Border security professionals: managing API-PNR data as laws vary between countries
In our previous post, we discussed the priorities for border security professionals as we move out of restrictions and back into normal travel. We also explored the key attributes of API and PNR, and now we return to find out how they can be effectively managed when the parameters between destinations can vary so widely.
Types of API data systems
API data elements are transmitted by airlines to law enforcement agencies. The data is collected by air carriers during check-in, route information is added, and the complete set is then transmitted to border control at the destination. IATA says that over 90 countries now require airlines to send API before the flight's arrival, and more will soon. Countries should limit their data requirements to the minimum needed to comply with national legislation.
API data can be divided into two main categories:
Non-interactive batch-style API systems transmit API as a single data file or batch. Required data elements are collected and transmitted to border control agencies prior to flight departure or arrival and made available at the airport of entry. This covers all passengers and, often, crew members: the data is collected during check-in and then transmitted in a single manifest message.
An Interactive API System (i-API) is an electronic system that transmits, during check-in, API data elements collected by the aircraft operator to public authorities. The stipulation of certain articles in national legislation creates a legal obligation plus penalty policies between the parties in the case of failure. So, airline companies are sometimes unwilling to transmit the passenger data in advance to law enforcement agencies of the arrival country. This makes it harder for law enforcement agencies to request data in advance, due to the absence of legal obligation.
Data protection and human rights
Data protection mechanisms are an important aspect of API and PNR systems. Data protection legislation protects privacy and allows individuals to exercise their rights regarding the use of their personal data, and it varies between countries. However, such legislation shares common provisions.
WCO/IATA/ICAO 2014 stated that data must be:
- Obtained and processed fairly and lawfully;
- Stored for legitimate purposes and not used in any way incompatible with those purposes;
- Adequate, relevant and not excessive in relation to their purpose;
- Accurate and kept up to date;
- Preserved in a form which permits identification of the data subjects for no longer than is required.
Building API and PNR capacity across UN Member States
ICAO has already recommended the deployment of API capacity. A Standard in Annex 9 to the Chicago Convention was established regarding the use of API systems by ICAO's Member States. Many have yet to implement this standard. Each Contracting State must establish an API system and Article 9.6 stipulates support by appropriate legal authority. Additionally, the obligation to collect, process and analyze PNR data should become standard.
Effective implementation requires governments to apply a comprehensive approach to API, considering the legal, technical, operational and cooperation aspects. They must plan for high-quality data transmission between carriers and law enforcement agencies. Closer cooperation is needed between stakeholders. Effective targeting using intelligence and risk management tools will help border officials to identify high-risk travelers on time, prevent serious crimes and maintain legitimate passenger flow.
The effective processing and profiling of API and PNR data play a crucial role in national security and integrated border management. Cooperation between the relevant authorities involved in border management boosts data and information sharing practices and supports a risk-based, data-driven approach in operational activities.
The full research report can be read at www.border-security-report.com
Article by: Rovshan Namazov