal data, and that decision has not been repealed or suspended, or amended in a way that demonstrates that the Commission no longer considers there to be an adequate level of protection of personal data.

(2D) This paragraph applies where—

(a) the PIU considers that it is necessary to transfer the EU PNR information—

(i) for the prevention or investigation of an immediate and serious threat to public security, or

(ii) to protect the vital interests of persons, and

(b) the third country competent authority provides a written confirmation to the PIU that the EU PNR information will be subject to a level of protection that is equivalent to the level of protection under these Regulations and the data protection legislation.

(2E) Where the PIU transfers EU PNR information that it received from an EU PIU to a third country competent authority under this regulation, the PIU must notify that EU PIU as soon as possible.

(2F) Where, under this regulation, the PIU transfers to a third country competent authority EU PNR data that originated in a member State, and was provided by an air carrier, the PIU must notify the EU PIU for that member State as soon as possible.]

(3) In the case of PNR data that has been depersonalised through the masking out of data elements pursuant to regulation 13(2), the PIU must not transfer the unmasked PNR data except where—

(a) the PIU is satisfied that the disclosure is necessary for [F44a purpose described in regulation 6(3)], and

(b) the disclosure is approved by the officer referred to in regulation 13(4)(b).

(4) The PIU must inform the data protection officer each time [F45PNR information] is transferred to a [F46[F47third country] competent authority].

Period of data retention and depersonalisation

13. [F48(1) Paragraphs (1A) and (1B) apply to PNR data transferred to the PIU—

(a) by air carriers pursuant to a requirement imposed under—

(i) paragraph 27B(2) of Schedule 2 to the Immigration Act 1971, or

(ii) section 32(2) of the Immigration, Asylum and Nationality Act 2006, or

(b) by an EU PIU.]

for a period of five years beginning with the date of the transfer.

[F49(1A) In the case of EU PNR data, the PIU must permanently delete the data before the end of the period of five years beginning with the date of the transfer, subject to regulation 13B if the data is restricted EU PNR data within the meaning of that regulation.

(1B) In any other case, the PIU must—

(a) retain the PNR data for a period of five years beginning with the date of the transfer, and

(b) permanently delete that data upon expiry of that period.

(1C) Paragraphs (1A) and (1B) do not affect the power of the PIU to retain PNR data where it is used in the context of specific cases for a purpose described in regulation 6(3).]

(2) Upon expiry of a period of six months beginning with the date of transfer of the PNR data by an air carrier [F50or an EU PIU] the PIU must depersonalise the PNR data through masking out of the following data elements—

(a) names, including the names of other passengers on the PNR and number of travellers who are travelling together on the PNR;

(b) address and contact information;

(c) all forms of payment information, including billing address;

(d) frequent flyer information;

(e) general remarks, F51...

(f) any API data.

[F52(g) Other Service Information (OSI), and

(h) System Service Information (SSI) and System Service Request information (SSR).]

(3) Paragraph (2) applies to the extent that the data elements listed in that paragraph could serve to identify directly the [F53person] to whom the PNR data relates.

[F54(3A) The PIU must ensure that unmasked PNR data is only accessible by persons specifically authorised by the PIU to access such data and must limit the number of persons authorised to the minimum number practicable.]

(4) Upon expiry of the period referred to in paragraph (2) the PIU must not disclose the unmasked PNR data except where—

(a) the PIU is satisfied that the disclosure is necessary for [F55a purpose described in regulation 6(3)], and

(b) the disclosure is approved by the most senior officer within the PIU who has been charged with verifying whether the conditions for disclosure of the full PNR are met.

(5) In circumstances where the PIU discloses the unmasked PNR data—

(a) the officer referred to in paragraph (4)(b) must inform the data protection officer, and

(b) the data protection officer must conduct a review of that disclosure.

(6) Any UK competent authority which is storing or otherwise processing PNR data must permanently delete that data [F56when that data is no longer required in the context of the specific case for which it was transferred to the UK competent authority].

F57(7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F57(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F57(9) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F57(10) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F58Use and transfer of EU PNR data by the PIU: further provision

13A(1) The PIU may not use or transfer EU PNR data unless paragraph (2), (3), (4) or (5) applies.

(2) This paragraph applies where the PIU processes the EU PNR data for the purposes of security and border control checks.

(3) This paragraph applies if the designated independent authority has given consent for the use or transfer of the EU PNR data.

(4) This paragraph applies if the PIU considers that the use or transfer of the EU PNR data is necessary in an urgent case.

(5) This paragraph applies if the PIU considers that the use of the EU PNR data is necessary for the purpose of developing, or verifying the accuracy of, the pre-determined criteria referred to in regulation 6(5).

(6) Where the PIU—

(a) uses EU PNR data as mentioned in paragraph (3) or (4), or

(b) transfers EU PNR data to an EU PIU, Europol, Eurojust or a third country competent authority,

the PIU must notify the person to whom the data relates, so far as it is reasonably practicable to do so.

(7) Where the PIU transfers EU PNR data to a UK competent authority, the UK competent authority must notify the person to whom the data relates, so far as it is reasonably practicable to do so.

(8) A notification under paragraph (6) or (7) must—

(a) be in writing,

(b) be made within a reasonable period, and

(c) provide information about the procedures available for seeking redress of any grievance relating to the use or transfer.

(9) A notification need not be made under paragraph (6) or (7) during any period when the PIU or the UK competent authority (as the case may be) considers that notifying the person would, or would be likely to, prejudice any ongoing investigations.

(10) Nothing in paragraphs (2) to (5) affects the operation of regulation 6(2).]

[F59Restricted EU PNR data: further provision

13B(1) For the purposes of this regulation, EU PNR data is “restricted EU PNR data” if it relates to a person arriving in the United Kingdom who—

(a) is not a UK national, and

(b) resides outside the United Kingdom.

(2) For the purposes of this regulation, restricted EU PNR data relating to a person is subject to deletion if—

(a) the PIU, acting as such, knows that the person has left the United Kingdom, or

(b) the period for which the person is permitted to stay in the United Kingdom has expired.

(3) But restricted EU PNR data is not subject to deletion—

(a) if, on the basis of a risk assessment based on objectively established criteria, the PIU considers that retention of the restricted EU PNR data is necessary for the purpose described in regulation 6(3)(a), or

(b) where the restricted EU PNR data is used in the context of specific cases for a purpose described in regulation 6(3).

(4) The PIU must permanently delete restricted EU PNR data that is subject to deletion as soon as possible.

(5) The PIU must ensure that the operation of paragraph (3)(a) is reviewed annually by the designated independent authority.

(6) In this regulation, “UK national” means—

(a) a British citizen,

(b) a person who is a British subject by virtue of Part 4 of the British Nationality Act 1981 and who has a right of abode in the United Kingdom, or

(c) a person who is a British overseas territories citizen by virtue of a connection to Gibraltar.]

Protection of personal data

14.—(1) The PIU must not process PNR data revealing a person's race, ethnic origin, political opinions, philosophical beliefs, trade union membership, health, sexual life or sexual orientation.

[F60(1A) The PIU must permanently delete any PNR data referred to in paragraph (1).]

(2) The PIU must maintain documentation relating to all processing systems and procedures under its responsibility.

(3) The documentation referred to in paragraph (2) must contain at least—

(a) the name and contact details of the personnel within the PIU entrusted with the processing of the PNR data;

(b) the respective levels of authorisation of those personnel to access PNR data;

(c) details of requests made by [F61EU PIUs, Europol or Eurojust] F62..., and

(d) details of all requests for transfers of PNR data to a third country.

(4) The PIU must make the documentation referred to in paragraph (2) available to the Commissioner on request.

(5) The PIU must keep records of all processing operations for a period of five years.

Supervisory authority

F63 15. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Application of other data protection enactments

16.—(1) Nothing in this Part has the effect of disapplying the provisions of an enactment described in paragraph (2) to the processing of PNR data by a UK competent authority.

(2) The enactments referred to in paragraph (1) are any enactments governing the processing of personal data by a UK competent authority for the purposes of [F64

(a)] the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security[F65, or

(b) the protection of the public against threats to public health.]
