Executive Summary
Advance Passenger Information / Passenger Name Record Program (API/PNR) – Data Acquisition:
Since 2002, commercial air carriers have been required to provide the Canada Border Services Agency (CBSA) with Advance Passenger Information (API) and, beginning in 2003, with Passenger Name Record (PNR) data relating to all passengers on board Canada-bound commercial aircraft.
Once provided, this information helps to enhance the security of Canada through three distinct program activities conducted under the CBSA’s API/PNR program, including: Air Passenger Targeting, Intelligence, and Interactive Advance Passenger Information (IAPI).
The purpose of Air Passenger Targeting and Intelligence activities is to identify persons who may be involved with terrorism or other serious crimes, including organized crime, that are transnational in nature, while IAPI activities assist commercial air carriers in meeting their transporter obligations by helping to determine whether Canada-bound travellers possess the appropriate documentation to enter Canada.
This Privacy Impact Assessment (PIA) acts as a core PIA for the API/PNR program, focusing specifically on the acquisition of API/PNR data while providing a broad overview of the authorized processing parameters for any program activities that use API/PNR information. These parameters include collection, use, access, retention, disclosure and disposal of the data. This PIA is not a stand-alone document and must be read in conjunction with one of the following addenda PIAs: Air Passenger Targeting, IAPI, and Intelligence.
Protecting your Personal Information
The following personal information elements are processed by the API/PNR Program:
- Advance Passenger Information, which consists of the following data elements for travellers:
- their surname, first name and any middle names, their date of birth, their citizenship or nationality and their gender
- the type and number of each travel document that identifies them and the name of the country or entity that issued it;
- their reservation record locator number, if any; and,
- the unique passenger reference assigned to them, if any, by the person that has been required to provide information or, in the case of a crew member who has not been assigned one, notification of their status as a crew member
- Passenger Name Record, which consists of the following data related to travellers:
- 1. Name
- 2. Any API collected for reservation purposes
- 3. PNR record locator code
- 4. Dates of intended travel
- 5. Date of reservation
- 6. Date of ticket issuance
- 7. Travel agencies
- 8. Travel agent
- 9. Contact telephone information
- 10. Billing address
- 11. All forms of payment information
- 12. Frequent Flyer Information
- 13. Ticketing Field Information
- 14. Ticket number
- 15. Split/divided PNR Information
- 16. Go show information (ticket purchase without a reservation)
- 17. No show information
- 18. All travel Itinerary Information
- 19. Standby Information
- 20. Other names on PNR
- 21. Check in Information
- 22. Bag tag numbers (Baggage information)
- 23. Seat information
- 24. Seat number
- 25. One way tickets
API data is collected by commercial carriers on behalf of the CBSA while PNR data is collected by commercial carriers for their own business purposes and then shared with the CBSA. There is no need for the CBSA to collect API/PNR data directly from the traveller, as commercial air carriers, or service providers acting on their behalf, already collect and provide this information to the CBSA. The obligation to do so is outlined in section 107.1 of the Customs Act and section 148 of the Immigration and Refugee Protection Act (IRPA) which jointly provide the legislative authority for the API/PNR program as a whole.
Rights of Access
The CBSA posts key details of the API/PNR program on its external website. This documentation outlines that commercial carriers are legally required to provide API information for all persons on board a conveyance bound for Canada and any PNR data collected relating to these persons. It also states the purpose for which the data is collected. A notification template was sent via e-mail to all air carrier clients of the API/PNR program in 2005. Airlines were encouraged to incorporate this passenger notification into their websites and documentation in a manner that would ensure that travellers researching or making reservations for flights to Canada would be made aware of Canada’s API/PNR program.
Travellers are able to request a copy of their API/PNR data that commercial air carriers provide to the CBSA. They can also request that a notation be included if any of the information is incorrect, as detailed in the section of Memorandum D1-16-3 titled “Rights of Access, Correction, and Complaint”.
The Access to Information Act and the Privacy Act provide Canadian citizens, permanent residents or any person (or entity) present in Canada the legal right to obtain information, in any form, that is under the control of a government institution. These travellers may formally request a copy of their personal information, or access to corporate records related to, or created by the API/PNR Program by contacting the Access to Information and Privacy Division. More information about this process can be found at: http://www.cbsa-asfc.gc.ca/agency-agence/reports-rapports/pia-efvp/atip-aiprp/req-dem-info-eng.html.
All travellers, regardless of their citizenship or presence in Canada, may informally request their API/PNR data or request a correction to erroneous data by completing the Traveller’s API/PNR Information Request Form, which is available on the CBSA’s website, and mailing it to the CBSA. The CBSA will forward a written response to the traveller, generally within 30 days of receipt of the request.
Accountability
If a traveller has concerns about the collection, use, disclosure or retention of their personal information, they may issue a complaint to the Office of the Privacy Commissioner of Canada who is mandated to investigate. Complaints should be made in writing, and include the traveller’s name, contact information, and a brief description of their concerns. Details of the complaint process can be found on the Privacy Commissioner’s Website.
- Date modified: