
GDPR and airlines

  • 18-04-2021 8:38pm
    #1
    Registered Users Posts: 60 ✭✭


    Quick question about GDPR and airlines - I recently flew on a flight into Dublin.

    I received a phone call from the HSE a few days later, where they had already been given access to my full address, date of birth, and name, provided to them by the airline.

    I know this wasn't gotten from the information on my passenger locator form because I used the English version of my name on that, out of habit, instead of the Irish one on my passport that I'd flown on - and the HSE used my Irish name. And because the HSE also didn't have my eircode, which I had put on the passenger locator form but not given the airline. And, probably more importantly, because the woman on the phone offered this as an explanation.

    When I gave the airline this data, I was under the impression it was only for their use. I did not authorize them to share the data with anyone else.

    Would this constitute a GDPR data breach?

    (I've no problem with the HSE having my data for what it's worth. But it would make me a lot more comfortable if they'd used the data I'd provided on the passenger locator form, instead of apparently getting the airline to hand contact info over - and god knows what else - to them without informing me. It's the sharing of data between organizations that worries me).


Comments

  • Registered Users Posts: 9,262 ✭✭✭markpb


    As far as I know, GDPR allows organisations to share your data where it’s required by law. If the government included a data-sharing stipulation in some of the recent Covid-related health acts, that would cover the airline legally.


  • Registered Users Posts: 10,228 ✭✭✭✭Marcusm


    jmcgill16 wrote: »
    Quick question about GDPR and airlines - I recently flew on a flight into Dublin.

    I received a phone call from the HSE a few days later, where they had already been given access to my full address, date of birth, and name, provided to them by the airline.

    I know this wasn't gotten from the information on my passenger locator form because I used the English version of my name on that, out of habit, instead of the Irish one on my passport that I'd flown on - and the HSE used my Irish name. And because the HSE also didn't have my eircode, which I had put on the passenger locator form but not given the airline. And, probably more importantly, because the woman on the phone offered this as an explanation.

    When I gave the airline this data, I was under the impression it was only for their use. I did not authorize them to share the data with anyone else.

    Would this constitute a GDPR data breach?

    (I've no problem with the HSE having my data for what it's worth. But it would make me a lot more comfortable if they'd used the data I'd provided on the passenger locator form, instead of apparently getting the airline to hand contact info over - and god knows what else - to them without informing me. It's the sharing of data between organizations that worries me).

    For some reason you think that the airline would not be required to report information to a government on the passengers which it carries into the country? Hmmm. I think you are being a bit naive.


  • Registered Users Posts: 78,325 ✭✭✭✭Victor


    The airlines likely supply a summary list of passengers. That your arrival card didn't match that list probably raised issues.


  • Posts: 0 [Deleted User]


    You are on a manifest. It's that simple and not a new thing


  • Registered Users Posts: 60 ✭✭jmcgill16


    Thanks for the replies. Apologies for the multiquote, but to address them one by one:
    markpb wrote: »
    As far as I know, GDPR allows organisations to share your data where it’s required by law. If the government included a data-sharing stipulation in some of the recent Covid-related health acts, that would cover the airline legally.

    That's interesting. Do you know if/where there is such a measure in the covid health-care acts? I looked but wasn't able to find one.
    Victor wrote: »
    The airlines likely supply a summary list of passengers. That your arrival card didn't match that list probably raised issues.

    This definitely wasn't it - the woman on the phone said every passenger on the flight was being contacted.
    You are on a manifest. It's that simple and not a new thing

    The flight manifest is usually only accessible to airline staff, and doesn't contain all of the information I mentioned for most of them - full home address etc.
    Marcusm wrote: »
    For some reason you think that the airline would not be required to report information to a government on the passengers which it carries into the country? Hmmm. I think you are being a bit naive.

    Advanced Passenger Data used for immigration purposes is only supplied by law to the Irish government for flights originating outside of the EU. This was an internal EU flight.

    Again I've no problem with the HSE having my data. But it just seems to have obtained it possibly in breach of GDPR to me, which is why I'm curious. It's a bad precedent to let government bodies get into the habit of.


  • Registered Users Posts: 2,469 ✭✭✭bennyineire


    jmcgill16 wrote: »
    Quick question about GDPR and airlines - I recently flew on a flight into Dublin.

    I received a phone call from the HSE a few days later, where they had already been given access to my full address, date of birth, and name, provided to them by the airline.

    I know this wasn't gotten from the information on my passenger locator form because I used the English version of my name on that, out of habit, instead of the Irish one on my passport that I'd flown on - and the HSE used my Irish name. And because the HSE also didn't have my eircode, which I had put on the passenger locator form but not given the airline. And, probably more importantly, because the woman on the phone offered this as an explanation.

    When I gave the airline this data, I was under the impression it was only for their use. I did not authorize them to share the data with anyone else.

    Would this constitute a GDPR data breach?

    (I've no problem with the HSE having my data for what it's worth. But it would make me a lot more comfortable if they'd used the data I'd provided on the passenger locator form, instead of apparently getting the airline to hand contact info over - and god knows what else - to them without informing me. It's the sharing of data between organizations that worries me).

    Did you read the terms and conditions on the purchase of your tickets?


  • Posts: 3,505 [Deleted User]


    jmcgill16 wrote: »
    But it just seems to have obtained it possibly in breach of GDPR to me, which is why I'm curious.
    There are a number of legal bases under which you can process personal data. Consent, performance of a contract, legal obligation etc. There are also the bases of 'public interest' or 'vital interest'. In my completely uneducated opinion, I'd think either public interest or vital interest could be argued in this case.

    What you might have a point with, is the right to be informed, i.e. a privacy statement. Ideally, information about why and how your personal data is processed should be available somewhere. Maybe that's a better angle to investigate, if you're looking to complain.


  • Posts: 0 [Deleted User]


    jmcgill16 wrote: »
    Thanks for the replies. Apologies for the multiquote, but to address them one by one:



    That's interesting. Do you know if/where there is such a measure in the covid health-care acts? I looked but wasn't able to find one.



    This definitely wasn't it - the woman on the phone said every passenger on the flight was being contacted.



    The flight manifest is usually only accessible to airline staff, and doesn't contain all of the information I mentioned for most of them - full home address etc.



    Advanced Passenger Data used for immigration purposes is only supplied by law to the Irish government for flights originating outside of the EU. This was an internal EU flight.

    Again I've no problem with the HSE having my data. But it just seems to have obtained it possibly in breach of GDPR to me, which is why I'm curious. It's a bad precedent to let government bodies get into the habit of.

    Manifest contains a lot of information. The simple one that they have onboard isn't the full one.

    ALL your information is stored and shared when required.


  • Registered Users Posts: 60 ✭✭jmcgill16


    Did you read the terms and conditions on the purchase of your tickets?

    I did - it made no specific references to health regulations, or the HSE. It just gave a disclaimer about API being used for "border management and immigration control purposes". The exact same wording used by the Irish Passenger Information Unit[1], interestingly - which would make me think it's a general EU-wide disclaimer.
    There are a number of legal bases under which you can process personal data. Consent, performance of a contract, legal obligation etc. There are also the bases of 'public interest' or 'vital interest'. In my completely uneducated opinion, I'd think either public interest or vital interest could be argued in this case.

    What you might have a point with, is the right to be informed, i.e. a privacy statement. Ideally, information about why and how your personal data is processed should be available somewhere. Maybe that's a better angle to investigate, if you're looking to complain.

    That's interesting, thanks. Public interest would make some sense, but I would expect that to have been clarified in writing somewhere - a notification that passenger information was now being automatically shared with the HSE or some such. Not just for my own consent/by the airline, but also as a public announcement by the government somewhere.

    I've written to multiple data protection officers (the airline, the HSE, and the IPIU) - so I'll see if any of them are able to provide an explanation and update the thread accordingly.
    Manifest contains a lot of information. The simple one that they have onboard isn't the full one.

    ALL your information is stored and shared when required.

    The only regulation for this that I can find seems to be for immigration/border control. I'm open to correction on this (that's why I'm asking here!), but there doesn't seem to be anything anywhere about data being allowed to be passed to the HSE.

    [1]https://www.irishimmigration.ie/irish-passenger-information-unit/


  • Posts: 0 [Deleted User]


    jmcgill16 wrote: »
    I did - it made no specific references to health regulations, or the HSE. It just gave a disclaimer about API being used for "border management and immigration control purposes". The exact same wording used by the Irish Passenger Information Unit[1], interestingly - which would make me think it's a general EU-wide disclaimer.



    That's interesting, thanks. Public interest would make some sense, but I would expect that to have been clarified in writing somewhere - a notification that passenger information was now being automatically shared with the HSE or some such. Not just for my own consent/by the airline, but also as a public announcement by the government somewhere.

    I've written to multiple data protection officers (the airline, the HSE, and the IPIU) - so I'll see if any of them are able to provide an explanation and update the thread accordingly.



    The only regulation for this that I can find seems to be for immigration/border control. I'm open to correction on this (that's why I'm asking here!), but there doesn't seem to be anything anywhere about data being allowed to be passed to the HSE.

    [1]https://www.irishimmigration.ie/irish-passenger-information-unit/

    I can't speak directly about the HSE, not my area. Very possible they have access under infectious diseases legislation though.

    Please do update the thread when you receive a reply


  • Posts: 0 [Deleted User]


    S.I. No. 126/2021 - Health Act 1947 (Personal Data) Regulations 2021

    Would appear to be referring to this.


  • Registered Users Posts: 60 ✭✭jmcgill16


    S.I. No. 126/2021 - Health Act 1947 (Personal Data) Regulations 2021

    Would appear to be referring to this.

    Which part of it? There's nothing in there that gives the HSE access to airline data directly that I can see.

    The data protection section states:

    "Personal data provided on the Covid-19 Passenger Locator Form, or otherwise provided to a relevant person under Regulation 6* , may be processed by -

    (a) the Minister for Health, the Health Service Executive"

    * which refers to a member of the Garda Síochána

    It seems to outline that any information given on the Passenger Locator Form, or directly to the Gardai at immigration, may be used by the HSE. But it makes no mention of airlines passing customer information directly to the HSE.


  • Registered Users Posts: 8,925 ✭✭✭GM228


    jmcgill16 wrote: »
    Quick question about GDPR and airlines - I recently flew on a flight into Dublin.

    Where did you fly in from?

    For example there are already pre-COVID regulations in force for sharing of airlines PNR/PIU data from outside the EU to the state, and under the EU's PNR Directive which also allows for the state to do the same for intra EU flights too, not sure if they specifically legislated for this under the regulation.

    That aside there are so many amendments to the Health Act 1947 and regulations issued under said Act that it is hard to keep up, but I'm sure there are some which not only allow, but obligate an airline to share the data, and if I'm not mistaken there is already provision for such in the GDPR Regulation and associated 2018 Act (have to double check).


  • Registered Users Posts: 60 ✭✭jmcgill16


    It was an internal EU flight. The regulations for sharing PNR data that I could find - from the Irish Passenger Information Unit - only related to flights coming from outside of the EU, and were "for the purpose of the prevention, detection, investigation and prosecution of terrorism and serious crime" -- i.e. nothing relating to healthcare.

    That's the same exact language used in the EU PNR directive also, which would suggest a link in purpose/use to me.

    The 'GDPR Regulation and associated 2018 Act' suggestion looks more interesting though, thanks for that suggestion:
    Processing of special categories of personal data for purposes of public interest in the area of public health

    53. Subject to suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects, the processing of special categories of personal data shall be lawful where it is necessary for public interest reasons in the area of public health including—

    (a) protecting against serious cross-border threats to health, and

    (b) ensuring high standards of quality and safety of health care and of medicinal products and medical devices.

    http://www.irishstatutebook.ie/eli/2018/act/7/section/53/enacted/en/html#sec53

    That would seem to possibly cover it - pending the "Subject to suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects" aspect being accounted for. Depending on how fundamental rights and freedoms are defined in regards to my personal information I guess.


  • Registered Users Posts: 71 ✭✭inisfree0504


    Also just my wholly uneducated opinion here - but the assumption that the airline shared your data may be incorrect. Your passport would have been scanned at passport control. Why would your info not have been passed on to the HSE from there? I am not familiar with the legislation in this area but it seems highly likely that either (a) there is legislation providing that personal data can be shared between the dpt of foreign affairs (I'm not sure if this is passport control? but whoever the relevant body is) and other state bodies, or (b) that the sharing of information between state agencies re identifying those entering our jurisdiction, would have been deemed to be in the public interest for the purposes of COVID.

    Alternatively, the data was received from the airline. But bear in mind the process behind that if there is, in fact, no relevant legal basis: The state asks Ryanair or whoever, for data, providing no legal basis. I think it's pretty unlikely that the DPA at Ryanair is going to hand that data over without question. More likely the relevant legal basis will have been provided by the state or the Ryanair DPA would request it be clarified. Sure, that basis may be open to interpretation (it could have simply been claimed that such sharing was in the public interest), but I simply do not see it being likely that an airline would open itself up to breaching the GDPR unless they were satisfied that the risk of this was very small.

