1.  The Information Commissioner has responsibility for promoting and enforcing the Data Protection Act 1998 (DPA) and the Freedom of Information Act 2000. He is independent from government and promotes access to official information and the protection of personal information. The Commissioner does this by providing guidance to individuals and organisations, solving problems where he can, and taking appropriate action where the law is broken. The comments in this evidence are primarily from the data protection perspective.

  2.  The Information Commissioner has been examining issues around the use and disclosure of Passenger Name Record (PNR) information for a number of years now, through the mechanism of the Article 29 Data Protection Working Party (A29 Working Party), which is an independent European advisory body on data protection and privacy, set up under Article 29 of European Directive 95/46/EC. The A29 Working Party has produced a number of opinions on the use and disclosure of PNR data and the Commissioner is represented on the A29 Working Party's PNR subgroup.

  3.  In December 2007, the A29 Working Party produced a joint opinion with the Data Protection Working Party on Police and Criminal Justice (of which the Commissioner is also a member) on the Framework Decision on PNR. The opinion stresses that the EU data protection authorities have always supported the fight against international terrorism and organised crime. Further, they recognise that some use and disclosure of PNR information might be valuable for these purposes. However, any limitations of fundamental rights and freedoms have to be well justified and has to strike the right balance between demands for the protection of public security and the restriction of privacy rights. The opinion concluded that the following data protection concerns were raised by the Framework Decision on PNR.

—  The proposal does not justify a pressing need for the collection of data other than Advanced Passenger Information data (which is basically the information on the machine readable zone on a passport).

—  The amount of personal data to be transferred by air carriers is excessive.

—  The filtering of sensitive data should be done by the data controller.

—  The "push" method should apply to all air carriers.

—  The data retention period is disproportionate.

—  The data protection regime is completely unsatisfactory: the rights of the data subjects and the obligations of the controllers are not specified anywhere within the Framework Decision.

—  The great deal of discretion left to Member States might result in varying interpretations of the Framework Decision.

—  The data protection regime of onward transfers to third countries is unclear.

  4.  The Commissioner strongly supports the findings of the A29 Working Party opinion. A copy of the opinion can be viewed at: http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp145_en.pdf.

  5.  As the Committee may be aware, the UK Immigration, Asylum and Nationality Act 2006 (IANA) confers far-reaching powers on various border control agencies to collect, use and share information. However, the provisions of IANA appear to go further than those envisaged under the Framework Decision on PNR in that:

—  the purposes for which information can be shared includes wider police purposes, immigration purposes and for any Revenue and Customs purposes;

—  IANA provides for a Code of Practice, which interprets these purposes very widely, including broad, poorly defined purposes such as "protecting the vulnerable";

—  the broader IANA purposes may mean that the single point of entry for PNR information, which has already been set up by the UK Border and Immigration Authority, may not be compatible with the single point of entry envisaged for narrower purposes under the Framework Decision on PNR;

—  the provisions of the Framework Decision are limited to PNR information from air carriers, while IANA includes all passenger, crew and freight information from air, sea and rail carriers; and

—  under the Framework Decision, a list of 19 data elements are provided to the relevant authorities, whereas under IANA all of the data sets held by the carrier must be provided to the relevant authorities.

  6.  The Commissioner is happy to provide any further information the Committee may require.

Information Commissioner