
PART 1 General

Citation and commencement

1.  These Regulations may be cited as the Passenger Name Record Data and Miscellaneous Amendments Regulations 2018 and come into force on 25th May 2018.

Interpretation

2.—(1) In these Regulations—

“the 2008 Order” means the Immigration and Police (Passenger, Crew and Service Information) Order 2008(1);

“API data” means—

(a) in the case of information provided by an air carrier pursuant to a requirement under paragraph 27B(2) of Schedule 2 to the Immigration Act 1971, the information described in paragraph (1)(rr) of Schedule 2 to the 2008 Order;

(b) in the case of information provided by an air carrier pursuant to a requirement under section 32(2) of the Immigration, Asylum and Nationality Act 2006, the information described in paragraph (1)(oo) of Schedule 4 to the 2008 Order;

“the Commissioner” means the Information Commissioner;

“the data protection officer” means the person appointed in accordance with regulation 4(1);

“data subject” means the identified or identifiable living individual to whom PNR data relates;

“European Commission” means the Commission of the European Union;

“Europol” means the European Police Office;

“non-UK competent authority” means an authority of a Member State other than the United Kingdom that is competent for the prevention, detection, investigation or prosecution of terrorist offences or serious crime and that has been notified to the European Commission in accordance with Article 7(3) of the Passenger Name Record Directive;

“non-UK PIU” means an authority of a Member State other than the United Kingdom that has been notified to the European Commission as that Member State’s passenger information unit in accordance with the requirements of Article 4(5) of the Passenger Name Record Directive;

“the Passenger Name Record Directive” means Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime(2);

“personal data” means information relating to an identified or identifiable living individual;

“the PIU” means the authority competent in the prevention, detection, investigation or prosecution of terrorist offences and of serious crime which is designated as the United Kingdom’s passenger information unit under regulation 3(1);

“PNR data” means one or more items of personal data listed in Annex I to the Passenger Name Record Directive;

“processing”, in relation to PNR data, means an operation or set of operations performed on that data including its retrieval, consultation or use;

“third country” means a country or territory other than a Member State;

“UK competent authority” means a United Kingdom authority competent for the prevention, detection, investigation or prosecution of terrorist offences or serious crime that has been notified to the European Commission in accordance with Article 7(3) of the Passenger Name Record Directive.

(2) Any other expression used in these Regulations which is also defined in the Passenger Name Record Directive has the same meaning as in that Directive.

PART 2 The Passenger Information Unit

Designation of passenger information unit

3.—(1) The Home Office is designated as the passenger information unit for the United Kingdom.

(2) The PIU is responsible for—

(a) collecting PNR data from air carriers;

(b) storing and processing PNR data;

(c) where appropriate, transferring PNR data or the result of processing that data to a UK competent authority;

(d) where appropriate, exchanging PNR data and the result of processing that data with—

(i) a non-UK PIU, in accordance with regulations 9 and 10;

(ii) Europol, on receipt of a duly reasoned request made in accordance with Article 10(2) of the Passenger Name Record Directive.

Data protection officer in the PIU

4.—(1) The PIU must appoint a data protection officer responsible for monitoring and implementing safeguards in relation to the processing of PNR data by the PIU.

(2) The PIU must provide the data protection officer with—

(a) the means to perform the duties and tasks described in paragraph (1) effectively and independently, and

(b) access to all data processed by the PIU.

(3) Where the data protection officer considers that the processing of any data by the PIU has not been in accordance with Part 3 of these Regulations, the data protection officer may refer the matter to the Commissioner.

PART 3 Processing of PNR data and protection of personal data

Scope

5.  This Part applies in respect of the processing of PNR data provided by an air carrier on or after the coming into force of these Regulations and pursuant to a requirement under either of the following provisions—

(a) paragraph 27B(2) of Schedule 2 to the Immigration Act 1971;

(b) section 32(2) of the Immigration, Asylum and Nationality Act 2006.

Processing of PNR data by the PIU

6.—(1) Where the information provided by an air carrier pursuant to a requirement under either of the provisions set out in regulation 5 includes personal data other than PNR data, the PIU must delete the additional data immediately upon receipt.

(2) The PIU must not process PNR data except for one of the purposes described in paragraph (3).

(3) The purposes are—

(a) carrying out an assessment of passengers prior to their scheduled arrival in, or departure from, the UK to identify persons who require further examination by—

(i) a UK competent authority, or

(ii) Europol

in view of the fact that such persons may be involved in a terrorist offence or serious crime;

(b) responding, on a case by case basis, to a duly reasoned request from a UK competent authority to provide and process PNR in specific cases for the purposes of preventing, detecting, investigating and prosecuting terrorist offences or serious crime and to provide the relevant authority or, where appropriate, Europol with the results of such processing;

(c) analysing PNR data for the purpose of updating or creating new criteria to be used when carrying out the assessment referred to in sub-paragraph (a).

(4) When carrying out an assessment referred to in paragraph (3)(a), the PIU may—

(a) compare PNR data against databases relevant for the purposes of preventing, detecting, investigating and prosecuting terrorist offences and serious crime, including databases on persons or objects sought or under alert;

(b) process PNR data against pre-determined criteria.

(5) The PIU must ensure that the pre-determined criteria referred to in paragraph (4)(b) are—

(a) targeted, proportionate and specific;

(b) set and regularly reviewed in cooperation with the UK competent authorities, and

(c) not based on a person’s race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation.

(6) Paragraph (7) applies where the automated processing of PNR for the purpose described in paragraph (3)(a) results in a positive match.

(7) In order to verify whether action needs to be taken by a UK competent authority, the PIU must subject the positive match to individual review by non-automated means.

(8) Where the PIU determines that a passenger should be subject to further examination by a UK competent authority, the PIU must transfer the PNR data or the result of processing that data to the relevant authority.

(9) The PIU must not transfer PNR data or the result of processing that data to a UK competent authority otherwise than on a case by case basis and, in the case of automated processing of PNR, following individual review by non-automated means.

(10) The processing and analysis of PNR data by the PIU must be carried out exclusively within a secure location within the territory of the United Kingdom.

Processing of PNR data by a UK competent authority

7.—(1) A UK competent authority must not—

(a) process PNR data or the result of processing that data for purposes other than the prevention, detection, investigation or prosecution of terrorist offences or serious crime, or

(b) take any decision which produces an adverse legal effect on a person or otherwise significantly affects a person—

(i) only by reason of the automated processing of PNR data, or

(ii) on the basis of any of the matters described in regulation 6(5)(c) in relation to that person.

(2) Paragraph (1)(a) is without prejudice to the ability of a UK competent authority to exercise its functions in circumstances where other offences, or indications of such offences, are detected during the course of any enforcement action taken further to the processing of PNR data.

Exchange of PNR data between Member States

8.—(1) Paragraph (2) applies where—

(a) following the assessment referred to in regulation 6(3)(a), a person is identified by the PIU as requiring further examination, and

(b) the PIU considers it necessary for the prevention, detection, investigation or prosecution of terrorist offences or serious crime for a non-UK PIU to be notified of that fact.

(2) The PIU must transmit to the non-UK PIU such PNR data relating to the person identified as is relevant or the result of processing that PNR data.

(3) Paragraph (4) applies where the PIU receives PNR data or the result of processing PNR data from a non-UK PIU otherwise than following a request.

(4) The PIU must transfer the information received to any such other UK competent authority as may be appropriate in the circumstances for the purposes of taking action in relation to the information received.

Requests for PNR data made to the PIU by a non-UK PIU

9.—(1) Paragraph (2) applies where the PIU receives a request from a non-UK PIU for—

(a) PNR data which has not yet been depersonalised through the masking out of data elements pursuant to regulation 13(2), or

(b) the result of processing that data.

(2) If the PIU is satisfied that the request is duly reasoned, the PIU must provide the requested data as soon as is practicable.

(3) Paragraph (4) applies where the PIU receives a request from a non-UK PIU for PNR data which has been depersonalised through the masking out of data elements pursuant to regulation 13(2).

(4) The PIU must not provide the unmasked PNR data unless the following conditions apply—

(a) it is reasonably believed that the disclosure of the PNR is necessary for the purpose referred to in regulation 6(3)(b), and

(b) the disclosure is approved by the officer referred to in regulation 13(4)(b).

Requests for PNR data made by the PIU to a non-UK PIU

10.  Any request made by the PIU to a non-UK PIU for PNR data or the result of processing that data must be—

(a) made solely for the purposes of the prevention, detection, investigation or prosecution of terrorist offences or serious crime;

(b) made in respect of a specific case, and

(c) duly reasoned.

Requests for PNR data made by a UK competent authority to another Member State

11.—(1) A UK competent authority must channel its requests for PNR data processed by a non-UK PIU through the UK’s PIU.

(2) Where necessary in the case of an emergency and provided the conditions laid down in paragraph (3) are satisfied, a UK competent authority may make a request for PNR data directly to a non-UK PIU.

(3) The conditions are that—

(a) the request is made in accordance with the requirements of regulation 10, and

(b) a copy of the request is sent to the UK’s PIU.

Transfers of PNR to third countries

12.—(1) The PIU must not transfer PNR data or the result of processing that data to a third country except where the conditions set out in paragraph (2) are met.

(2) The conditions are that—

(a) the request from the third country is duly reasoned;

(b) the PIU is satisfied that the transfer is necessary for the prevention, investigation, detection or prosecution of terrorist offences and serious crime, and

(c) the third country agrees to transfer the data to another third country only where it is strictly necessary for the purposes described in sub-paragraph (b).

(3) In the case of PNR data that has been depersonalised through the masking out of data elements pursuant to regulation 13(2), the PIU must not transfer the unmasked PNR data except where—

(a) the PIU is satisfied that the disclosure is necessary for the purposes of preventing, detecting, investigating or prosecuting terrorist offences or serious crime in a specific case, and

(b) the disclosure is approved by the officer referred to in regulation 13(4)(b).

(4) The PIU must inform the data protection officer each time PNR data is transferred to a third country.

Period of data retention and depersonalisation

13.—(1) The PIU must retain PNR data transferred by air carriers pursuant to a requirement imposed under—

(a) paragraph 27B(2) of Schedule 2 to the Immigration Act 1971, or

(b) section 32(2) of the Immigration, Asylum and Nationality Act 2006

for a period of five years beginning with the date of the transfer.

(2) Upon expiry of a period of six months beginning with the date of transfer of the PNR data by an air carrier the PIU must depersonalise the PNR data through masking out of the following data elements—

(a) names, including the names of other passengers on the PNR and number of travellers who are travelling together on the PNR;

(b) address and contact information;

(c) all forms of payment information, including billing address;

(d) frequent flyer information;

(e) general remarks, and

(f) any API data.

(3) Paragraph (2) applies to the extent that the data elements listed in that paragraph could serve to identify directly the passenger to whom the PNR data relates.

(4) Upon expiry of the period referred to in paragraph (2) the PIU must not disclose the unmasked PNR data except where—

(a) the PIU is satisfied that the disclosure is necessary for the purpose referred to in regulation 6(3)(b), and

(b) the disclosure is approved by the most senior officer within the PIU who has been charged with verifying whether the conditions for disclosure of the full PNR are met.

(5) In circumstances where the PIU discloses the unmasked PNR data—

(a) the officer referred to in paragraph (4)(b) must inform the data protection officer, and

(b) the data protection officer must conduct a review of that disclosure.

(6) Any UK competent authority which is storing or otherwise processing PNR data must permanently delete that data upon expiry of the period referred to in paragraph (1).

(7) The obligation in paragraph (6) is without prejudice to cases where PNR data has been transferred to a UK competent authority and is used in the context of specific cases for the purposes of preventing, detecting, investigating or prosecuting terrorist offences or serious crime.

(8) The PIU may retain the result of the processing referred to in regulation 6(3)(a) only for so long as is necessary to inform—

(a) a UK competent authority, or

(b) as the case may be, a non-UK PIU

of a positive match.

(9) Paragraph (10) applies in circumstances where, following the review referred to in regulation 6(7), the result of automated processing proves to be negative.

(10) The PIU is permitted to store that result—

(a) so as to avoid future false positive matches, and

(b) for so long as the underlying data is not deleted pursuant to paragraph (6).

Protection of personal data

14.—(1) The PIU must not process PNR data revealing a person’s race, ethnic origin, political opinions, philosophical beliefs, trade union membership, health, sexual life or sexual orientation.

(2) The PIU must maintain documentation relating to all processing systems and procedures under its responsibility.

(3) The documentation referred to in paragraph (2) must contain at least—

(a) the name and contact details of the personnel within the PIU entrusted with the processing of the PNR data;

(b) the respective levels of authorisation of those personnel to access PNR data;

(c) details of requests made by non-UK competent authorities and non-UK PIUs, and

(d) details of all requests for transfers of PNR data to a third country.

(4) The PIU must make the documentation referred to in paragraph (2) available to the Commissioner on request.

(5) The PIU must keep records of all processing operations for a period of five years.

Supervisory authority

15.  The Commissioner is to be the supervisory authority in the United Kingdom for the purposes of Article 15 of the Passenger Name Record Directive.

Application of other data protection enactments

16.—(1) Nothing in this Part has the effect of disapplying the provisions of an enactment described in paragraph (2) to the processing of PNR data by a UK competent authority.

(2) The enactments referred to in paragraph (1) are any enactments governing the processing of personal data by a UK competent authority for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

PART 4 Passenger and Service Information

Amendments to the Immigration and Police (Passenger, Crew and Service Information) Order 2008

17.  Regulations 18 to 20 amend the 2008 Order.

Substitution of article 7 (form and manner in which passenger and service information to be provided: police)

18.  For article 7 substitute—

“Form and manner in which passenger and service information to be provided: police

7.—(1) Paragraph (2) applies where the owner or agent of an aircraft is subject to a requirement under section 32(2) of the 2006 Act to provide any passenger or service information specified by article 6(4).

(2) The owner or agent of the aircraft must provide that information electronically using a secure method which conforms to the data formats and transmission protocols provided for in Article 1 of the Implementing Decision.

(3) In the circumstances described in paragraph (4), the owner or agent of an aircraft may provide the information in an alternative form and manner.

(4) The circumstances are that—

(a) there has been a technical failure meaning that it is not possible for the owner or agent to provide the required information in accordance with paragraph (2);

(b) the alternative form and manner provides an equivalent level of security in relation to the protection of personal data as the method referred to in paragraph (2), and

(c) the intended recipient has consented to the provision of the information in the alternative form and manner.

(5) Where a person other than the owner or agent of an aircraft is subject to a requirement to provide passenger or service information imposed under section 32(2) of the 2006 Act, the person must provide the required information in an electronic form that is compatible with the technology used by the recipient of the information.

(6) Where there has been a technical failure meaning that it is not possible for a person to provide the required information in accordance with paragraph (5), the person may provide the required information in an alternative form and manner with the prior agreement of the recipient of the information.

(7) In this article “the Implementing Decision” means Commission Implementing Decision (EU) 2017/759 of 28 April 2017 on the common protocols and data formats to be used by air carriers when transferring PNR data to Passenger Information Units(3).”.

Amendments to Schedule 2 (information specified to extent known by carrier: immigration)

19.  In Schedule 2, in paragraph 1—

(a) omit sub-paragraph (b);

(b) in sub-paragraph (e), for “sex” substitute “gender”;

(c) for sub-paragraph (f) substitute—

“(f) any contact information, including telephone number and email address;”;

(d) omit sub-paragraph (g);

(e) omit sub-paragraph (mm);

(f) in sub-paragraph (pp), at the end, omit “and”;

(g) in sub-paragraph (qq), at the end, add “, and”;

(h) after sub-paragraph (qq) add—

“(rr) any other such information as is collected as part of a Passenger Name Record and is set out in paragraph 2 or 3 of Schedule 1.”.

Substitution of Schedule 4 (information specified to extent known by carrier: police)

20.  For Schedule 4 substitute—

“Article 6(4)

SCHEDULE 4 Information specified to extent known by carrier: police

1.  The passenger and service information is the following in respect of a passenger or, in so far as it applies (whether expressly or otherwise), in respect of a member of the crew—

(a) name as it appears on the reservation;

(b) issue date of travel document;

(c) address;

(d) gender;

(e) any contact information, including telephone number and email address;

(f) travel status of passenger, which indicates whether reservation is confirmed or provisional and whether the passenger has checked in;

(g) the number of pieces and description of any baggage carried;

(h) any documentation provided to the passenger in respect of the passenger’s baggage;

(i) date of intended travel;

(j) ticket number;

(k) date and place of ticket issue;

(l) seat number allocated;

(m) seat number requested;

(n) check-in time, regardless of method;

(o) date on which reservation was made;

(p) identity of any person who made the reservation;

(q) any travel agent used;

(r) any other name that appears on the passenger’s reservation;

(s) number of passengers on the same reservation;

(t) complete travel itinerary for passengers on the same reservation;

(u) the fact that a reservation in respect of more than one passenger has been divided due to a change in itinerary for one or more, but not all, of the passengers;

(v) Code Share Details(4);

(w) method of payment used to purchase ticket or make a reservation;

(x) details of the method of payment used, including the number of any credit, debit or other card used;

(y) billing address;

(z) booking reference number, Passenger Name Record locator and other data locator used by the carrier to locate the passenger within its information system;

(aa) the class of transport reserved;

(bb) the fact that the reservation is in respect of a one-way journey;

(cc) all historical changes to the reservation;

(dd) General Remarks;

(ee) Other Service Information (OSI);

(ff) System Service Information (SSI) and System Service Request Information (SSR);

(gg) identity of the individual who checked the passenger in for the voyage or flight or international service;

(hh) Outbound Indicator, which identifies where a passenger is to travel on to from the United Kingdom;

(ii) Inbound Connection Indicator, which identifies where a passenger started his journey before he travels onto the United Kingdom;

(jj) the fact that the passenger is travelling as part of a group;

(kk) card number and type of any frequent flyer or similar scheme used;

(ll) Automated Ticket Fare Quote (ATFQ), which indicates the fare quoted and charged;

(mm) the fact that the passenger is under the age of eighteen and unaccompanied;

(nn) where the passenger is a person under the age of eighteen and unaccompanied—

(i) age;

(ii) languages spoken;

(iii) any special instructions provided;

(iv) the name of any departure agent who will receive instructions regarding the care of the passenger;

(v) the name of any transit agent who will receive instructions regarding the care of the passenger;

(vi) the name of any arrival agent who will receive instructions regarding the care of the passenger;

(vii) the following details in respect of the guardian on departure—

(aa) name;

(bb) address;

(cc) any contact telephone number;

(dd) relationship to passenger;

(viii) the following details in respect of the guardian on arrival—

(aa) name;

(bb) address;

(cc) any contact telephone number;

(dd) relationship to passenger, and

(oo) any other such information as is collected as part of a Passenger Name Record and is set out in paragraph 2 or 3 of Schedule 3.”.

Caroline Nokes

Minister of State

Home Office

16th May 2018