Aviation Data Privacy – Passenger Information Regulations

Cross-border crime is one of the biggest challenges for law enforcement, so effectively managing passenger data is a high priority for government agencies. That is why regulations for passenger information exchange are in place: to better detect, investigate and prevent criminal activities.

This second part of our blog on Aviation Data Privacy describes passenger information measures that keep passengers safe and borders secure. We’ll also introduce you to HERMES, WCC’s innovative solution for border security and passenger control. In addition, we explain how HERMES can protect borders from illegal transit and control the health of passengers while meeting the demands made by privacy legislation.

Find out more about Privacy Legislation in the first part of our blog.

Passenger information exchange regulations

Advance Passenger Information (API) is mandatory for all United Nations member states. It usually comprises data found in the Machine Readable Zone (MRZ) of passports and other travel documents. An API dataset contains biographic data for all passengers and crew members and flight details supplied by the aircraft operator. The digital transmission of API data to border control agencies occurs prior to departure. In the EU, API is used to combat terrorism and illegal immigration, covering all incoming flights. In the interest of privacy, border control agents can only store the data for up to 24 hours.

Passenger Name Record (PNR) is personal information provided by passengers and collected and held by airlines. It includes information such as the passenger’s name, travel dates, itineraries, seats, baggage, contact details, and means of payment. The PNR directive regulates the transfer of such data to EU member states’ law enforcement authorities. It also governs their use of the data to prevent, detect, investigate, and prosecute terrorist offenses and serious (cross-border) crimes.

When processing PNR data for regular business purposes, the air carriers need to comply with the accountability principle imposed by the GDPR legislation. They need to ensure that the PNR data does not exceed what is necessary for booking and reservation purposes. As accountable controllers, the carriers need to comply with the transparency principle.

The directive prohibits the collection and use of sensitive data. In addition, PNR data can only be kept for 5 years and must be depersonalized after 6 months, so the data subject is no longer immediately identifiable.

E-Health data & the aviation industry

During the COVID-19 global pandemic, the need for vaccination certificates and for test records confirming that a person is not infected became evident. However, medical information is extremely sensitive, raising privacy concerns.

Digital vaccine passports may rely on storing medical information in a centralized database. As a result, individuals’ vaccination data may be vulnerable to data breaches, government surveillance, or corporate misuse. Privacy risks depend heavily on what privacy and security measures are in place and which entities can access the data.

Inevitably, the disclosure of vaccination information raises serious ethical issues. In addition, the increasing disparities of vaccination rates among more vulnerable populations can infringe personal freedom, for example, by restricting access to a range of public and private activities.

To reduce risks regarding the protection of sensitive health data, the International Air Transport Association (IATA) has focused on finding solutions for the aviation industry. In their role as arbiters for global standards in airline safety, security, efficiency, and sustainability, they came up with an answer: The IATA travel pass.

The IATA travel pass

The IATA Travel pass lets you verify that passengers comply with COVID-19 health requirements. It secures a digital version of your passport on your mobile phone, and it can link your COVID test results or proof of vaccination to your verified identity, alongside your travel information.

Governments issue digital vaccine certificates that you can upload to the app. This data is encrypted and saved on the certificate holder’s smartphone, which circumvents the need for a central database. Furthermore, nobody but the data owner can access and share this information. Therefore, it’s a secure solution that travelers, airlines, and governments can trust.

WCC Group Integration

HERMES, WCC’s innovative solution for border security, is a person-centric, integrated border security solution for screening Advance Passenger Information (API) and Passenger Name Record (PNR) data while maximizing security and passenger convenience. As a result, HERMES ensures both state-of-the-art security and optimum passenger flow at all kinds of borders, airports, and seaports.

At the same time, HERMES can screen passengers’ data using the COVID-19 Health Dashboard. The Health Dashboard processes IATA Travel Pass information to determine whether a passenger is vaccinated against COVID-19 or whether the traveler possesses a negative COVID test certificate. The passenger’s health data remains on their smartphone, and passengers can choose whether or not to share this information.

With this solution, border agents obtain the information needed to maintain health security. At the same time, passengers can be confident about their data privacy. As a result, passengers can travel without being denied entry to certain countries, and the risk of an unnecessary quarantine period when crossing borders is reduced.

The future of data privacy

Mr. Roelof Troost, the WCC Group’s ID & Security business unit VP, said:

Passenger data will be moving to and from countries in great quantities from now on. Passenger data will be shared more frequently, and between many different agencies.

Therefore, it is clear that there is a growing demand to ensure there is legislation designed to guarantee the protection and privacy of data and for technological solutions to help law enforcement. WCC continues its commitment to providing software that matters and fosters a safer world.

WCC is a leading provider of advanced ID/Security solutions for government agencies worldwide. WCC’s expertise and technology can help mitigate border security challenges and increase global health security. If you want more information, contact us to set up a call with our ID/Security experts.

Article by: WCC Community
Published on: February 1, 2022
