Passenger name record data
Published 11 May 2021
© Crown copyright 2021
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/passenger-name-record-data/passenger-name-record-data
Passenger name record (PNR) data is information collected by airlines and other passenger service operators as part of their normal course of business and includes information required to complete and process a booking.
This may include information such as:
- dates of travel and travel itinerary
- ticket information
- contact details like address and phone number
- travel agent
- payment information
- seat number and baggage information
Read the full list of data which may comprise PNR data to the extent it is known by the airline or service operator, under schedules 2 and 4 to the Immigration and Police (Passenger, Crew and Service Information) Order 2008 on the legislation website.
How it is acquired and the legislation that authorises the collection of PNR data
PNR data is transferred to the Home Office, as the passenger information unit (PIU), by carriers and operators using the ‘push’ method.
The requirement for air carriers and other operators to provide PNR data to the Home Office is made under and in accordance with paragraphs 27B of Schedule 2 to the Immigration Act 1971 and the Immigration and Police (Passenger, Crew and Service Information) Order 2008 (SI 2008/5)
What PNR is used for
PNR data is used by law enforcement authorities, and other public authorities competent for the purposes of preventing, detecting, investigating and prosecuting terrorist offences or serious crime, and protecting the vital interests of persons.
The purposes for which PNR data may be used are set in regulation 6A of the Passenger Name Record Data and Miscellaneous Amendments Regulations 2018 (‘the 2018 Regulations’).
The 2018 Regulations have been amended by the Law Enforcement and Security (Amendment) (EU Exit) Regulations 2019 and the European Union (Future Relationship) Act 2020.
How PNR data is protected
Under the 2018 Regulations, PNR data is protected by specific safeguards, including:
- sensitive or special categories of personal data must not be processed
- PNR data must be depersonalised after 6 months
- PNR data may be re-personalised only under strict conditions
- PNR data must be retained no longer than 5 years
- the PIU has an appointed data protection officer responsible for monitoring and implementing safeguards relating to the processing of PNR data who may refer any non-compliance with the Regulations to the Information Commissioner’s Office
- the designation of an independent authority to approve the use or transfer of EU PNR data
The UK General Data Protection Regulation (UK GDPR) provides that everyone responsible for using personal data has to follow strict rules called ‘data protection principles’.
They must make sure personal data is:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
Read the Data Protection Act 2018 and the 2018 Regulations for further information about the processing of personal data.
How PNR data about you might be used or transferred
Under the 2018 Regulations, your PNR data may be used for the purposes of:
(a) preventing, detecting, investigating and prosecuting terrorist offences or serious crime
(b) protecting the vital interests of persons (protecting persons who are, or may be, at risk or death or serious injury or from significant threats to public health)
PNR data may be used by the PIU for security and border control checks facilitated and expedited by the electronic processing and risk assessment of PNR data in advance of the arrival (or departure) of passengers. PNR data may be transferred by the PIU to:
- a UK competent authority
- a PIU in the EU
- Europol or Eurojust
- a third country competent authority
All transfers of PNR by the PIU must be following a duly reasoned, necessary and proportionate request for information made in respect of a specific case.
Read further information on international transfers of personal data on the Information Commissioner’s Office website and the 2018 Regulations.
Your rights under the Data Protection Act 2018
Under the Data Protection Act 2018, you have the right to find out what information, including PNR data, the government and other organisations store about you.
These include the right to:
- be informed about how your data is being used
- access personal data
- have incorrect data corrected
- have data erased
- stop or restrict the processing of your data
- data portability (allowing you to get and reuse your data for different services)
If you think PNR data about you has been misused or that the PIU or a UK competent authority has not kept it secure, you should contact them and tell them.
If you’re unhappy with their response or if you need any advice you should contact the Information Commissioner’s Office.
Contact information
If you have an enquiry about the use made of PNR data and the operation of the PNR data safeguards you can contact:
If you have a specific concern about PNR data relating to you, you can contact the data protection officer at the PIU:
Personal data
For further information on how the Home Office processes your personal data, read the Borders, immigration and citizenship: privacy information notice on GOV.UK.