
The Passenger Name Record Data and Miscellaneous Amendments Regulations 2018

Status:

This is the original version (as it was originally made).

PART 3 Processing of PNR data and protection of personal data

Scope

5.  This Part applies in respect of the processing of PNR data provided by an air carrier on or after the coming into force of these Regulations and pursuant to a requirement under either of the following provisions—

(a) paragraph 27B(2) of Schedule 2 to the Immigration Act 1971;

(b) section 32(2) of the Immigration, Asylum and Nationality Act 2006.

Processing of PNR data by the PIU

6.—(1) Where the information provided by an air carrier pursuant to a requirement under either of the provisions set out in regulation 5 includes personal data other than PNR data, the PIU must delete the additional data immediately upon receipt.

(2) The PIU must not process PNR data except for one of the purposes described in paragraph (3).

(3) The purposes are—

(a) carrying out an assessment of passengers prior to their scheduled arrival in, or departure from, the UK to identify persons who require further examination by—

(i) a UK competent authority, or

(ii) Europol

in view of the fact that such persons may be involved in a terrorist offence or serious crime;

(b) responding, on a case by case basis, to a duly reasoned request from a UK competent authority to provide and process PNR in specific cases for the purposes of preventing, detecting, investigating and prosecuting terrorist offences or serious crime and to provide the relevant authority or, where appropriate, Europol with the results of such processing;

(c) analysing PNR data for the purpose of updating or creating new criteria to be used when carrying out the assessment referred to in sub-paragraph (a).

(4) When carrying out an assessment referred to in paragraph (3)(a), the PIU may—

(a) compare PNR data against databases relevant for the purposes of preventing, detecting, investigating and prosecuting terrorist offences and serious crime, including databases on persons or objects sought or under alert;

(b) process PNR data against pre-determined criteria.

(5) The PIU must ensure that the pre-determined criteria referred to in paragraph (4)(b) are—

(a) targeted, proportionate and specific;

(b) set and regularly reviewed in cooperation with the UK competent authorities, and

(c) not based on a person’s race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation.

(6) Paragraph (7) applies where the automated processing of PNR for the purpose described in paragraph (3)(a) results in a positive match.

(7) In order to verify whether action needs to be taken by a UK competent authority, the PIU must subject the positive match to individual review by non-automated means.

(8) Where the PIU determines that a passenger should be subject to further examination by a UK competent authority, the PIU must transfer the PNR data or the result of processing that data to the relevant authority.

(9) The PIU must not transfer PNR data or the result of processing that data to a UK competent authority otherwise than on a case by case basis and, in the case of automated processing of PNR, following individual review by non-automated means.

(10) The processing and analysis of PNR data by the PIU must be carried out exclusively within a secure location within the territory of the United Kingdom.

Processing of PNR data by a UK competent authority

7.—(1) A UK competent authority must not—

(a) process PNR data or the result of processing that data for purposes other than the prevention, detection, investigation or prosecution of terrorist offences or serious crime, or

(b) take any decision which produces an adverse legal effect on a person or otherwise significantly affects a person—

(i) only by reason of the automated processing of PNR data, or

(ii) on the basis of any of the matters described in regulation 6(5)(c) in relation to that person.

(2) Paragraph (1)(a) is without prejudice to the ability of a UK competent authority to exercise its functions in circumstances where other offences, or indications of such offences, are detected during the course of any enforcement action taken further to the processing of PNR data.

Exchange of PNR data between Member States

8.—(1) Paragraph (2) applies where—

(a) following the assessment referred to in regulation 6(3)(a), a person is identified by the PIU as requiring further examination, and

(b) the PIU considers it necessary for the prevention, detection, investigation or prosecution of terrorist offences or serious crime for a non-UK PIU to be notified of that fact.

(2) The PIU must transmit to the non-UK PIU such PNR data relating to the person identified as is relevant or the result of processing that PNR data.

(3) Paragraph (4) applies where the PIU receives PNR data or the result of processing PNR data from a non-UK PIU otherwise than following a request.

(4) The PIU must transfer the information received to any such other UK competent authority as may be appropriate in the circumstances for the purposes of taking action in relation to the information received.

Requests for PNR data made to the PIU by a non-UK PIU

9.—(1) Paragraph (2) applies where the PIU receives a request from a non-UK PIU for—

(a) PNR data which has not yet been depersonalised through the masking out of data elements pursuant to regulation 13(2), or

(b) the result of processing that data.

(2) If the PIU is satisfied that the request is duly reasoned, the PIU must provide the requested data as soon as is practicable.

(3) Paragraph (4) applies where the PIU receives a request from a non-UK PIU for PNR data which has been depersonalised through the masking out of data elements pursuant to regulation 13(2).

(4) The PIU must not provide the unmasked PNR data unless the following conditions apply—

(a) it is reasonably believed that the disclosure of the PNR is necessary for the purpose referred to in regulation 6(3)(b), and

(b) the disclosure is approved by the officer referred to in regulation 13(4)(b).

Requests for PNR data made by the PIU to a non-UK PIU

10.  Any request made by the PIU to a non-UK PIU for PNR data or the result of processing that data must be—

(a) made solely for the purposes of the prevention, detection, investigation or prosecution of terrorist offences or serious crime;

(b) made in respect of a specific case, and

(c) duly reasoned.

Requests for PNR data made by a UK competent authority to another Member State

11.—(1) A UK competent authority must channel its requests for PNR data processed by a non-UK PIU through the UK’s PIU.

(2) Where necessary in the case of an emergency and provided the conditions laid down in paragraph (3) are satisfied, a UK competent authority may make a request for PNR data directly to a non-UK PIU.

(3) The conditions are that—

(a) the request is made in accordance with the requirements of regulation 10, and

(b) a copy of the request is sent to the UK’s PIU.

Transfers of PNR to third countries

12.—(1) The PIU must not transfer PNR data or the result of processing that data to a third country except where the conditions set out in paragraph (2) are met.

(2) The conditions are that—

(a) the request from the third country is duly reasoned;

(b) the PIU is satisfied that the transfer is necessary for the prevention, investigation, detection or prosecution of terrorist offences and serious crime, and

(c) the third country agrees to transfer the data to another third country only where it is strictly necessary for the purposes described in sub-paragraph (b).

(3) In the case of PNR data that has been depersonalised through the masking out of data elements pursuant to regulation 13(2), the PIU must not transfer the unmasked PNR data except where—

(a) the PIU is satisfied that the disclosure is necessary for the purposes of preventing, detecting, investigating or prosecuting terrorist offences or serious crime in a specific case, and

(b) the disclosure is approved by the officer referred to in regulation 13(4)(b).

(4) The PIU must inform the data protection officer each time PNR data is transferred to a third country.

Period of data retention and depersonalisation

13.—(1) The PIU must retain PNR data transferred by air carriers pursuant to a requirement imposed under—

(a) paragraph 27B(2) of Schedule 2 to the Immigration Act 1971, or

(b) section 32(2) of the Immigration, Asylum and Nationality Act 2006

for a period of five years beginning with the date of the transfer.

(2) Upon expiry of a period of six months beginning with the date of transfer of the PNR data by an air carrier the PIU must depersonalise the PNR data through masking out of the following data elements—

(a) names, including the names of other passengers on the PNR and number of travellers who are travelling together on the PNR;

(b) address and contact information;

(c) all forms of payment information, including billing address;

(d) frequent flyer information;

(e) general remarks, and

(f) any API data.

(3) Paragraph (2) applies to the extent that the data elements listed in that paragraph could serve to identify directly the passenger to whom the PNR data relates.

(4) Upon expiry of the period referred to in paragraph (2) the PIU must not disclose the unmasked PNR data except where—

(a) the PIU is satisfied that the disclosure is necessary for the purpose referred to in regulation 6(3)(b), and

(b) the disclosure is approved by the most senior officer within the PIU who has been charged with verifying whether the conditions for disclosure of the full PNR are met.

(5) In circumstances where the PIU discloses the unmasked PNR data—

(a) the officer referred to in paragraph (4)(b) must inform the data protection officer, and

(b) the data protection officer must conduct a review of that disclosure.

(6) Any UK competent authority which is storing or otherwise processing PNR data must permanently delete that data upon expiry of the period referred to in paragraph (1).

(7) The obligation in paragraph (6) is without prejudice to cases where PNR data has been transferred to a UK competent authority and is used in the context of specific cases for the purposes of preventing, detecting, investigating or prosecuting terrorist offences or serious crime.

(8) The PIU may retain the result of the processing referred to in regulation 6(3)(a) only for so long as is necessary to inform—

(a) a UK competent authority, or

(b) as the case may be, a non-UK PIU

of a positive match.

(9) Paragraph (10) applies in circumstances where, following the review referred to in regulation 6(7), the result of automated processing proves to be negative.

(10) The PIU is permitted to store that result—

(a) so as to avoid future false positive matches, and

(b) for so long as the underlying data is not deleted pursuant to paragraph (6).

Protection of personal data

14.—(1) The PIU must not process PNR data revealing a person’s race, ethnic origin, political opinions, philosophical beliefs, trade union membership, health, sexual life or sexual orientation.

(2) The PIU must maintain documentation relating to all processing systems and procedures under its responsibility.

(3) The documentation referred to in paragraph (2) must contain at least—

(a) the name and contact details of the personnel within the PIU entrusted with the processing of the PNR data;

(b) the respective levels of authorisation of those personnel to access PNR data;

(c) details of requests made by non-UK competent authorities and non-UK PIUs, and

(d) details of all requests for transfers of PNR data to a third country.

(4) The PIU must make the documentation referred to in paragraph (2) available to the Commissioner on request.

(5) The PIU must keep records of all processing operations for a period of five years.

Supervisory authority

15.  The Commissioner is to be the supervisory authority in the United Kingdom for the purposes of Article 15 of the Passenger Name Record Directive.

Application of other data protection enactments

16.—(1) Nothing in this Part has the effect of disapplying the provisions of an enactment described in paragraph (2) to the processing of PNR data by a UK competent authority.

(2) The enactments referred to in paragraph (1) are any enactments governing the processing of personal data by a UK competent authority for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
