The Passenger Name Record Data and Miscellaneous Amendments Regulations 2018

Period of data retention and depersonalisation

13.—(1) The PIU must retain PNR data transferred by air carriers pursuant to a requirement imposed under—

(a)paragraph 27B(2) of Schedule 2 to the Immigration Act 1971, or

(b)section 32(2) of the Immigration, Asylum and Nationality Act 2006

for a period of five years beginning with the date of the transfer.

(2) Upon expiry of a period of six months beginning with the date of transfer of the PNR data by an air carrier the PIU must depersonalise the PNR data through masking out of the following data elements—

(a)names, including the names of other passengers on the PNR and number of travellers who are travelling together on the PNR;

(b)address and contact information;

(c)all forms of payment information, including billing address;

(d)frequent flyer information;

(e)general remarks, and

(f)any API data.

(3) Paragraph (2) applies to the extent that the data elements listed in that paragraph could serve to identify directly the passenger to whom the PNR data relates.

(4) Upon expiry of the period referred to in paragraph (2) the PIU must not disclose the unmasked PNR data except where—

(a)the PIU is satisfied that the disclosure is necessary for the purpose referred to in regulation 6(3)(b), and

(b)the disclosure is approved by the most senior officer within the PIU who has been charged with verifying whether the conditions for disclosure of the full PNR are met.

(5) In circumstances where the PIU discloses the unmasked PNR data—

(a)the officer referred to in paragraph (4)(b) must inform the data protection officer, and

(b)the data protection officer must conduct a review of that disclosure.

(6) Any UK competent authority which is storing or otherwise processing PNR data must permanently delete that data upon expiry of the period referred to in paragraph (1).

(7) The obligation in paragraph (6) is without prejudice to cases where PNR data has been transferred to a UK competent authority and is used in the context of specific cases for the purposes of preventing, detecting, investigating or prosecuting terrorist offences or serious crime.

(8) The PIU may retain the result of the processing referred to in regulation 6(3)(a) only for so long as is necessary to inform—

(a)a UK competent authority, or

(b)as the case may be, a non-UK PIU

of a positive match.

(9) Paragraph (10) applies in circumstances where, following the review referred to in regulation 6(7), the result of automated processing proves to be negative.

(10) The PIU is permitted to store that result—

(a)so as to avoid future false positive matches, and

(b)for so long as the underlying data is not deleted pursuant to paragraph (6).