- Latest available (Revised)
- Original (As made)
This is the original version (as it was originally made).
13.—(1) The PIU must retain PNR data transferred by air carriers pursuant to a requirement imposed under—
(a)paragraph 27B(2) of Schedule 2 to the Immigration Act 1971, or
(b)section 32(2) of the Immigration, Asylum and Nationality Act 2006
for a period of five years beginning with the date of the transfer.
(2) Upon expiry of a period of six months beginning with the date of transfer of the PNR data by an air carrier the PIU must depersonalise the PNR data through masking out of the following data elements—
(a)names, including the names of other passengers on the PNR and number of travellers who are travelling together on the PNR;
(b)address and contact information;
(c)all forms of payment information, including billing address;
(d)frequent flyer information;
(e)general remarks, and
(f)any API data.
(3) Paragraph (2) applies to the extent that the data elements listed in that paragraph could serve to identify directly the passenger to whom the PNR data relates.
(4) Upon expiry of the period referred to in paragraph (2) the PIU must not disclose the unmasked PNR data except where—
(a)the PIU is satisfied that the disclosure is necessary for the purpose referred to in regulation 6(3)(b), and
(b)the disclosure is approved by the most senior officer within the PIU who has been charged with verifying whether the conditions for disclosure of the full PNR are met.
(5) In circumstances where the PIU discloses the unmasked PNR data—
(a)the officer referred to in paragraph (4)(b) must inform the data protection officer, and
(b)the data protection officer must conduct a review of that disclosure.
(6) Any UK competent authority which is storing or otherwise processing PNR data must permanently delete that data upon expiry of the period referred to in paragraph (1).
(7) The obligation in paragraph (6) is without prejudice to cases where PNR data has been transferred to a UK competent authority and is used in the context of specific cases for the purposes of preventing, detecting, investigating or prosecuting terrorist offences or serious crime.
(8) The PIU may retain the result of the processing referred to in regulation 6(3)(a) only for so long as is necessary to inform—
(a)a UK competent authority, or
(b)as the case may be, a non-UK PIU
of a positive match.
(9) Paragraph (10) applies in circumstances where, following the review referred to in regulation 6(7), the result of automated processing proves to be negative.
(10) The PIU is permitted to store that result—
(a)so as to avoid future false positive matches, and
(b)for so long as the underlying data is not deleted pursuant to paragraph (6).
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.
Explanatory Memorandum sets out a brief statement of the purpose of a Statutory Instrument and provides information about its policy objective and policy implications. They aim to make the Statutory Instrument accessible to readers who are not legally qualified and accompany any Statutory Instrument or Draft Statutory Instrument laid before Parliament from June 2004 onwards.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
Click 'View More' or select 'More Resources' tab for additional information including: