PART 1 U.K.General

Citation and commencementU.K.

1.  These Regulations may be cited as the Passenger Name Record Data and Miscellaneous Amendments Regulations 2018 and come into force on 25th May 2018.

InterpretationU.K.

2.—(1) In these Regulations—

“the 2008 Order” means the Immigration and Police (Passenger, Crew and Service Information) Order 2008 M7;

[F1“the Agreement” means the Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part, as it has effect on the relevant day (as amended or supplemented from time to time on or before its coming into force);]

[F1“air carrier” means the owner or agent of an aircraft operating passenger services to or from the United Kingdom;]

“API data” means—

“the Commissioner” means the Information Commissioner;

[F1“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);]

“the data protection officer” means the person appointed in accordance with regulation 4(1);

F2...

F3...

F4...

[F1“designated independent authority” means the person for the time being designated under regulation 4A by a direction given by the Secretary of State;]

[F1“EU PIU” means an authority based in a member State which has been notified to the United Kingdom under the Agreement as the passenger information unit for that member State;]

[F1“EU PNR data” means PNR data—

[F1“EU PNR information” means EU PNR data, the result of processing EU PNR data or analytical information containing EU PNR data;]

[F1“Eurojust” means the European Union Agency for Criminal Justice Cooperation as established by Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust) and replacing and repealing Council Decision 2002/187/JHA (as it has effect in EU law as amended from time to time);]

[F1“European Commission” means the Commission of the European Union;]

[F1“Europol” means the European Union Agency for Law Enforcement Cooperation as established by Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (as it has effect in EU law as amended from time to time);]

F2...

F5...

F2...

“personal data” means information relating to an identified or identifiable living individual;

“the PIU” means the authority competent in the prevention, detection, investigation or prosecution of terrorist offences and of serious crime which is designated as the United Kingdom's passenger information unit under regulation 3(1);

“PNR data” means one or more items of personal data listed in [F6Schedules 2 or 4 to the 2008 Order];

[F1“PNR information” means PNR data, the result of processing PNR data or analytical information containing PNR data;]

“processing”, in relation to [F7PNR information], means an operation or set of operations performed on [F8that information] including its retrieval, consultation or use;

[F1“relevant day”, in relation to the Agreement or any aspect of it, means—

[F9“serious crime” means conduct which constitutes an offence in any part of the United Kingdom for which the maximum term of imprisonment (in the case of a person aged 21 or over) is at least 3 years (or would constitute such an offence in any part of the United Kingdom if committed there);]

[F10“terrorist offences” means the offences listed in [F11Annex 45] to the Agreement;]

“third country” means a country or territory other than [F12—]

[F1“third country competent authority” means an authority based in a third country that is competent for—

“UK competent authority” means a United Kingdom authority competent for [F15—]

[F18(1A) References in these Regulations to protecting the vital interests of persons include protecting persons—

(a)who are, or may be, at risk of death or serious injury, or

(b)from significant threats to public health.]

F19(2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

PART 2U.K.The Passenger Information Unit

Designation of passenger information unitU.K.

3.—(1) The Home Office is designated as the passenger information unit F20....

(2) The PIU is responsible for—

(a)collecting PNR data from air carriers;

(b)storing and processing PNR data;

(c)where appropriate, transferring [F21PNR information] to a UK competent authority [F22, Europol or Eurojust];

[F23(ca)where appropriate, exchanging PNR information with an EU PIU;]

[F24(d)where appropriate, exchanging [F25PNR information] with a [F26third country] competent authority]

[F27(3) The Secretary of State may by regulations amend paragraph (1) so as to designate a different authority as the PIU.

(4) The power in paragraph (3) is exercisable by statutory instrument and includes power—

(a)to designate different authorities for different purposes or in relation to different areas;

(b)to make supplementary, incidental, consequential, transitional, transitory or saving provision.

(5) Where regulations under paragraph (3) designate more than one authority as the PIU, the provision that may be made by virtue of paragraph (4)(b) includes, in particular, provision amending these Regulations to make provision for the transfer of PNR information from one authority so designated to another.

(6) A statutory instrument containing regulations under paragraph (3) is subject to annulment in pursuance of a resolution of either House of Parliament.]

Data protection officer in the PIUU.K.

4.—(1) The PIU must appoint a data protection officer responsible for monitoring and implementing safeguards in relation to the processing of PNR data by the PIU.

(2) The PIU must provide the data protection officer with—

(a)the means to perform the duties and tasks described in paragraph (1) effectively and independently, and

(b)access to all data processed by the PIU.

(3) Where the data protection officer considers that the processing of any data by the PIU has not been in accordance with Part 3 of these Regulations, the data protection officer may refer the matter to the Commissioner.

[F28Designated independent authorityU.K.

4A—(1) The Secretary of State must by direction designate a person as the designated independent authority in relation to the PIU.

(2) The person for the time being designated must be a person in relation to whom the Secretary of State is satisfied that the requirements of paragraph (3) are met.

(3) Those requirements are that the person—

(a)does not carry out relevant PNR data processing,

(b)acts independently of any person carrying out relevant PNR data processing, and

(c)has sufficient expertise and knowledge and has had appropriate training to exercise the functions of the designated independent authority under these Regulations.

(4) In paragraph (3), relevant PNR data processing is processing of PNR data otherwise than in exercise of the functions of the designated independent authority under these Regulations.

(5) The PIU must make EU PNR data available to the designated independent authority for the purposes of the authority's functions under these Regulations.

(6) The designated independent authority may process EU PNR data for the purposes of exercising the authority's functions under these Regulations.]

PART 3U.K.Processing of PNR data and protection of personal data

ScopeU.K.

5.—[F29(1)] This Part applies in respect of the processing of PNR data provided by an air carrier on or after the coming into force of these Regulations and pursuant to a requirement under either of the following provisions—

(a)paragraph 27B(2) of Schedule 2 to the Immigration Act 1971;

(b)section 32(2) of the Immigration, Asylum and Nationality Act 2006.

[F30(2) This Part also applies in respect of PNR information provided to the PIU by an EU PIU or a third country competent authority.]

Processing of PNR data by the PIUU.K.

6.—(1) Where the information provided by an air carrier pursuant to a requirement under either of the provisions set out in regulation [F315(1)] includes F32... data other than PNR data, the PIU must delete the additional data F33... upon receipt.

(2) The PIU must not process PNR data except for one of the purposes described in paragraph (3) [F34, subject to regulation 4A(6)].

[F35(3) The purposes are—

(a)preventing, detecting, investigating and prosecuting terrorist offences or serious crime, and

(b)protecting the vital interests of persons.

(4) Where the PIU compares PNR data against a database, the PIU must ensure that the database is—

(a)reliable and up to date, and

(b)used for a purpose described in paragraph (3).]

(5) [F36Where the PIU processes PNR data against pre-determined criteria,] the PIU must ensure that the pre-determined criteria F37... are—

(a)[F38reliable,] targeted, proportionate and specific;

(b)set and regularly reviewed in cooperation with the UK competent authorities, and

(c)not based on a person's race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation.

[F39(5A) The PIU must not take any decision which produces an adverse legal effect on a person or otherwise significantly affects a person—

(a)only by reason of the automated processing of PNR data, or

(b)on the basis of any of the matters described in paragraph (5)(c) in relation to that person.]

F40(6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F40(7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F40(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(9) The PIU must not transfer [F41PNR information] to a UK competent authority [F42except where it does so on a case by case basis where it is satisfied that—

(a)it is necessary to transfer that PNR information for a purpose described in paragraph (3); and

(b)the UK competent authority has arrangements in place for the protection of personal data that are equivalent to the arrangements for the protection of personal data required of the PIU under these Regulations.]

(10) The processing and analysis of PNR data by the PIU must be carried out exclusively within a secure location within the territory of the United Kingdom.

Processing of PNR data by a UK competent authorityU.K.

7.—(1) A UK competent authority must not—

(a)process [F43PNR information] for purposes other than [F44a purpose described in regulation 6(3)], or

(b)take any decision which produces an adverse legal effect on a person or otherwise significantly affects a person—

(i)only by reason of the automated processing of PNR data, or

(ii)on the basis of any of the matters described in regulation 6(5)(c) in relation to that person.

(2) Paragraph (1)(a) is without prejudice to the ability of a UK competent authority to exercise its functions [F45—

(a)] in circumstances where other offences, or indications of such offences, are detected during the course of any enforcement action taken further to the processing of PNR data[F46, or

(b)in relation to public health.]

[F47(3) Where the PIU transfers PNR information under regulation 6(9), the UK competent authority must not transfer the PNR information to another person without the consent of the PIU.]

Exchange of PNR data between Member StatesU.K.

F488.  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Requests for PNR data made to the PIU by a non-UK PIUU.K.

F489.  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Requests for PNR data made by the PIUU.K.

F4810.  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F49Requests for PNR data made by the PIUU.K.

10—(1) Any request made by the PIU to an EU PIU for PNR information must be—

(a)made only for the purpose described in regulation 6(3)(a),

(b)made in respect of a specific case, and

(c)duly reasoned.

(2) Any request made by the PIU to a third country competent authority for PNR information must be—

(a)made only for a purpose described in regulation 6(3),

(b)made in respect of a specific case, and

(c)duly reasoned.]

Requests for PNR data made by a UK competent authority F50...U.K.

11.—(1) A UK competent authority must channel its requests for [F51PNR information] processed by [F52an EU PIU or a third country competent authority] through the F53... PIU.

(2) Where necessary in the case of an emergency and provided the conditions laid down in paragraph (3) are satisfied, a UK competent authority may make a request for [F54PNR information] directly to a [F55[F56third country] competent authority].

[F57(3) The conditions are that—

(a)the request is made solely for the purposes of the prevention, detection, investigation or prosecution of terrorist offences or serious crime;

(b)the request is made in respect of a specific case;

(c)the request is duly reasoned, and

(d)a copy of the request is sent to the PIU.]

[F58Transfers of PNR data to an EU PIUU.K.

11A—(1) The PIU must transfer PNR information to an EU PIU in a specific case, as soon as possible, where—

(a)the EU PIU has made a duly reasoned request for the PNR information, and

(b)the PIU is satisfied that it is necessary to transfer that PNR information for the purpose described in regulation 6(3)(a).

(2) The PIU must transfer analytical information containing PNR data to an EU PIU in a specific case, as soon as possible, where the PIU considers that it is necessary to transfer that analytical information for the purpose described in regulation 6(3)(a).

Transfers of PNR data to Europol and EurojustU.K.

11B—(1) The PIU must transfer PNR information to Europol or Eurojust in a specific case, as soon as possible, where—

(a)Europol or Eurojust has made a duly reasoned request for the PNR information, and

(b)the PIU is satisfied that it is necessary to transfer that PNR information for the purpose described in regulation 6(3)(a).

(2) The PIU must transfer analytical information containing PNR data to Europol or Eurojust in a specific case, as soon as possible, where the PIU considers that it is necessary to transfer that analytical information for the purpose described in regulation 6(3)(a).]

Transfers of PNR [F59data] to [F60[F61third country] competent authorities]U.K.

12.—[F62[F63(1) Paragraphs (1A) to (2A) apply to PNR information that is not EU PNR information.

(1A) The PIU must not transfer that PNR information to a third country competent authority except where it does so on a case by case basis where paragraph (2) or (2A) applies.]

(2) [F64This paragraph applies where]—

(a)the request from the non-UK competent authority is duly reasoned;

(b)the PIU is satisfied that the transfer is necessary for [F65a purpose described in regulation 6(3)], and

(c)the [F66third country] competent authority agrees to transfer [F67the information] to another [F66third country] competent authority only where it is strictly necessary for the purposes described in sub-paragraph (b).

(2A) [F68This paragraph applies where]—

F69(a). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(b)the PIU considers it necessary for [F70a purpose described in regulation 6(3)].]

[F71(2B) The PIU must not transfer EU PNR information to a third country competent authority except where it does so on a case by case basis where—

(a)paragraph (2C) applies and the PIU is satisfied that it is necessary to transfer the EU PNR information for a purpose described in regulation 6(3), or

(b)paragraph (2D) applies.

(2C) This paragraph applies where—

(a)there is an agreement in force between the third country and the EU that provides for a level of protection of personal data that is equivalent to the level of protection required under the Agreement, or

(b)the European Commission has decided that the third country ensures an adequate level of protection of personal data, and that decision has not been repealed or suspended, or amended in a way that demonstrates that the Commission no longer considers there to be an adequate level of protection of personal data.

(2D) This paragraph applies where—

(a)the PIU considers that it is necessary to transfer the EU PNR information—

(i)for the prevention or investigation of an immediate and serious threat to public security, or

(ii)to protect the vital interests of persons, and

(b)the third country competent authority provides a written confirmation to the PIU that the EU PNR information will be subject to a level of protection that is equivalent to the level of protection under these Regulations and the data protection legislation.

(2E) Where the PIU transfers EU PNR information that it received from an EU PIU to a third country competent authority under this regulation, the PIU must notify that EU PIU as soon as possible.

(2F) Where, under this regulation, the PIU transfers to a third country competent authority EU PNR data that originated in a member State, and was provided by an air carrier, the PIU must notify the EU PIU for that member State as soon as possible.]

(3) In the case of PNR data that has been depersonalised through the masking out of data elements pursuant to regulation 13(2), the PIU must not transfer the unmasked PNR data except where—

(a)the PIU is satisfied that the disclosure is necessary for [F72a purpose described in regulation 6(3)], and

(b)the disclosure is approved by the officer referred to in regulation 13(4)(b).

(4) The PIU must inform the data protection officer each time [F73PNR information] is transferred to a [F74[F75third country] competent authority].

Period of data retention and depersonalisationU.K.

13.—[F76(1) Paragraphs (1A) and (1B) apply to PNR data transferred to the PIU—

(a)by air carriers pursuant to a requirement imposed under—

(i)paragraph 27B(2) of Schedule 2 to the Immigration Act 1971, or

(ii)section 32(2) of the Immigration, Asylum and Nationality Act 2006, or

(b)by an EU PIU.]

for a period of five years beginning with the date of the transfer.

[F77(1A) In the case of EU PNR data, the PIU must permanently delete the data before the end of the period of five years beginning with the date of the transfer, subject to regulation 13B if the data is restricted EU PNR data within the meaning of that regulation.

(1B) In any other case, the PIU must—

(a)retain the PNR data for a period of five years beginning with the date of the transfer, and

(b)permanently delete that data upon expiry of that period.

(1C) Paragraphs (1A) and (1B) do not affect the power of the PIU to retain PNR data where it is used in the context of specific cases for a purpose described in regulation 6(3).]

(2) Upon expiry of a period of six months beginning with the date of transfer of the PNR data by an air carrier [F78or an EU PIU] the PIU must depersonalise the PNR data through masking out of the following data elements—

(a)names, including the names of other passengers on the PNR and number of travellers who are travelling together on the PNR;

(b)address and contact information;

(c)all forms of payment information, including billing address;

(d)frequent flyer information;

(e)general remarks, F79...

(f)any API data.

[F80(g)Other Service Information (OSI), and

(h)System Service Information (SSI) and System Service Request information (SSR).]

(3) Paragraph (2) applies to the extent that the data elements listed in that paragraph could serve to identify directly the [F81person] to whom the PNR data relates.

[F82(3A) The PIU must ensure that unmasked PNR data is only accessible by persons specifically authorised by the PIU to access such data and must limit the number of persons authorised to the minimum number practicable.]

(4) Upon expiry of the period referred to in paragraph (2) the PIU must not disclose the unmasked PNR data except where—

(a)the PIU is satisfied that the disclosure is necessary for [F83a purpose described in regulation 6(3)], and

(b)the disclosure is approved by the most senior officer within the PIU who has been charged with verifying whether the conditions for disclosure of the full PNR are met.

(5) In circumstances where the PIU discloses the unmasked PNR data—

(a)the officer referred to in paragraph (4)(b) must inform the data protection officer, and

(b)the data protection officer must conduct a review of that disclosure.

(6) Any UK competent authority which is storing or otherwise processing PNR data must permanently delete that data [F84when that data is no longer required in the context of the specific case for which it was transferred to the UK competent authority].

F85(7) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F85(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F85(9) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F85(10) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F86Use and transfer of EU PNR data by the PIU: further provisionU.K.

13A—(1) The PIU may not use or transfer EU PNR data unless paragraph (2), (3), (4) or (5) applies.

(2) This paragraph applies where the PIU processes the EU PNR data for the purposes of security and border control checks.

(3) This paragraph applies if the designated independent authority has given consent for the use or transfer of the EU PNR data.

(4) This paragraph applies if the PIU considers that the use or transfer of the EU PNR data is necessary in an urgent case.

(5) This paragraph applies if the PIU considers that the use of the EU PNR data is necessary for the purpose of developing, or verifying the accuracy of, the pre-determined criteria referred to in regulation 6(5).

(6) Where the PIU—

(a)uses EU PNR data as mentioned in paragraph (3) or (4), or

(b)transfers EU PNR data to an EU PIU, Europol, Eurojust or a third country competent authority,

the PIU must notify the person to whom the data relates, so far as it is reasonably practicable to do so.

(7) Where the PIU transfers EU PNR data to a UK competent authority, the UK competent authority must notify the person to whom the data relates, so far as it is reasonably practicable to do so.

(8) A notification under paragraph (6) or (7) must—

(a)be in writing,

(b)be made within a reasonable period, and

(c)provide information about the procedures available for seeking redress of any grievance relating to the use or transfer.

(9) A notification need not be made under paragraph (6) or (7) during any period when the PIU or the UK competent authority (as the case may be) considers that notifying the person would, or would be likely to, prejudice any ongoing investigations.

(10) Nothing in paragraphs (2) to (5) affects the operation of regulation 6(2).]

[F87Restricted EU PNR data: further provisionU.K.

13B—(1) For the purposes of this regulation, EU PNR data is “restricted EU PNR data” if it relates to a person arriving in the United Kingdom who—

(a)is not a UK national, and

(b)resides outside the United Kingdom.

(2) For the purposes of this regulation, restricted EU PNR data relating to a person is subject to deletion if—

(a)the PIU, acting as such, knows that the person has left the United Kingdom, or

(b)the period for which the person is permitted to stay in the United Kingdom has expired.

(3) But restricted EU PNR data is not subject to deletion—

(a)if, on the basis of a risk assessment based on objectively established criteria, the PIU considers that retention of the restricted EU PNR data is necessary for the purpose described in regulation 6(3)(a), or

(b)where the restricted EU PNR data is used in the context of specific cases for a purpose described in regulation 6(3).

(4) The PIU must permanently delete restricted EU PNR data that is subject to deletion as soon as possible.

(5) The PIU must ensure that the operation of paragraph (3)(a) is reviewed annually by the designated independent authority.

(6) In this regulation, “UK national” means—

(a)a British citizen,

(b)a person who is a British subject by virtue of Part 4 of the British Nationality Act 1981 and who has a right of abode in the United Kingdom, or

(c)a person who is a British overseas territories citizen by virtue of a connection to Gibraltar.]

Protection of personal dataU.K.

14.—(1) The PIU must not process PNR data revealing a person's race, ethnic origin, political opinions, philosophical beliefs, trade union membership, health, sexual life or sexual orientation.

[F88(1A) The PIU must permanently delete any PNR data referred to in paragraph (1).]

(2) The PIU must maintain documentation relating to all processing systems and procedures under its responsibility.

(3) The documentation referred to in paragraph (2) must contain at least—

(a)the name and contact details of the personnel within the PIU entrusted with the processing of the PNR data;

(b)the respective levels of authorisation of those personnel to access PNR data;

(c)details of requests made by [F89EU PIUs, Europol or Eurojust] F90..., and

(d)details of all requests for transfers of PNR data to a third country.

(4) The PIU must make the documentation referred to in paragraph (2) available to the Commissioner on request.

(5) The PIU must keep records of all processing operations for a period of five years.

Supervisory authorityU.K.

F9115.  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Application of other data protection enactmentsU.K.

16.—(1) Nothing in this Part has the effect of disapplying the provisions of an enactment described in paragraph (2) to the processing of PNR data by a UK competent authority.

(2) The enactments referred to in paragraph (1) are any enactments governing the processing of personal data by a UK competent authority for the purposes of [F92—

(a)] the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security[F93, or

(b)the protection of the public against threats to public health.]

PART 4 U.K.Passenger and Service Information

Amendments to the Immigration and Police (Passenger, Crew and Service Information) Order 2008U.K.

17.  Regulations 18 to 20 amend the 2008 Order.

Substitution of article 7 (form and manner in which passenger and service information to be provided: police)U.K.

18.  For article 7 substitute—

“Form and manner in which passenger and service information to be provided: police

7.—(1) Paragraph (2) applies where the owner or agent of an aircraft is subject to a requirement under section 32(2) of the 2006 Act to provide any passenger or service information specified by article 6(4).

(2) The owner or agent of the aircraft must provide that information electronically using a secure method which conforms to the data formats and transmission protocols provided for in Article 1 of the Implementing Decision.

(3) In the circumstances described in paragraph (4), the owner or agent of an aircraft may provide the information in an alternative form and manner.

(4) The circumstances are that—

(a)there has been a technical failure meaning that it is not possible for the owner or agent to provide the required information in accordance with paragraph (2);

(b)the alternative form and manner provides an equivalent level of security in relation to the protection of personal data as the method referred to in paragraph (2), and

(c)the intended recipient has consented to the provision of the information in the alternative form and manner.

(5) Where a person other than the owner or agent of an aircraft is subject to a requirement to provide passenger or service information imposed under section 32(2) of the 2006 Act, the person must provide the required information in an electronic form that is compatible with the technology used by the recipient of the information.

(6) Where there has been a technical failure meaning that it is not possible for a person to provide the required information in accordance with paragraph (5), the person may provide the required information in an alternative form and manner with the prior agreement of the recipient of the information.

(7) In this article “the Implementing Decision” means Commission Implementing Decision (EU) 2017/759 of 28 April 2017 on the common protocols and data formats to be used by air carriers when transferring PNR data to Passenger Information Units M8.”.

Amendments to Schedule 2 (information specified to extent known by carrier: immigration)U.K.

19.  In Schedule 2, in paragraph 1—

(a)omit sub-paragraph (b);

(b)in sub-paragraph (e), for “sex” substitute “ gender ”;

(c)for sub-paragraph (f) substitute—

“(f)any contact information, including telephone number and email address;”;

(d)omit sub-paragraph (g);

(e)omit sub-paragraph (mm);

(f)in sub-paragraph (pp), at the end, omit “and”;

(g)in sub-paragraph (qq), at the end, add “ , and ”;

(h)after sub-paragraph (qq) add—

“(rr)any other such information as is collected as part of a Passenger Name Record and is set out in paragraph 2 or 3 of Schedule 1.”.

Substitution of Schedule 4 (information specified to extent known by carrier: police)U.K.

20.  For Schedule 4 substitute—

Article 6(4)

“SCHEDULE 4U.K.Information specified to extent known by carrier: police

1.  The passenger and service information is the following in respect of a passenger or, in so far as it applies (whether expressly or otherwise), in respect of a member of the crew—

(a)name as it appears on the reservation;

(b)issue date of travel document;

(c)address;

(d)gender;

(e)any contact information, including telephone number and email address;

(f)travel status of passenger, which indicates whether reservation is confirmed or provisional and whether the passenger has checked in;

(g)the number of pieces and description of any baggage carried;

(h)any documentation provided to the passenger in respect of the passenger's baggage;

(i)date of intended travel;

(j)ticket number;

(k)date and place of ticket issue;

(l)seat number allocated;

(m)seat number requested;

(n)check-in time, regardless of method;

(o)date on which reservation was made;

(p)identity of any person who made the reservation;

(q)any travel agent used;

(r)any other name that appears on the passenger's reservation;

(s)number of passengers on the same reservation;

(t)complete travel itinerary for passengers on the same reservation;

(u)the fact that a reservation in respect of more than one passenger has been divided due to a change in itinerary for one or more, but not all, of the passengers;

(v)Code Share Details M9;

(w)method of payment used to purchase ticket or make a reservation;

(x)details of the method of payment used, including the number of any credit, debit or other card used;

(y)billing address;

(z)booking reference number, Passenger Name Record locator and other data locator used by the carrier to locate the passenger within its information system;

(aa)the class of transport reserved;

(bb)the fact that the reservation is in respect of a one-way journey;

(cc)all historical changes to the reservation;

(dd)General Remarks;

(ee)Other Service Information (OSI);

(ff)System Service Information (SSI) and System Service Request Information (SSR);

(gg)identity of the individual who checked the passenger in for the voyage or flight or international service;

(hh)Outbound Indicator, which identifies where a passenger is to travel on to from the United Kingdom;

(ii)Inbound Connection Indicator, which identifies where a passenger started his journey before he travels onto the United Kingdom;

(jj)the fact that the passenger is travelling as part of a group;

(kk)card number and type of any frequent flyer or similar scheme used;

(ll)Automated Ticket Fare Quote (ATFQ), which indicates the fare quoted and charged;

(mm)the fact that the passenger is under the age of eighteen and unaccompanied;

(nn)where the passenger is a person under the age of eighteen and unaccompanied—

(i)age;

(ii)languages spoken;

(iii)any special instructions provided;

(iv)the name of any departure agent who will receive instructions regarding the care of the passenger;

(v)the name of any transit agent who will receive instructions regarding the care of the passenger;

(vi)the name of any arrival agent who will receive instructions regarding the care of the passenger;

(vii)the following details in respect of the guardian on departure—

(aa)name;

(bb)address;

(cc)any contact telephone number;

(dd)relationship to passenger;

(viii)the following details in respect of the guardian on arrival—

(aa)name;

(bb)address;

(cc)any contact telephone number;

(dd)relationship to passenger, and

(oo)any other such information as is collected as part of a Passenger Name Record and is set out in paragraph 2 or 3 of Schedule 3.”.

Explanatory Note

(This note is not part of the Regulations)