Modern travelers understand that every time they book a flight, check-in, or cross a national border, their personal data will be captured.
Airlines are integral to this data-collection process, gathering information that is essential for ensuring national security and sharing it with governments. This data falls into three main types, namely:
- API (Advance Passenger Information): API data is collected during check-in and is drawn directly from official government-issued travel documents e.g., passport details, flight number, and nationality.
- PNR (Passenger Name Record): This data relates to the journey itself, including travel itinerary, payment information, contact details, meal preferences, and frequent flyer status.
- DCS (Departure Control System): DCS data is generated when a traveler arrives at the airport, and includes boarding information, baggage details, seating preferences and eligibility to travel.
Why is this information so crucial?
The importance of national security means that governments are continually seeking to accurately determine the threat level of every traveler through the application of advanced modern intelligence solutions that utilize the data generated across a traveler’s journey.
Continual access to high volumes of quality data combined with rigorous analysis, validation and human oversight means that governments can anticipate risks and take timely, targeted action to prevent threats such as organized crime, terrorism and even health-related challenges like pandemics.
However, it is fundamentally important that the personal data that flows into these systems and processes is lawfully collected, processed, used and stored, respecting the rights of travelers in accordance with national data protection and privacy laws.
A global imperative
Due to the serious implications of unfettered global criminality, including fueling corruption and regional instability, such threat analysis systems are no longer a ‘nice-to-have’ or an optional decision on the part of governments. They are essential.
Yet today, service providers - regardless of their location - are also expected to understand and demonstrate that they are compliant with data privacy rules when using passenger data to improve border security. These regulations include the United Nations Security Council Resolutions, International Civil Aviation Organization standards, and the European Union’s (EU’s) Passenger Name Record (PNR) Directive.
What’s our approach?
At SITA, our global privacy framework has been specifically designed to ensure compliance with existing legislation and major international data protection laws, while ensuring we have the agility and flexibility to incorporate additional oversight processes as and when new technologies and risks emerge.
Our practices are built to align with the leading global privacy standards, including the EU General Data Protection Regulation (EU GDPR) and its global equivalents, as well as other key national privacy legislation, frameworks and standards. As ‘data processors’ on behalf of our government, airline or airport customers (which are typically the ‘data controllers’), SITA understands its role in helping our customers to comply with their own data privacy obligations.
At SITA, traveler personal data is handled in accordance with legal frameworks and best practice, which require SITA to ensure that personal data is securely handled and shared lawfully and with a clear purpose. Our systems also align with additional customer-specific contractual requirements, such as adherence to strict data retention and destruction obligations.
How do we do it?
As a major player in the aviation industry for more than 75 years, SITA is well-versed in the legal responsibilities of our customers. These days, that also extends to data privacy. SITA’s approach to ‘Privacy by Design and Default’ sets the foundations for the compliant use of personal data in all our products and services.
The diligent application of SITA’s privacy principles across the product lifecycle ensures that the use of personal data in the design, delivery and support of our solutions meets our obligations under privacy laws, best practice and customer requirements, all of which are monitored through our own stringent internal processes. These checks and balances include:
- Providing solutions that are aligned with the applicable legal framework, wherever in the world the deployment may be;
- Providing support from subject matter experts who work closely with our customers’ own teams;
- Supporting customer Data Protection Impact Assessments (DPIAs);
- Making sure retention policies are clear;
- Ensuring processes are in place to facilitate human oversight of automated decisions;
- Supporting both robust border security and trusted data protection.
We recognize the delicate balancing act required to provide our clients with the information they need to make clear decisions, while simultaneously ensuring that traveler data is used properly. As such, data privacy is baked into the design of all SITA systems and processes. It’s not an afterthought, but an ethos we believe in.