Compliance with international PNR data standards
Updated 12 September 2024
Passenger Name Record (PNR) data is information collected by airlines and other passenger service operators as part of their normal course of business and includes information required to complete and process a booking.
The International Civil Aviation Organization (ICAO) has developed Standards and Recommended Practices (SARPs) for the collection, use, processing and protection of PNR data. These SARPs are published in Chapter 9 of Annex 9 to the Convention on International Civil Aviation.
The numbered paragraphs below are taken from Chapter 9 of Annex 9. Each Standard and Recommended Practice is accompanied by a statement of how the UK meets it by reference to legislation, guidance, and practices:
9.1 Contracting States requiring the exchange of Advance Passenger Information (API)/interactive API (iAPI) and/or Passenger Name Record (PNR) data from aircraft operators shall create a Passenger Data Single Window facility for each data category, or both data categories combined, that allows parties involved to lodge standardized information with a common data transmission entry point to fulfil all related passenger and crew data requirements for that jurisdiction.
The United Kingdom respects the principle of the Passenger Data Single Window. The API and PNR data transferred to the UK systems operated by the Home Office is made available to all UK competent authorities. No aircraft operator is required by law to provide the same information to multiple authorities.
9.1.1 Recommended Practice: Contracting States requiring the exchange of passenger and crew data from aircraft operators should consider creating a Passenger Data Single Window facility for both data categories combined.
The United Kingdom has a Passenger Data Single Window for passenger and crew data (API).
9.2 Recommended Practice: Contracting States and aircraft operators should provide the appropriate level, on a 24/7 (continuous) basis, of operational and technical support to analyse and respond to any system outage or failure in order to return to standard operations as soon as practicable.
The United Kingdom Passenger Information Unit (the National Border Targeting Centre) operates a Carrier Support Desk, 24 hours a day and 365 days a year, to respond to carriers’ requests for operational or technical support. The Carrier Support Desk maintains points of contact with each operator for operational and technical issues.
9.3 Recommended Practice: Contracting States and aircraft operators should establish and implement appropriate notification and recovery procedures for both scheduled maintenance of information systems and non-scheduled system outages or failures.
The United Kingdom has established and implemented appropriate notification, contingency and recovery processes in the event of scheduled maintenance and non-scheduled system outages of the UK’s passenger data processing systems.
9.4 Recommended Practice: Contracting States and aircraft operators should provide the appropriate level (where practicable, a 24/7 arrangement) of contact support.
See 9.2.
9.5 Contracting States shall not require aircraft operators to provide non-standard data elements as part of API, iAPI and/or PNR provisions.
The United Kingdom does not require non-standard data elements.
9.6 Contracting States shall, when considering requiring elements that deviate from the standard, submit a request to the WCO/IATA/ICAO Contact Committee in conjunction with the WCO’s Data Maintenance Request (DMR) process via a review and endorsement process for inclusion of the data element in the guidelines.
Should the United Kingdom have a need to require a non-standard data element it would not do so without also submitting a DMR to the WCO/IATA/ICAO Contact Committee.
9.24 Each Contracting State shall:
(a) develop a capability to collect, use, process and protect Passenger Name Record (PNR) data for flights to and from its territory supported by appropriate legal and administrative framework (such as, inter alia, legislation, regulation or decree), and be consistent with all Standards contained in Section D, Chapter 9, Annex 9;
The UK acquires and processes PNR data in accordance with appropriate national legislation, including:
- Schedule 2 to the Immigration Act 1971
- the Immigration and Police (Passenger, Crew and Service Information) Order 2008 (‘the 2008 Order’)
- the Passenger Name Record Data and Miscellaneous Amendments Regulations 2018 (‘the 2018 Regulations’)
- the Data Protection Act 2018 (‘the 2018 Act’)
- the Immigration (Form and Manner of Passenger Information) Direction 2023 (‘the 2023 Direction’).
(b) align its PNR data requirements and its handling of such data with the guidelines contained in ICAO Doc 9944, Guidelines on Passenger Name Record (PNR) Data, and in PNRGOV message implementation guidance materials published and updated by the WCO and endorsed by ICAO and IATA; and
The UK’s PNR data requirements and handling of PNR data align with ICAO Doc 9944 and with the PNRGOV message implementation guidance materials, as set out in this compliance statement outlining how the UK complies with the ICAO standards.
(c) adopt and implement the PNRGOV message for airline-to-government PNR data transferal to ensure global interoperability.
The 2023 Direction specifies that airlines must provide PNR data using the PNRGOV EDIFACT PNRGOV message type (version 11.1 or later).
The UK’s Generic Carrier Interface Control Document (‘the Generic ICD’) outlines that:
The UK will notify Carriers that are required to provide passenger name record (PNR) information, as held in the Carrier’s reservation system GDS, including the [Service Information] data, using PNRGOV format. PNRGOV data relates to passenger reservation data only. Each passenger’s reservation information must be provided to the full extent to which it is known to the Carrier. This PNR data must be pushed (transmitted) in relation to the Carrier’s scheduled departure time and at the times as specified in the relevant UK legislation. The following section covers information exchange for those aviation Carriers that have been required to provide PNRGOV data to the UK. PNRGOV data submissions are required from Carriers for all international journeys outbound from and inbound to the UK as outlined in the relevant written requirement. The UK system supports Acknowledgement Response (ACKRES format) messages, confirming the successful receipt of a PNRGOV push.
9.25 Contracting States shall, with full respect for human rights and fundamental freedoms:
(a) clearly identify in their legal and administrative framework the PNR data to be used in their operations;
PNR data is specified in Schedule 4 to the 2008 Order. In the 2018 Regulations PNR data means one or more items of personal data listed in Schedule 4 to the 2008 Order.
Paragraph 1 of Schedule 4 to the 2008 Order reads:
The passenger and service information is the following in respect of a passenger or, in so far as it applies (whether expressly or otherwise), in respect of a member of the crew
(a) name as it appears on the reservation;
(b) issue date of travel document;
(c) address;
(d) gender;
(e) any contact information, including telephone number and email address;
(f) travel status of passenger, which indicates whether reservation is confirmed or provisional and whether the passenger has checked in;
(g) the number of pieces and description of any baggage carried;
(h) any documentation provided to the passenger in respect of the passenger’s baggage;
(i) date of intended travel;
(j) ticket number;
(k) date and place of ticket issue;
(l) seat number allocated;
(m) seat number requested;
(n) check-in time, regardless of method;
(o) date on which reservation was made;
(p) identity of any person who made the reservation;
(q) any travel agent used;
(r) any other name that appears on the passenger’s reservation;
(s) number of passengers on the same reservation;
(t) complete travel itinerary for passengers on the same reservation;
(u) the fact that a reservation in respect of more than one passenger has been divided due to a change in itinerary for one or more, but not all, of the passengers;
(v) Code Share Details;
(w) method of payment used to purchase ticket or make a reservation;
(x) details of the method of payment used, including the number of any credit, debit or other card used;
(y) billing address;
(z) booking reference number, Passenger Name Record locator and other data locator used by the carrier to locate the passenger within its information system;
(aa) the class of transport reserved;
(bb) the fact that the reservation is in respect of a one-way journey;
(cc) all historical changes to the reservation;
(dd) General Remarks;
(ee) Other Service Information (OSI);
(ff) System Service Information (SSI) and System Service Request Information (SSR);
(gg) identity of the individual who checked the passenger in for the voyage or flight or international service;
(hh) Outbound Indicator, which identifies where a passenger is to travel on to from the United Kingdom;
(ii) Inbound Connection Indicator, which identifies where a passenger started his journey before he travels onto the United Kingdom;
(jj) the fact that the passenger is travelling as part of a group;
(kk) card number and type of any frequent flyer or similar scheme used;
(ll) Automated Ticket Fare Quote (ATFQ), which indicates the fare quoted and charged;
(mm) the fact that the passenger is under the age of eighteen and unaccompanied;
(nn) where the passenger is a person under the age of eighteen and unaccompanied—
(i) age;
(ii) languages spoken;
(iii) any special instructions provided;
(iv) the name of any departure agent who will receive instructions regarding the care of the passenger;
(v) the name of any transit agent who will receive instructions regarding the care of the passenger;
(vi) the name of any arrival agent who will receive instructions regarding the care of the passenger;
(vii) the following details in respect of the guardian on departure—
(aa) name;
(bb) address;
(cc) any contact telephone number;
(dd) relationship to passenger;
(viii) the following details in respect of the guardian on arrival—
(aa) name;
(bb) address;
(cc) any contact telephone number;
(dd) relationship to passenger;
(oo) any other such information as is collected as part of a Passenger Name Record and is set out in paragraph 2 or 3 of Schedule 1.
(pp) any other information as is collected in respect of any travel document held by the passenger in addition to the one to which paragraph 2(a) of Schedule 1 refers; and
(qq) any other biographic information as is collected in machine readable form from the passenger’s travel document or documents.
Paragraph 2 of Schedule 1 to the 2008 Order reads:
Information which relates to passengers
2. The information is—
(a) the following information as provided on the passenger’s travel document—
(i) full name;
(ii) gender;
(iii) date of birth;
(iv) nationality;
(v) type of travel document held;
(vi) number of travel document held;
(vii) expiry date of travel document held; and
(viii) issuing State of travel document held;
(b) where a travel document is not held, the following information—
(i) full name;
(ii) gender;
(iii) date of birth;
(iv) nationality;
(v) type of identification relied upon;
(vi) number of identification relied upon;
(vii) expiry date of identification relied upon; and
(viii) issuing State of identification relied upon;
Paragraph 3 of Schedule 1 to the 2008 Order reads:
Information which relates to a voyage or flight or international service
3. The information is—
(a) flight number, ship name, train service number or carrier running number;
(b) name of carrier;
(c) nationality of ship;
(d) scheduled departure date;
(e) scheduled departure time;
(f) scheduled arrival date;
(g) scheduled arrival time;
(ga) actual departure date, where different from the scheduled departure date;
(gb) actual departure time, where different from the scheduled departure time;
(gc) notice of any cancellation of the flight, voyage or international service;
(h) place and country from which the voyage or flight or international service departed immediately prior to arrival into the United Kingdom;
(i) place in the United Kingdom into which the voyage or flight or international service first arrives from overseas;
(j) any place in the United Kingdom to which a voyage or flight or international service which has arrived into the United Kingdom from overseas will subsequently go; and
(k) number of passengers.
(b) clearly set the purposes for which PNR data may be used by the authorities which should be no wider than what is necessary in view of the aims to be achieved, in particular for border security purposes to fight terrorism and serious crime; and
The 2018 Regulations provide that PNR data must not be processed except for the purposes of preventing, detecting, investigating and prosecuting terrorist offences or serious crime and protecting the vital interests of persons (which includes protecting persons who are, or may be, at risk of death or serious injury, or from significant threats to public health) (Regulation 6).
(c) limit the disclosure of PNR data to other authorities in the same State or in other Contracting States that exercise functions related to the purpose for which PNR data are processed, including in particular border security purposes, and ensure comparable protections as those afforded by the disclosing authority.
The 2018 Regulations place conditions on the disclosure of PNR data, the results of processing PNR data or analytical information containing PNR data, which may be disclosed only to:
- UK authorities competent for the purposes of the prevention, detection, investigation and prosecution of terrorist offences or serious crime or protecting the vital interests of persons (Regulation 7);
- the Passenger Information Unit (PIU) of an EU Member State where necessary for the purposes of preventing, detecting, investigating or prosecuting terrorist offences or serious crime (Regulation 11A);
- Europol and Eurojust where necessary for the purposes of preventing, detecting, investigating or prosecuting terrorist offences or serious crime (Regulation 11B), and
- authorities in third countries competent for the prevention, detection, investigation and prosecution of terrorist offences and serious crime or protecting the vital interests of persons (Regulation 12).
9.26 Contracting States shall:
(a) prevent unauthorised access, disclosure and use of PNR data and their legal and administrative framework shall provide penalties for misuse, unauthorised access, and unauthorised disclosure;
prevent unauthorised access, disclosure and use of PNR data
The sixth data protection principle, section 40 of the 2018 Act, sets out:
that personal data processed for any of the law enforcement purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).
their legal and administrative framework shall provide for penalties for misuse, unauthorised access and unauthorised disclosure
Any data breach such as unauthorised access to personal data, unauthorised disclosure or use of data is liable to be penalised by the Information Commissioner. Data controllers are subject to an obligation in law to report any data breaches.
Section 170 of the 2018 Act provides for a specific offence of unlawfully obtaining, disclosing, procuring or retaining personal data.
(b) ensure the safeguards applied to their collection, use, processing and protection of PNR data apply to all individuals without unlawful differentiation;
Section 29(6) of the Equality Act 2010 requires that
A person must not, in the exercise of a public function that is not the provision of a service to the public or a section of the public, do anything that constitutes discrimination, harassment or victimisation.
The Act also provides for circumstances in which discrimination may be lawful.
(c) take measures to ensure individuals are informed about the collection, use, processing and protection of PNR data and related privacy standards employed;
Section 44 of the 2018 Act sets out the general duties of data controllers which includes information they must make public, such as: identity and contact details of the controller; the purposes for which the controller processes personal data; the existence of the rights of data subjects to request access to data, rectification of data, erasure of data or restriction of processing, as well as information about the legal basis for processing the data and about data retention.
The UK Government has published information about the collection, use, processing and protection of PNR data and about PNR data subjects’ rights under the 2018 Act on the www.gov.uk website.
(d) take measures to ensure that aircraft operators inform their customers about the transfer of PNR data;
Article 13 of the UK General Data Protection Regulation (UK GDPR) places obligations on airlines to provide passengers with information on the processing of their personal data:
Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
(a) the identity and the contact details of the controller ..;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) where the processing is based on … the legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of relevant adequacy regulations …, or in the case of transfers [subject to safeguards], reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
(e) provide for administrative and judicial redress mechanisms to enable individuals to seek a remedy for the unlawful processing of their PNR data by public authorities; and
Section 167 of the 2018 Act provides that if
a court is satisfied that there has been an [unlawful] infringement of the data subject’s rights … a court may make an order for the purposes of securing compliance with the data protection legislation which requires the controller in respect of the processing, or a processor acting on behalf of that controller—(a)to take steps specified in the order, or (b)to refrain from taking steps specified in the order.
Article 82 of UK GDPR and section 169 of the 2018 Act provide individuals with rights to compensation for any damage suffered because of actions of the data controller or the data processor.
(f) provide for appropriate mechanisms, established by their legal and administrative framework, for individuals to obtain access to their PNR data and to request, if necessary, corrections, deletions or notations.
Right of access by the data subject is set out in section 45 of the 2018 Act. A data subject is entitled to
obtain from the controller— (a)confirmation as to whether or not personal data concerning him or her is being processed, and (b) where that is the case, access to the personal data and the [following] information:
(a) the purposes of and legal basis for the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data has been disclosed (including recipients or categories of recipients in third countries or international organisations);
(d) the period for which it is envisaged that the personal data will be stored or, where that is not possible, the criteria used to determine that period;
(e) the existence of the data subject’s rights to request from the controller—(i) rectification of personal data (section 46), and (ii) erasure of personal data or the restriction of its processing (section 47);
(f) the existence of the data subject’s right to lodge a complaint with the Commissioner and the contact details of the Commissioner;
(g) communication of the personal data undergoing processing and of any available information as to its origin
The Information Commissioner has published guidance for individuals about their personal data rights and on mechanisms for data subjects to exercise their rights.
9.27 Recommended Practice: Subject to necessary and proportionate restrictions, Contracting States should notify individuals of the processing of their PNR data and inform them about the rights and means of redress afforded to them as defined in their legal and administrative framework.
In addition to data subjects’ right of access under the 2018 Act, there is a specific notification provision relating to EU PNR data only.
Regulation 13A of the 2018 Regulations provides that where the UK PIU uses EU PNR data or transfers EU PNR data to an EU PIU, Europol, Eurojust or a third country competent authority (or where the UK PIU transfers EU PNR data to a UK competent authority), the UK PIU (or the UK competent authority) must notify the person to whom the data relates – so far as it is reasonably practicable to do so.
Notification need not be made when the UK PIU or the UK competent authority considers that notifying the person would, or would be likely to, prejudice any ongoing investigations.
9.28 Contracting States shall:
(a) base the automated processing of PNR data on objective, precise and reliable criteria that effectively indicate the existence of a risk, without leading to unlawful differentiation; and
Regulation 6(5) of the 2018 Regulations sets conditions on the processing of PNR data by the Passenger Information Unit (PIU). These include carrying out assessment of passengers by processing PNR data against pre-determined criteria:
Where the PIU processes PNR data against pre-determined criteria, the PIU must ensure that the pre-determined criteria … are—(a) reliable, targeted, proportionate and specific; (b) set and regularly reviewed in cooperation with the UK competent authorities, and (c) not based on a person’s race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation
The Equality Act 2010 makes provision for circumstances in which differentiation (discrimination) may be lawful.
(b) not make decisions that produce significant adverse actions affecting the legal interests of individuals based solely on the automated processing of PNR data.
Regulation 6(5A) of the 2018 Regulations provides that no decisions shall be made concerning data subjects based on automated decisions:
The PIU must not take any decision which produces an adverse legal effect on a person or otherwise significantly impacts a person (a) only by reason of the automated processing of PNR data;
Regulation 7 of the 2018 Regulations specifies that
a UK competent authority must not … take any decision which produces an adverse legal effect on a person or otherwise significantly affects a person … only by reason of the automated processing of PNR data.
9.29 Contracting States shall designate one (or more) competent domestic authority(ies) as defined in their legal and administrative framework with the power to conduct independent oversight of the protection of PNR data and determine whether PNR data are being collected, used, processed and protected with full respect for human rights and fundamental freedoms.
The Information Commissioner is the appropriate competent data protection supervisory authority for the UK, and is responsible for monitoring the application of the 2018 Act in relation to law enforcement processing, in order to protect the fundamental rights and freedoms of individuals in relation to processing by a competent authority for any of the law enforcement purposes (as defined in Part 3 of the 2018 Act) and to facilitate the free flow of personal data.
By law, the Information Commissioner and their staff are independent of Government. Schedule 12 of the 2018 Act provides that
the Commissioner and the Commissioner’s officers and staff are not to be regarded as servants or agents of the Crown.
9.30 Contracting States shall:
(a) not require aircraft operators to collect PNR data that is not required as part of their normal business operating procedures nor to filter the data prior to transmission; and
The 2008 Order provides that PNR data can be specified only
to the extent to which it is known to the owner or agent of a ship or aircraft or to the person operating an international [train] service or his agent.
(b) not use PNR data revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning their health, sexual life or sexual orientation other than in exceptional and immediate circumstances to protect the vital interests of the data subject or of another natural person. In circumstances where such information is transferred, Contracting States shall delete such data as soon as practicable.
Regulation 14(1) of the 2018 Regulations provides that:
The PIU must not process PNR data revealing a person’s race, ethnic origin, political opinions, philosophical beliefs, trade union membership, health, sexual life or sexual orientation.
9.31 Contracting States shall:
(a) retain PNR data for a set period as defined in their legal and administrative framework which shall be that period necessary and proportionate for the purposes for which the PNR data is used;
Regulation 13 of the 2018 Regulations provides that the PIU must retain PNR for five years from the date of transfer and permanently delete that data upon expiry of that period, except EU PNR data which must be permanently deleted within five years of transfer.
Regulation 13AA places conditions on the retention of certain EU PNR data which, if it relates to a person who has left the UK, may be retained on the basis of a risk assessment based on objectively established criteria.
These retention provisions are without prejudice to cases where PNR data has been transferred to a UK competent authority and is used in the context of specific cases for the purposes of preventing, detecting, investigating or prosecuting terrorist offences or serious crime.
(b) depersonalise retained PNR data, which enable direct identification of the data subject, after set periods, which do not exceed what is necessary as defined in their national laws and policies, except when used in connection with an identifiable ongoing case, threat or risk related to the purposes identified in 9.25(b);
Regulation 13 of the 2018 Regulations also requires that PNR data is depersonalised after 6 months:
Upon expiry of a period of six months beginning with the date of transfer of the PNR data by an air carrier or an EU PIU, the PIU must depersonalise the PNR data through masking out of the following data elements— (a) names, including the names of other passengers on the PNR and number of travellers who are travelling together on the PNR; (b) address and contact information; (c) all forms of payment information, including billing address; (d) frequent flyer information; (e) general remarks, (f) any API data, (g) Other Service Information (OSI), and (h) System Service Information (SSI) and System Service Request Information (SSR).
(c) only re-personalise or unmask PNR data when used in connection with an identifiable case, threat or risk for the purposes identified in 9.25 (b); and
Regulation 13(4) of the 2018 Regulations provides that:
Upon expiry of the [depersonalisation period] the PIU must not disclose the unmasked PNR data except where— (a)the PIU is satisfied that the disclosure is necessary for [a prescribed purpose], and (b)the disclosure is approved by the most senior officer within the PIU who has been charged with verifying whether the conditions for disclosure of the full PNR are met.
(d) delete or anonymise PNR data at the end of the retention period except when used in connection with an identifiable ongoing case, threat or risk purposes identified in 9.25 (b).
See 9.31(a) above.
9.32 Recommended Practice: Contracting States should retain PNR data for a maximum period of five years after the transfer of PNR data, except when required in the course of an investigation, prosecution, or court proceeding.
See 9.31(a) above.
9.33 Recommended Practice: Contracting States should depersonalise PNR data within six months of and no later than two years after the transfer of PNR data.
See 9.31(b) above.
9.34 Contracting States shall:
(a) as a rule acquire PNR data using the ‘push’ method, in order to protect the personal data that is contained in the operators’ systems and that operators remain in control of their systems;
The UK Generic ICD states that:
This PNR data must be pushed (transmitted) in relation to the Carrier’s scheduled departure time and at the times as specified in the relevant UK legislation.
Push is defined in the ICD as:
Messages transmitted by the carrier system/service provider to the UK system.
(b) seek, to the greatest extent possible, to limit the operational and administrative burdens on aircraft operators, while enhancing passenger facilitation;
seek … to limit the operational and administrative burdens on aircraft operators
The PNR data required of carriers is information already collected as part of their business operation. No burden is imposed in relation to collection of the data.
while enhancing passenger facilitation
In order to make the processing and protection of PNR data accessible and transparent to the public, the UK has published on its website information outlining: how PNR data is processed and used, what legislation authorises collection, data subjects’ rights under the Data Protection Act 2018, and where to contact to make a complaint.
(c) not impose fines and penalties on aircraft operators for any unavoidable errors caused by a systems failure which may have resulted in the transmission of no, or corrupted, PNR data; and
Regulations 3(6) and 4(3) of the Passenger, Crew and Service Information (Civil Penalties) Regulations 2015 (‘the 2015 Regulations’) provide that:
the Secretary of State may not require a person to pay a penalty under this regulation if … the person shows that there was a reasonable excuse for the failure.
(d) minimise the number of times the same PNR data is transmitted for a specific flight.
Written requirements placed on operators under UK law specify when they are required to transfer PNR data relative to scheduled time of departure. There is no requirement to provide the same data repeatedly.
9.35 Contracting States shall:
(a) not inhibit or prevent the transfer of PNR data by an aircraft operator or other relevant party, nor sanction, impose penalties or create unreasonable obstacles on aircraft operators or other relevant parties that transfer PNR data to another Contracting State provided that Contracting State’s PNR data system is compliant with the Standards contained in Section D, Chapter 9 of Annex 9; and
Chapter V of the UK GDPR provides for ‘Transfers of personal data to third countries or international organisations’ and outlines the necessary standards and mechanisms required to transfer personal data from the UK to third countries: through an adequacy decision, where appropriate safeguards exist which provide the necessary enforceable data subject rights and effective legal remedies for data subjects or use of derogations for specific situations.
(b) equally, retain the ability to introduce or maintain higher levels of protection of PNR data, in accordance with their legal and administrative framework and to enter into additional arrangements with other Contracting States in particular to: promote collective security; achieve higher levels of protection of PNR data, including on data retention; or establish more detailed provisions relating to the transfer of PNR data, provided those measures do not otherwise conflict with the Standards contained in Section D, Chapter 9 of Annex 9.
Clear demonstration of compliance with the Standards contained in Section D Chapter 9 of Annex 9 will support the application of Chapter V GDPR mechanisms to allow transfers of PNR data from the UK.
9.36 Contracting States shall demonstrate, to any requesting Contracting State, their compliance with the Standards contained in Section D Chapter 9 of Annex 9. A demonstration of compliance with the PNR Standards, upon request, shall take place as soon as possible. Contracting States shall work through this process in good faith and in a timely manner.
The UK has developed this compliance statement to demonstrate its compliance with the Standards contained in Section D Chapter 9 of Annex 9.
9.36.1 Recommended Practice: Contracting States should allow other Contracting States compliant with the PNR Standards to receive PNR data, at least provisionally, while engaging in consultations, as necessary.
The UK will permit transfers of PNR data from the UK subject both to other Contracting States demonstrating their compliance with the PNR Standards to provide appropriate safeguards for PNR data, including enforceable data subject rights and effective legal remedies, and to the UK meeting its national law requirements for international transfers of personal data.
9.37 Where Contracting States have determined they must inhibit, prevent or otherwise obstruct the transfer of PNR data or might penalize an aircraft operator, they shall do so with transparency and with the intent of resolving the situation which caused that determination.
Transfers to the UK: The 2015 Regulations outline the process by which the UK will penalise carriers for not transferring data to the UK when required to do so. Financial penalties, which may not exceed £10,000 (per flight), may be applied when an operator has failed to comply with
a requirement to supply the information by a specified time or within a specified period; a requirement to supply the information in a specified form and manner; or a requirement to be able to receive, in a specified form and manner, communications … relating to the information.
Transfers from the UK: Part 6 of the 2018 Act provides enforcement powers to the Information Commissioner, who may issue information notices, enforcement notices and penalty notices for breaches relating to the principles for transfers of personal data to third countries.
9.38 Recommended Practice: Contracting States establishing a PNR program, or making significant changes to an existing program, pursuant to these SARPs, should proactively notify other Contracting States maintaining air travel between them prior to receiving data, including whether they are complying with these SARPs, to encourage or facilitate rapid consultation where appropriate.
The UK has no requirement to make significant changes to its PNR data function because of the ICAO PNR SARPs.
Through this compliance statement, the UK will demonstrate its compliance with the ICAO PNR SARPs to Contracting States from whose aircraft operators the UK requires the transfer of PNR data.
The UK will seek an indication of compliance with the ICAO PNR SARPs from Contracting States that require the transfer of PNR data from UK aircraft operators.
9.39 Recommended Practice: While attempting to resolve PNR data transfer disputes, Contracting States should not penalize aircraft operators.
The UK has no wish to penalise aircraft operators in the case of such a dispute, but reserves the right to use penalties available in UK law in circumstances where aircraft operators are in breach of requirements under UK law to transfer PNR data to the UK government.