ARRANGEMENT OF SECTIONS
PART I
PRELIMINARY PROVISIONS
- Short title
- Commencement
- Interpretation
- Scope and Application of Act
- Duty to provide Advance Passenger Information (API), Passenger Name Record (PNR) Data and Embarkation and Debarkation Data
- Vessel or aircraft for non-traffic purposes or making a technical stop
- Powers and duties of the Competent Authority
- Restriction of disclosure of data or documentation by the Competent Authority
- Powers and Duties of CARICOM IMPACS
PART II
COMMON PROVISIONS FOR ADVANCE PASSENGER INFORMATION AND PASSENGER NAME RECORD
- Establishment of a Passenger Information Unit
- Functions of the PIU
- Advance Passenger Information and Passenger Name Record Data access
- Processing of API and PNR data
- Verification of API and PNR Data submitted to the Competent Authority and IMPACS
- Use and sharing of API and PNR with Regional and International Security Agencies
- Transfer of API and PNR Data to Non-Participating Member States
PART III
API OPERATING PROVISIONS
- Duty to transmit API
- API Data Elements
- Timeframe for the submission of API data and Embarkation and Disembarkation data
- Protection of API data
- Retention of API and PNR data
- Penalties
PART IV
PNR OPERATING PROVISIONS
- Obligations of Captain or Agent of Aircraft regarding the transfer of PNR data
- Obligations of Master or Agent of Vessel regarding the transfer of PNR data
- PNR data transfer method and format
- Transmission Timeframe for PNR data
- Purpose Limitation of PNR data
- Automated processing of PNR data
- Sensitive Data
- PNR data and document retention
- Depersonalisation and Anonymisation of PNR data
- Data Protection Officer
- National Oversight
- Competent Authority to liaise with the Regional Data Protection Officer
- Competent Authority to liaise with the Data Protection Officer
- Safeguards and redress mechanisms
- Penalties
PART V
EXCHANGE OF PNR DATA WITH OTHER MEMBER STATES
- Transfer of PNR data by the Competent Authority or PIU to other Participating Member States and competent authorities
- Request from other Participating Member States
- Request for PNR data from another Participating Member State by the Competent Authority or PIU of Saint Christopher and Nevis
PART VI
MISCELLANEOUS
- Immunity from liability
- Regulations
- Amendment of the Schedules
- Requirement to submit all information electronically
- Non-Imposition of Penalties for Incomplete, Delayed or Erroneous messages resulting from technical issue
- Repeal of the Advance Passenger Information Act
Schedule I: Advance Passenger Information Data Elements and Embarkation and Disembarkation Data Elements
Schedule II: Timeframe for submission of API and Embarkation and Disembarkation Data
Schedule III: Timelines for Electronic Submission of PNR data by a Captain or Agent of an Aircraft
Schedule IV: Timelines for Electronic Submission of PNR data by a Master or Agent of a Vessel
Schedule V: Data Elements to be submitted under FAL Convention
Schedule VI: Passenger Name Record (PNR) Data Elements
SAINT CHRISTOPHER AND NEVIS
No. of 2024
A BILL to repeal and replace the Advance Passenger Information Act, No. 1 of 2017; to establish provisions, in accordance with international best practices, for the collection, transmission, sharing, storage and regulation of Advance Passenger Information and Passenger Name Record in respect of persons travelling to, departing from and transiting through Saint Christopher and Nevis; and to enhance the national and regional regulatory regimes and institutional cooperation frameworks governing and related to the implementation and operationalisation of Advance Passenger Information and Passenger Name Record systems, subject to international standards and national legislation governing data protection and data privacy, and other related matters
BE IT ENACTED by the King’s Most Excellent Majesty, by and with the advice and consent of the National Assembly of Saint Christopher and Nevis, and by the authority of the same as follows:
PART I
PRELIMINARY
Short title
- This Act may be cited as the Advance Passenger Information and Passenger Name Record Act, 2024.
Commencement
- This Act shall come into operation on such date as is fixed by the Minister, by Order.
Interpretation
- In this Act, unless the context requires otherwise —
“$” means United States Dollars;
“advance passenger information” or “API” means —
- a set of data detailing information concerning an aircraft or vessel; and
- information concerning a passenger and crew member, or any other person travelling in an aircraft or vessel as set out in Schedule I;
- embarkation and disembarkation data as set out in Schedule I (C);
“agent” means a person who is authorised in writing by the owner, captain or master of an aircraft or a vessel to perform a function under this Act on behalf of the owner, captain or master, as the case may be;
“aircraft” includes an aeroplane, helicopter or other means of airborne navigation by means of which persons, goods or both can travel across international borders;
“anonymisation of PNR data” means the process of removing or encrypting personally identifiable information (PII) from the PNR record;
“API hit” means a name or travel document present in the Watch List System;
“automated processing of data” means the utilisation of authorised applications, software or systems to analyse, screen and compare data against Watch Lists and other predetermined criteria with no human involvement in the subsequent decision-making process;
“captain” means the pilot of an aircraft designated by the operator, or in the case of general aviation, the owner or pilot designated by the owner, as being in command and charged with the safe conduct of the flight;
“CARICOM Advance Passenger and Crew Information System” or “CARICOM APIS” means the CARICOM Electronic Manifest Single Window (CEMSIW) for Advance Passenger Information and Passenger Name Record data interchange, which is —
- managed by IMPACS JRCC, established for the collection, processing and analysis of passenger and crew data to facilitate travel and to identify high risk travellers or potential threats to regional and national security or public safety;
- established for the transmission, collection, processing and screening of API and PNR data by the Competent Authority, and IMPACS against a Watch List for any API Hit;
- established to fulfil all regulatory requirements relating to the arrival or departure of an aircraft or vessel, passengers and crew into Saint Christopher and Nevis;
“CARICOM Council for Security and Law Enforcement” or “CONSLE” means the Council incorporated into the Revised Treaty of Chaguaramas by way of a Protocol which was opened for signature in March 2009;
“commercial aircraft” means an aircraft which engages in transporting passengers or goods for monetary gain;
“commercial vessel” means a vessel which engages in transporting passengers or goods for monetary gain;
“Competent Authority” means the Chief Immigration Officer, who for the purpose of this Act is responsible for –
- the effective and efficient collection and processing of API and PNR data of passengers and crew arriving at, transiting through and departing from Saint Christopher and Nevis; and
- undertaking the requisite national border security and risk management measures pursuant to paragraph (a);
“crew member” or “crew” means —
- in relation to aircraft, any individual charged with performing duties essential to the operation of an aircraft during flight including landing or take-off; and
- in relation to a vessel, any individual charged with performing duties essential to the operation of the vessel and the safety and well-being of its passengers or cargo during a journey;
“data processing” —
- means any operation or set of operations performed on API or PNR data for the purpose of enhancing border security, immigration control, customs clearance and other law enforcement purposes; and
- includes the collection, analysis, recording, organisation, storage, adaptation or alteration, calling-up, retrieval, consultation, use, transfer, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of API or PNR data;
“DPO” means Data Protection Officer appointed under section 32 of this Act;
“Departure Control System” or “DCS” –
- means the system used to support pre-flight or pre-voyage processes, including checking in of passengers onto aircraft or vessels; and
- streamline the departure process, ensure regulatory compliance, and enhance security measures by effectively handling API and PNR data;
“depersonalisation of PNR data” means the masking of information that enables direct identification of an individual, without hindering the use of PNR data by law enforcement agencies and entities;
“Embarkation and Disembarkation Data” means information concerning a passenger and crew member, or any other person travelling in an aircraft or vessel submitted to the Competent Authority and IMPACS through the CEMSIW who is expected to embark or disembark in Saint Christopher and Nevis as set out in Schedule I (C);
“FAL Convention” refers to the Convention on Facilitation of International Maritime Traffic (FAL), adopted on 9th April 1965 and entered into force on 5th March 1967;
“IATA” means the International Air Transport Association founded in Havana, Cuba, on 19th April 1945;
“ICAO” means the International Civil Aviation Organisation which was formed as a result of the Convention on International Civil Aviation also known as the “Chicago Convention” signed on 7th December 1944;
“IMO” means the International Maritime Organisation which was formerly the Inter-Governmental Maritime Consultative Organisation established by a convention adopted in Geneva in 1948 for the purpose of effectively promoting maritime safety;
“IMPACS” —
- means the Implementation Agency for Crime and Security which was established under the 2006 Agreement establishing the CARICOM Implementation Agency for Crime and Security (IMPACS); and
- includes its sub-agencies, namely —
- the Joint Regional Communication Centre (JRCC); and
- the Regional Intelligence Fusion Centre (RIFC);
“INTERPOL” means the International Crime Police Organisation;
“JRCC” means the Joint Regional Communications Centre which is a sub-agency of IMPACS;
“master” includes every person having command or charge of a vessel other than a pilot;
“Minister” means the Minister to whom responsibility for national security is assigned;
“Participating Member States” means States that utilise CARICOM APIS to support the processing and analysis of passenger and crew data and the transmission, collection, processing and screening of API and PNR data;
“passenger” means any person not being a bona fide crew member, travelling or seeking to travel on an aircraft or vessel;
“passenger data” means the list of API and PNR data set out in Schedules IV and VI collectively;
“Passenger Information Unit” or “PIU” means the authority established under section 8;
“passenger name record” or “PNR” means the record created by aircraft or vessel operator or their agents, for each voyage or flight booked by or on behalf of any passenger in the reservation system, Departure Control System or equivalent system as set out in Schedule VI;
“personal data” means all information that can be used to identify a natural person;
“PNR data transfer” means the transfer of PNR data to the Competent Authority and IMPACS via the CEMSIW managed by IMPACS JRCC in the format set out in Schedule VI;
“PNRGOV message” means the standard electronic message format jointly endorsed by World Customs Organization, International Civil Aviation Organisation and International Air Transport Association used by aircraft and vessel to submit PNR data;
“positive match” means the matching of personal or document data of an individual resulting from a comparison, whether naturally or by means of any electronic or other device, between any personal data of the individual, or between any document used by an individual for purposes of travel, against authorised databases and Watch Lists for the purposes of the implementation of this Act;
“push method” means the method used for the transfer of PNR data from the airlines, vessels or transportation operators to the Competent Authority and IMPACS via the CEMSIW;
“private aircraft” means any aircraft which is not a commercial aircraft or state aircraft;
“private vessel” means any vessel which is not a commercial vessel or a state-owned vessel;
“regional space” means the air and maritime spaces managed by the respective governments of the CARICOM Member States in accordance with international aviation and maritime law;
“serious crime” means an offence against the laws of Saint Christopher and Nevis for which a term of imprisonment of at least 12 months is required to be imposed;
“technical stop” or “stop for non-traffic purposes” means an aircraft or vessel arriving for purposes of refuelling, repairs, emergency or a similar purpose other than taking on or discharging passengers, baggage, cargo or mail;
“terrorist offence” means any offence established under the Anti-Terrorism Act, Cap. 4.02 or any other national enactment in respect of acts of terrorism;
“vessel” —
- means any ship, boat, barge, yacht, or other floating or submersible transportation by means of which persons and goods can travel across international borders; and
- includes a cruise line, a cargo ship and a tugboat;
“Vessel Operator” means an individual, company, or organization responsible for the operation, management, and control of a particular vessel. This includes overseeing the navigation, manoeuvring, and overall operation of the vessel, as well as ensuring compliance with maritime regulations, safety protocols, and operational procedures;
“Watch List” means a list maintained by IMPACS and the Competent Authority that is used for the identification, tracking and monitoring of the activities or movements of criminals and suspicious travellers, including-
- terrorists or persons convicted of a criminal offence;
- persons suspected to be travelling on stolen and lost travel documents (SLTDs);
- criminal deportees; and
- other persons of interest to law enforcement and the intelligence community.
Scope and Application of Act
- This Act shall apply to the collection, use, retention, transfer, and protection of Advance Passenger Information (‘API’) and Passenger Name Record (‘PNR’) data, by the Competent Authority of Saint Christopher and Nevis, and IMPACS.
Duty to provide Advance Passenger Information (API), Passenger Name Record (PNR) Data and Embarkation and Debarkation Data
5. (1) A master, captain or agent of every aircraft or vessel shall provide to the Competent Authority and IMPACS via the CEMSIW managed by IMPACS JRCC the relevant API and PNR data relating to the passenger and crew, flight or voyage as set out in Schedules IV and VI.
(2) The duty to provide API and PNR data shall apply to all aircraft and vessels, regardless of size and tonnage which are —
- expected to arrive in Saint Christopher and Nevis;
- expected to depart from Saint Christopher and Nevis; or
- in transit through Saint Christopher and Nevis.
(3) Where a flight is code-shared between one or more aircraft, a captain or agent of the operating carrier shall provide API and PNR data of all passengers and crew to the Competent Authority and IMPACS via the CEMSIW.
(4) A passenger or crew traveling into and out of Saint Christopher and Nevis shall provide to the Competent Authority and IMPACS via the CEMSIW managed by IMPACS JRCC the relevant embarkation and disembarkation data as set out in Schedule I (C).
Vessel or aircraft arriving for non-traffic purposes or making a technical stop
- (1) Nothing in section 5 applies to an aircraft or vessel which makes a technical stop or lands, berths, anchors, or otherwise arrives or stops at any port for non-traffic purposes if the arrival is —
- required by any statutory or other requirement relating to navigation;
- compelled by any emergency, accident, unfavourable weather conditions, or other necessity; or
- authorised by the Competent Authority.
- Where an aircraft or vessel arrives or stops for any of the reasons outlined in subsection (1), the captain or master shall —
- forthwith report to the Competent Authority;
- comply with any directions given by the Competent Authority in respect of any crew member, or passenger carried on the aircraft or vessel, and
- not, without the consent of the Competent Authority, permit a crew member or passenger to disembark from the aircraft or vessel;
- Subject to any authorisation granted by the Competent Authority, neither a crew member nor a passenger on an aircraft or vessel shall without the consent of that authority disembark from the aircraft or vessel, and any such person shall comply with any direction given by the Competent Authority.
- A captain, master or agent who fails to comply with or contravenes this section is liable, in the case of a first offence, to an administrative fine of $5,000 to be imposed by the Competent Authority and in the case of a second or repeating offence, to an administrative fine of $20,000.
- Notwithstanding subsection (4), the disembarkation of a crew member or a passenger from an aircraft or vessel shall not constitute an offence, if the disembarkation is necessary for reasons of health, safety or the preservation of life.
Powers and duties of the Competent Authority
- (1) The Competent Authority shall —
- be responsible for overseeing and implementing the provisions of this Act;
- establish protocols, standards, issue guidelines and technical requirements for the secure transmission, storage, and processing of API and PNR data;
- establish a PIU to manage and conduct risk assessments and analysis of the API and PNR data collected from an aircraft and vessel through the CEMSIW for the purpose of prevention, detection, investigation and prosecution of terrorism and serious crime and submit the results to the law enforcement personnel at ports of entry in Saint Christopher and Nevis, using appropriate tools, technologies, and intelligence methodologies;
- establish secure channels and reliable systems for the timely transmission, receipts, storage, management and transfer of API and PNR data from an aircraft and vessel, or transportation operators to the designated authorities or entities;
- in collaboration with IMPACS, monitor compliance with API and PNR regulations and may conduct reviews or inspections of aircraft, vessels, or transportation operators’ operations to ensure adherence to the data collection and transmission requirements;
- establish data transfer agreements or arrangements with other receiving Member States or Competent Authorities, specifying the obligations, safeguards, and conditions for the use, storage, and retention of the transferred PNR data;
- conduct audits and inspections to ensure compliance with the Act;
- establish cooperation and information sharing mechanisms with relevant national and international entities to enhance the effectiveness of API and PNR data usage;
- maintain confidentiality and data protection standards for the handling of API and PNR data;
- provide necessary training and support to PIU Personnel and persons involved in the API and PNR data management process; and
- co-ordinate with IMPACS on matters relating to API and PNR and ensure compliance with this Act.
- The Competent Authority shall —
- be entitled to access API and PNR data or the data processing results in order to examine such information further;
- manage API and PNR data adequately and provide an appropriate level of protection of these data in keeping with the principles of data protection, international best practices and national enactments;
- verify data during physical processing of any passenger or member of crew at any port of entry or exit by comparing the API information to the information contained in the travel document presented by the passenger or member of crew;
- liaise and coordinate with relevant national, regional and international organisations to ensure that, in so far as it is practicable, mechanisms are established which remove the requirement of passengers to submit the same information to more than one entity in respect of the same voyage or journey;
- correct any erroneous data at the port of entry or exit and update the information in APIS and PNR databases after verifying it from the travel or other relevant documents of the crew member or passenger;
- undertake appropriate action for the purposes of preventing, detecting, investigating and prosecuting terrorist offences or serious crimes as well as for border security purposes;
- co-ordinate with IMPACS on all matters relating to API, PNR submissions and CEMSIW;
- if requested, permit the crew or passenger from an aircraft or vessel access to his personal identifiable information maintained in the APIS database to ensure its correctness; but no passenger shall have access to any information provided by IMPACS JRCC to the Competent Authority against a Watchlist for any API hit;
- process all API Hits, high risk travellers and cargo information flagged and referred by IMPACS JRCC and provide timely dispositions on these referrals, in keeping with established protocols;
- determine after consultation with IMPACS JRCC the admissibility or otherwise of passengers or crew into Saint Christopher and Nevis;
- withhold clearance for the departure of an aircraft or vessel whose captain, master or agent has not provided the API and PNR data required pursuant to section 5(3), pending submission of the data; and
- assess the sufficiency, and error rates in reviewing API and PNR transmissions for each flight or voyage.
- Notwithstanding subsection (2)(h) and (j), any decision with respect to the admissibility or inadmissibility of passengers or crew from an aircraft or vessel shall be made solely by the Competent Authority.
- The Competent Authority shall carry out all its activities and responsibilities in a manner consistent with the protection of personal data, principles of data protection and national enactments governing data protection and data privacy.
- In a situation where a PIU has not yet been established or is not operational, the Competent Authority shall process API and PNR data and shall —
- coordinate with IMPACS in carrying out an assessment of passengers prior to their scheduled arrival in or departure from Saint Christopher and Nevis to identify persons who require further examination by the Competent Authority; and
- analyse API and PNR data for the purpose of updating or creating new criteria to be used in the screening process.
- Any positive match resulting from the automated processing of API and PNR data shall be individually reviewed by non-automated means to verify whether the Competent Authority shall take action in accordance with this Act.
- The Competent Authority shall not take any decision —
- that produces an adverse legal effect on a person or significantly affects a person only by reason of the automated processing of data; or
- on the basis of a person’s race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation, unless failure to take the decision would be prejudicial to the interests of public health, public safety and national security.
Restriction of disclosure of data or documentation by the Competent Authority
- (1) The Competent Authority shall ensure that —
- all data, information, and documentation obtained or generated in the course of its functions and responsibilities shall be treated as confidential and subject to non-disclosure obligations; and
- its personnel shall refrain from disclosing any confidential data or documentation, except as expressly authorised by law or with the explicit consent of the relevant parties involved.
- The Competent Authority may disclose confidential data or documentation under the following circumstances:
- when required by law or court order, subject to any applicable legal procedures and safeguards;
- when necessary to fulfil the purposes for which the data or documentation was collected, provided that such disclosure is in accordance with the applicable laws, regulations, and privacy protections; and
- when disclosure is required to safeguard national security, public safety, or the prevention, detection, investigation, or prosecution of serious crimes, subject to the applicable legal framework and relevant procedures.
- The Competent Authority shall —
- ensure that all disclosed data or documentation is handled in compliance with applicable data protection laws and regulations;
- establish and maintain appropriate technical, organisational, and administrative measures to protect the confidentiality, integrity, and security of the disclosed data or documentation;
- restrict access to disclosed data or documentation to authorised personnel who have a legitimate need-to-know for the performance of their duties;
- implement access controls, user authentication mechanisms, and monitoring systems to prevent unauthorised access or disclosure of the data or documentation;
- prohibit its personnel from making any unauthorised disclosure of confidential data or documentation, both during and after their employment or engagement with the authority; and
- implement disciplinary measures and legal remedies to address any unauthorised disclosure, including imposing penalties, suspension, or termination of employment, as deemed appropriate.
Powers and Duties of IMPACS
- For the purpose of this Act, IMPACS shall —
- manage the CEMSIW;
- establish and maintain a centralised database or system for the storage, management and analysis of API and PNR data collected via the CEMSIW;
- ensure the security, integrity, and confidentiality of the API and PNR data within its systems, by employing appropriate technological measures and implementing requisite internal policies that facilitate the collection, storage, processing and sharing of API and PNR data in compliance with data protection and privacy laws;
- facilitate the sharing of API and PNR data with authorised national and international entities involved in border control, immigration, security, law enforcement or other authorised purposes, as approved by CONSLE;
- conduct research, analysis and intelligence activities based on the API and PNR data collected, to identify trends, patterns, high risk travellers, or potential threats to national security or public safety;
- produce reports, assessments, or intelligence briefings based on the analysis of API and PNR data, providing actionable insights and recommendations to the Competent Authority and other authorised entities as approved by CONSLE;
- provide technical support, guidance and training to the Competent Authority, aircraft, vessels, transportation operators, and other stakeholders involved in the collection and transmission of API and PNR data;
- implement appropriate measures and safeguards to protect the privacy and confidentiality of API and PNR data, ensuring compliance with applicable data protection laws and regulations;
- establish procedures for the depersonalisation, and anonymisation of PNR data when necessary to safeguard the rights and privacy of individuals; and
- establish and maintain collaborations, partnerships and information sharing arrangements with relevant international organisations, agencies or counterparts involved in the collection and analysis of API and PNR data.
PART II
COMMON PROVISIONS FOR ADVANCE PASSENGER INFORMATION AND PASSENGER NAME RECORD
Establishment of a Passenger Information Unit
- There shall be established by the Minister a “Passenger Information Unit” (PIU) which shall comprise —
- an Immigration Officer of senior rank, as head of the Unit;
- a Police Officer;
- a Customs and Excise Officer;
- a Data Protection Officer; and
- such number of Immigration Officers and personnel as the Minister may determine in consultation with national law enforcement agencies.
Functions of the PIU
- (1) The PIU shall —
- receive, store, process, analyse and manage all API and PNR data transmitted by an aircraft and vessel in accordance with the provisions of this Act for the purpose of national security on behalf of the Competent Authority;
- manage and conduct risk assessments and analysis of all API and PNR data collected from an aircraft and vessel through the CEMSIW for the purpose of prevention, detection, investigation and prosecution of terrorism and serious crime and submit the results to the law enforcement personnel at ports of entry in Saint Christopher and Nevis through the use of appropriate secure tools, technologies, and intelligence methodologies;
- in collaboration with the Competent Authority and IMPACS, ensure all aircraft and vessel operators, passengers and crew are aware of their statutory obligations under the Act and compliant with the requirements to enter and leave Saint Christopher and Nevis;
- in collaboration with the Competent Authority, liaise and ensure effective communication and cooperation with any government department or government agency, by sharing information that it has acquired in the course of its duties or in the exercise of its functions under this Act, and undertake any other responsibility that shall be so assigned by the Competent Authority;
- liaise, collaborate and exchange information, as required, with other national, regional and international competent authorities, including other passenger information units and national, regional and international law enforcement organisations; and
- establish formal arrangements with national, regional and international competent authorities, where required, to support the implementation of its functions.
- The PIU shall carry out all its functions, activities and responsibilities in a manner consistent with the protection of personal data, principles of data protection and national enactments governing data protection and data privacy.
- In processing API and PNR data, the PIU shall —
- coordinate with IMPACS and other competent authorities in carrying out an assessment of passengers and crew prior to their scheduled arrival in or departure from Saint Christopher and Nevis to identify persons who require further examination by the Competent Authority; and
- analyse API and PNR data for the purpose of updating or creating new criteria to be used in the screening and risk assessment process and share risk information and intelligence with IMPACS to further risk assessments and generation of risk criteria.
- Any positive match resulting from the automated processing of API and PNR data shall be individually reviewed by non-automated means to verify whether the Competent Authority shall take action in accordance with this Act.
- The PIU shall possess the capability of 24 hours a day 7 days a week operation, with procedures in place to minimise disruption in the event of an emergency, system outage or failure.
Advance Passenger Information and Passenger Name Record Data access
- (1) No government department or agency shall have direct access to API and PNR data that is maintained by the Competent Authority and PIU.
(2) Notwithstanding subsection (1), the Competent Authority may, pursuant to a written request from another government department or agency, grant limited access to the Advance Passenger Information and the Passenger Name Record data.
(3) All data must be validated by the Competent Authority before it is transmitted to the requesting government department or agency.
(4) Any person who, without the requisite authorisation, accesses, attempts to access, facilitates access or causes access to API and PNR data that is maintained by the Competent Authority and PIU, commits an offence and is liable on summary conviction to a fine of $40,000 or imprisonment for a term of three years, or both.
Processing of API and PNR data
- (1) The PIU shall process API and PNR data for the following purposes:
- conducting risk assessment of passengers and crew before their scheduled arrival in or departure from Saint Christopher and Nevis to identify individuals who require further examination for potential involvement in terrorist related activities or serious crimes;
- responding to requests received from other competent authorities and government agencies for specific cases, aimed at preventing, detecting, investigating, and prosecuting terrorist offenses or serious crimes; and
- analysing API and PNR data to update or establish new criteria used in the assessments mentioned in (a) above to identify individuals involved in terrorist offenses or serious crimes.
- PNR data shall not be processed in such a manner as to reveal the race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation of an individual and where PNR data reveal such information, they shall be deleted immediately by the PIU.
- When carrying out an assessment under subsection (1)(a) the PIU may —
- compare API and PNR data with authorised databases for the purpose of preventing, detecting, investigating, and prosecuting terrorist offenses or serious crimes, including databases of wanted persons or objects, as permitted by law, or
- analyse API and PNR data using non-discriminatory criteria and share results with the relevant authorities.
- The assessment of passengers and crew prior to their arrival in or departure from Saint Christopher and Nevis carried out under subsection (1)(a) against established criteria shall be carried out in a non-discriminatory manner.
- Criteria used in the assessment of passengers and crew shall —
- be targeted, proportionate and specific in nature; and
- be regularly reviewed in consultation with the Competent Authority and IMPACS.
6. Notwithstanding subsection (5), a criterion for the assessment of passengers shall not, in any circumstance, be based on race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life or sexual orientation.
- Where PNR data collected includes data other than those listed in Schedule VI of the Act any such data shall be deleted immediately and permanently upon receipt.
- The storage, processing and analysis of API and PNR data shall be carried out exclusively within a secure location or locations within Saint Christopher and Nevis, as designated by the Minister.
Verification of API and PNR Data submitted to the Competent Authority and IMPACS
- (1) The Competent Authority and IMPACS shall establish a robust system for the verification of API and PNR data submitted by aircraft or vessels, ensuring the accuracy, integrity, and reliability of the data collected, and the verification process shall be conducted in accordance with applicable laws, regulations, and data protection principles.
(2) The Competent Authority and IMPACS shall employ appropriate mechanisms and tools to validate the API and PNR data provided by aircraft or vessels which may include cross checking the data against reliable and authoritative sources, such as travel documents, identity databases or immigration records.
(3) The API and PNR data shall be subject to risk assessment and analysis to identify potential anomalies, discrepancies, or patterns that may require further investigation or action.
(4) Where discrepancies or inconsistencies are identified during the verification process, the Competent Authority and IMPACS shall promptly notify the relevant aircraft or vessel or submitter of API and PNR data, following which the aircraft or vessel shall be given an opportunity to rectify the discrepancies within a specified timeframe.
Use and sharing of API and PNR with Regional and International Security Agencies
- (1) The Competent Authority and IMPACS shall use API and PNR data to conduct screening of passengers and crew on an aircraft or vessel that —
- arrives, departs from and transits through Saint Christopher and Nevis; and
- travels within the regional space in order to provide information to assist the Competent Authority and IMPACS, as required, and other Participating Member States,
against Watch Lists and national, regional, and international databases approved by CONSLE.
(2) CONSLE may, from time to time, identify and update the list of national, regional, and international databases which are to be used to conduct screenings referred to in subsection (1).
(3) Approved national, regional and international databases shall be used to conduct screenings, as authorised by the Minister.
(4) The Competent Authority and IMPACS may share the information contained within the APIS and PNR System with INTERPOL and any other national, regional or international intelligence, law enforcement or security agencies or centres approved by CONSLE in order to further national, regional or international security.
(5) API and PNR data shall only be used for the purposes of this Act and to inform national compilation of statistics by Government Ministries, Departments and Agencies authorised to do so.
Transfer of API and PNR Data to Non-Participating Member States
- (1) The Competent Authority or IMPACS may transmit API and PNR data to the designated authority of another country responsible for national security only —
- in accordance with this Act; and
- upon ascertaining that the recipient country intends to use the data in a manner consistent with this Act.
(2) Any conflict between the provisions of this Act and national enactments of a recipient country shall be resolved prior to the transfer of data referred to in subsection (1), where the level of management and protection of data in the recipient country is lower than in Saint Christopher and Nevis.
PART III
API OPERATING PROVISIONS
Duty to transmit API
- (1) The captain, master or agent of every aircraft or vessel shall provide to the Competent Authority and IMPACS via the CEMSIW the relevant API data relating to an aircraft or vessel as set out in Schedule I and in accordance with the timeframes stipulated in Schedule II.
- The captain, master or agent of an aircraft or vessel, along with the Competent Authority and IMPACS shall ensure that all API data collected, received, processed, stored, retained, and transferred are in compliance with general data protection principles.
- In addition to any information provided pursuant to subsection (1), the Competent Authority may —
- question any captain, master, agent, crew member or passenger in relation to the aircraft or vessel; or
- request any person within the category of persons mentioned in paragraph (a) to forthwith produce any document within that person’s possession or control in relation to the questions put to the person.
- Any captain, master, agent, member of crew or passenger who —
- refuses to answer or knowingly gives a false answer to any questions put to him by the Competent Authority; or
- fails to comply with a request under subsection (3)(b),
is liable, in the case of a first offence, to an administrative fine of $5,000 to be imposed by the Competent Authority and in the case of a second or repeating offence, to an administrative fine of $20,000.
- The Minister may waive the requirements of subsection (1) in such circumstances and subject to such conditions as the Minister may prescribe where the aircraft or vessel is —
- a military or law enforcement aircraft or vessel;
- on official Government business; or
- (c) on the business of a humanitarian organisation.
API Data Elements
- Any aircraft or vessel arriving, departing from or transiting through Saint Christopher and Nevis shall transmit API data to the Competent Authority and IMPACS, through the CEMSIW, in a manner consistent with the list of API data elements set out in Schedule I.
Timeframe for the submission of API data and Embarkation and Disembarkation data
- (1) API data shall be submitted to the Competent Authority and IMPACS, through CEMSIW, in accordance with the timelines set out in Schedule II (A).
(2) In the event of technical failure, an aircraft or vessel shall transmit API by any other appropriate electronic means, in accordance with the timelines set out in Schedule II (A), ensuring the application of the appropriate level of data security.
(3) Embarkation and disembarkation data shall be submitted to the Competent Authority and IMPACS, through CEMSIW, in accordance with the timelines set out in Schedule II (B).
Protection of API data
- (1) An individual may request access to his or her API data to check and verify its accuracy and, where appropriate, request the correction of his or her data, in accordance with data protection principles and national enactments governing data protection and data privacy.
(2) An individual shall have the right to lodge a complaint before the Data Protection Officer if he or she considers that the processing of his or her API data is not in compliance with the provisions of this Act.
Retention of API data
- (1) API data collected under this Act for screening purposes shall be retained for a period not exceeding seven years from the date of travel of the crew member or the passenger.
(2) Upon expiry of the data retention period stipulated under subsection (1), API data shall be deleted from each database in which they were stored, except if needed in connection with a specific case, a threat or a risk identified as being related to terrorism, serious crime or border security.
(3) Nothing contained in subsection (1) applies to the data copied from APIS into any other security database system to which a different data retention schedule applies.
(4) Any security database that stores API data which has been sourced or copied from CARICOM APIS shall apply, at a minimum, equal levels of protection and privacy as applied by CARICOM APIS in accordance with data protection principles and international best practices.
Penalties
- (1) Subject to subsection (2), any captain or master who —
- fails to provide API in accordance with this Act; or
- intentionally or recklessly —
- provides erroneous, faulty, misleading, incomplete, or false API; or
- engages in, or facilitates API data transfer in an incorrect format,
commits an offence and is liable, in the case of a first offence, to an administrative fine of $5,000 to be imposed by the Competent Authority and in the case of a second or repeating offence, to an administrative fine of $20,000.
(2) Where the API provided is inaccurate and the captain, master or agent of the aircraft or vessel satisfies the Competent Authority that the error was not made knowingly or recklessly, then notwithstanding any other provision of this Act, the captain, master or agent may not be charged for an offence pursuant to subsection (1).
(3) Any passenger or crew who fails to provide Embarkation and Disembarkation data in accordance with this Act or intentionally or recklessly provides erroneous, misleading, incomplete, or false data is liable to an administrative fine of $400.
PART IV
PNR OPERATING PROVISIONS
Obligations of Captain or Agent of Aircraft regarding the transfer of PNR data
- (1) A captain or agent of an aircraft shall, in accordance with this Act, transfer by the push method to the Competent Authority and IMPACS via the CEMSIW all PNR data which it has collected in the normal course of business in respect of passengers to be carried by that aircraft into and out of Saint Christopher and Nevis.
(2) Where a flight in respect of which PNR data is required to be collected and transmitted is code-shared between one or more aircraft, a captain or agent of the operating carrier shall transmit the PNR data of all passengers on the flight to the Competent Authority and IMPACS.
(3) A captain or agent of an aircraft shall transfer PNR data to the Competent Authority and IMPACS by electronic means in accordance with the timelines stipulated in Schedule III.
(4) A captain or agent of an aircraft may, when providing updated passenger information, limit the transmission of PNR data to an update of the information previously provided.
(5) A captain or agent of an aircraft shall also transfer PNR data to the Competent Authority and IMPACS on a case-by-case basis, at the request of the Competent Authority and IMPACS at times other than those provided for in subsection (3) where access to that data is required in order to respond to a specific and actual threat related to terrorist offences or serious crime.
(6) A captain or agent of an aircraft shall maintain records of PNR data transfers, including the date, time and details of the transmission, for a specified period as required by the Competent Authority.
(7) A captain or agent of an aircraft shall cooperate fully with the Competent Authority and IMPACS in relation to the transfer of PNR data, providing any additional information or assistance as required for the purpose of national security, law enforcement or other authorised purposes.
(8) A captain or agent of an aircraft shall comply with all requirements under this Act.
Obligations of Master or Agent of Vessel regarding the transfer of PNR data
- (1) A master or agent of a vessel shall, in accordance with this Act, transfer by the push method to the Competent Authority and IMPACS via the CEMSIW all PNR data which it has collected in the normal course of business in respect of passengers and crew to be carried by that vessel into and out of Saint Christopher and Nevis.
(2) Where a commercial or private vessel in respect of which PNR data is required to be collected and transmitted is code-shared between one or more vessels, a captain or agent of the operating carrier shall transmit the PNR data of all passengers and crew on the vessel to the Competent Authority and IMPACS.
(3) A master or agent of a vessel shall transfer PNR data to the Competent Authority and IMPACS by electronic means in accordance with the timelines specified in Schedule IV.
(4) A master or agent of a vessel, when providing updated passenger information, may limit the transmission of PNR data to an update of the information previously provided.
(5) A master or agent of a vessel shall also transfer PNR data to the Competent Authority and IMPACS on a case-by-case basis, at the request of the Competent Authority and IMPACS at times other than those provided for in subsection (3) where access to that data is required in order to respond to a specific and actual threat related to terrorist offences or serious crime.
(6) A master or agent of a vessel shall maintain records of PNR data transfers, including the date, time and details of the transmission, for a specified period as required by the Competent Authority.
(7) A master or agent of a vessel shall cooperate fully with the Competent Authority and IMPACS in relation to the transfer of PNR data, providing any additional information or assistance as required for the purpose of national security, law enforcement or other authorised purposes.
(8) A master or agent of a vessel shall accurately complete and submit information, including such information related to health, crew effects, ship stores and dangerous goods to the Competent Authority and IMPACS, through the CEMSIW for processing, in accordance with the data elements as reflected in Schedule V, pursuant to the FAL Convention, as updated.
(9) A master or agent of a vessel shall comply with all requirements under this Act.
PNR data transfer method and format
- (1) Subject to subsections (4) and (5), any aircraft or vessel arriving, departing from or transiting through Saint Christopher and Nevis shall transfer PNR data, collected in the course of their normal business operations to the Competent Authority and IMPACS through the CEMSIW by the push method, using the PNRGOV message format.
(2) An aircraft or vessel arriving, departing from or transiting through Saint Christopher and Nevis shall not be required to collect and transfer PNR data which they have not collected in the course of their normal business operations.
(3) An aircraft or vessel arriving at, departing from or transiting through Saint Christopher and Nevis shall not be required to filter PNR data prior to their transmission to the Competent Authority and IMPACS.
(4) In the event of a technical failure or any other exceptional case, an aircraft or vessel shall transfer PNR data by any other appropriate electronic means as an alternative to the push method.
(5) The PNR data to be transmitted shall be consistent with the data elements set out in Schedule VI.
Transmission Timeframe for PNR data
- (1) Subject to subsection (2), an aircraft or vessel operating a flight or voyage arriving at, departing from or transiting through Saint Christopher and Nevis shall transfer PNR data to the Competent Authority and IMPACS in accordance with Schedule III or Schedule IV, respectively.
(2) In the event of a cancellation of a scheduled flight or voyage after the first transmission of PNR data, no further transmission shall be required.
(3) Where access to PNR data is required to respond to a specific threat to the public or in the interest of national security, an aircraft or vessel shall be required to provide the Competent Authority and IMPACS, PNR data prior to, between, or after the scheduled transmission timelines established in subsection (1).
Purpose Limitation of PNR data
- (1) PNR data collected in accordance with this Act shall be processed only for the purposes of preventing, detecting, investigating and prosecuting terrorist offences and serious crime and for border security purposes.
(2) In exceptional cases, notwithstanding subsection (1), PNR data may be processed, where necessary, for the protection of the vital interests of any individual, such as the risk of death, serious injury or threat to life or health.
(3) The Competent Authority may share PNR data with national Ministries, Departments and Agencies, where required under any enactment and in accordance with data protection principles and international best practices.
Automated processing of PNR data
- (1) Automated processing of PNR data shall be based on objective, precise and reliable criteria that effectively indicate the existence of a risk, without leading to unlawful differentiation among individuals.
(2) Automated processing of PNR data shall not be discriminatory.
(3) In accordance with national enactments related to data protection and data privacy, a decision which produces significant adverse actions on individuals, affecting their legal interests, rights or other legal entitlements, as provided for under national enactments, shall not be made on the sole basis of the automated processing of PNR data.
Sensitive Data
- (1) No person shall process PNR data revealing the race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, health, sexual life or sexual orientation of an individual.
(2) PNR data containing sensitive personal information shall be immediately deleted if received by the Competent Authority and IMPACS.
(3) Notwithstanding subsections (1) and (2), sensitive data may be processed in exceptional and immediate circumstances to protect the vital interests of an individual.
PNR data and document retention
- (1) PNR data provided by a captain or agent of an aircraft, or a master or agent of a vessel to the Competent Authority and IMPACS shall be retained in a database of the Competent Authority and IMPACS for a period of seven years after its transfer.
(2) PNR data transferred in accordance with subsection (1) shall be deleted permanently upon the expiration of the period of seven years after they were transferred.
(3) PNR data or the results of the processing of such data that have been transferred to a Competent Authority by the PIU shall be deleted permanently —
- upon the expiration of a period of seven years after they were transferred; or
- where the data were retained for the purpose of the prevention, detection, investigation or prosecution of a terrorist offence or serious crime and proceedings for such offence are brought against any person, on the day on which final judgment is given in the proceedings, whichever occurs later.
(4) The result of the assessment of passengers and crew shall only be retained by the Competent Authority for as long as is necessary to inform competent authorities and passenger information units of other Member States of a positive match.
(5) Where the result of automated processing has, following individual review by non-automated means, proven to be negative it may be retained in order to avoid future false positive matches for as long as the underlying data are not destroyed in accordance with this Act.
(6) The Competent Authority shall ensure that the PIU maintains documentation relating to all of its processing systems and procedures and that documentation shall contain at least —
- the name and contact details of the organisation and personnel of the PIU entrusted with the processing of PNR data and the different levels of access authorisation;
- the requests made by the Competent Authorities and the PIUs of other Member States; and
- all requests for and transfers of PNR data to a third country.
(7) The PIU shall keep records of its processing operations involving collection, consultation, disclosure and erasure of PNR data.
(8) Records kept under subsection (7) in relation to consultation and disclosure shall show, in particular —
- the purpose, date and time of such operations; and
- as far as possible, the identity of the member of staff of the PIU who consulted or disclosed the PNR data and the identity of the recipients of those data.
(9) Records kept under subsection (7) shall be —
- used solely for the purposes of verification, self-monitoring, ensuring data integrity and security, and auditing; and
- kept for a period of seven years.
(10) The PIU shall, on request, make available to the Data Protection Officer all documentation required to be maintained under this Act.
(11) The PIU shall put in place and implement appropriate technical and organisational measures and procedures to ensure a high level of security appropriate to the risks represented by the nature and processing of PNR data.
(12) Where a personal data breach occurs and this is likely to result in a high risk to the protection of the personal data concerned or affect the privacy of the data subject adversely, the breach shall be communicated to the data subject and to the Data Protection Officer without undue delay.
Depersonalisation and Anonymisation of PNR data
- (1) PNR data transferred by a captain or agent of an aircraft, or a master or agent of a vessel to the Competent Authority and IMPACS via the CEMSIW shall, after a period of six months from their transfer, be depersonalised, no longer enabling direct identification of the passengers or crew, except when used in connection with an identifiable ongoing case, threat or risk related to the purposes stipulated in this Act.
(2) The following data elements shall be removed to facilitate the depersonalisation of PNR data referred to in subsection (1):
- passenger and crew name or names, including the names of other passengers and crew on the PNR and number of passengers and crew on the PNR travelling together;
- address and contact information;
- all forms of payment information, including billing address, to the extent that it contains any information which could serve to directly identify the passenger and crew to whom the PNR data relate, or any other person;
- frequent flyer/traveller information;
- any general remarks relating to the PNR data to the extent that they contain any information which could serve to directly identify the passenger and crew to whom the PNR data relate; and
- depersonalised data shall be retained for statistical, analytical or research purposes, provided that it does not infringe upon the privacy rights of the individuals.
(3) PNR data may be re-personalised only if needed in connection with an identifiable ongoing case, threat or risk related to the purposes stipulated in this Act, upon authorisation by the Competent Authority.
(4) PNR data shall be deleted or anonymised after it has been retained for a period of seven years, except when used in connection with an identifiable ongoing case, threat or risk related to the purposes stipulated in this Act.
(5) Nothing contained in subsection (1) applies to PNR data copied from the databases managed by the Competent Authority and IMPACS JRCC into any other security database system to which a different data retention schedule applies.
(6) Any security database that stores PNR data which has been sourced or copied from databases managed by the Competent Authority and IMPACS shall apply, at a minimum, equal levels of protection and privacy in accordance with data protection principles and international best practices.
Data Protection Officer
- (1) The Competent Authority and IMPACS shall appoint a qualified and experienced individual as the Data Protection Officer (DPO) to oversee and ensure compliance with data protection laws and regulations relating to PNR data.
(2) The DPO shall —
- operate independently and autonomously in performing his duties, free from any conflicts of interest and for this purpose shall have direct access to the highest levels of management within the Competent Authority and IMPACS;
- possess expert knowledge of data protection laws and regulations, as well as a deep understanding of the specific requirements and challenges associated with the collection, processing, and management of PNR data;
- provide advice, guidance, and recommendations to the Competent Authority and IMPACS on matters related to the processing of PNR data, ensuring compliance with applicable data protection laws and regulations;
- monitor the processing activities related to PNR data, including data collection, storage, access, use, and sharing, to ensure compliance with legal requirements and established policies and procedures;
- conduct regular risk assessments regarding the processing of PNR data and identify potential risks or vulnerabilities, and shall work with relevant departments and stakeholders to implement appropriate measures to mitigate risks and safeguard the rights and privacy of individuals;
- be responsible for conducting or overseeing Data Protection Impact Assessments (DPIAs) relating to the collection, processing, and management of PNR data, and ensure that DPIAs are carried out in accordance with relevant legal requirements;
- act as the main point of contact for individuals, including passengers and crew members, regarding their rights, concerns, and inquiries related to the processing of their PNR data and in so doing shall facilitate the exercise of data subjects’ rights and handle any complaints or data breaches;
- organise and provide training programs, workshops, and awareness campaigns to enhance the Competent Authority’s and IMPACS’ employees’ understanding of data protection principles, obligations, and best practices related to PNR data processing;
- cooperate and maintain effective communication with relevant data protection authorities or regulatory bodies, providing necessary information, reports, and notifications as required by applicable laws and regulations;
- prepare periodic reports on data protection activities, incidents, and compliance status for senior management and relevant stakeholders and shall ensure transparency and accountability in the processing of PNR data; and
- provide national oversight for the protection of PNR data.
(3) The Competent Authority and IMPACS shall provide the necessary resources, authority and support to enable the DPO to fulfil their responsibilities effectively.
(4) The DPO’s contact information shall be made publicly available to allow individuals to reach out with inquiries, concerns, or complaints related to PNR data processing.
National Oversight
- The Data Protection Officer shall provide national oversight for the protection of PNR data.
Competent Authority to liaise with the Regional Data Protection Officer
- (1) The Competent Authority shall liaise with and provide the requisite support and information to the Regional Data Protection Officer appointed by the Executive Director of CARICOM IMPACS.
(2) The Regional Data Protection Officer shall monitor the processing of PNR data and facilitate and ensure the implementation of established related safeguards.
(3) The Regional Data Protection Officer shall be provided with the resources and information to perform his or her duties and tasks effectively and independently.
(4) The Regional Data Protection Officer shall have access to all data pertinent to the processing of API and PNR by the Competent Authority and IMPACS.
(5) In circumstances where the Regional Data Protection Officer considers that the processing of any data has not been lawful or was done in accordance with this Act, the Regional Data Protection Officer may refer the matter to the Executive Director of CARICOM IMPACS.
(6) The Regional Data Protection Officer shall coordinate and collaborate with the national data protection officers of CARICOM Member States.
Competent Authority to liaise with the Data Protection Officer
- (1) The Competent Authority shall liaise with and provide the requisite support and information to the Data Protection Officer.
(2) The Data Protection Officer shall monitor the processing of PNR data and facilitate and ensure the implementation of established related safeguards.
(3) The Data Protection Officer shall be provided with the resources and information to perform his or her duties and tasks effectively and independently.
(4) The Data Protection Officer shall have access to all data processed by the Competent Authority.
(5) In circumstances where the Data Protection Officer considers that the processing of any data has not been lawful or was not done in accordance with this Act, the Data Protection Officer may refer the matter to the Competent Authority.
Safeguards and redress mechanisms
- (1) Every individual shall have the same right to the protection of his or her personal data, including the right to be informed, the right of access, the right of rectification and the right to an adequate remedy, in accordance with best practices and national enactments and policy in relation to the protection of personal data.
(2) An agent of an aircraft or vessel shall inform every passenger of his rights related to the protection of his or her personal data referred to in subsection (1).
(3) Every individual shall have the right to lodge a complaint before the Data Protection Officer in circumstances where he or she considers that the processing of his or her personal data constitutes a violation of this Act.
Penalties
- (1) Any captain or master who does not comply with the provisions of this Part is liable, in the case of a first offence, to an administrative fine of $5,000 to be imposed by the Competent Authority and in the case of a second or repeating offence, to an administrative fine of $20,000.
(2) In the event of a conflict of laws between the provisions of this Act and those of the legislation of another country regarding the transmission of PNR data by an aircraft, the penalties provided for under this Part shall be suspended during the period the authorities of the two States are attempting to resolve this issue and until it is demonstrated that the two States have attempted to resolve the situation.
PART V
EXCHANGE OF PNR DATA WITH OTHER MEMBER STATES
Transfer of PNR data by the Competent Authority or PIU to other Participating Member States and competent authorities
- (1) The Competent Authority may share PNR data with another Member State or competent authorities in accordance with applicable laws, regulations, and international agreements.
(2) The transfer of PNR data shall be limited to the purposes specified under this Act, including national security, public safety, immigration control, and the prevention, detection, investigation, and prosecution of serious crimes.
(3) The PIU, acting on the approval and guidance of the Competent Authority, shall ensure that the transfer of PNR data is conducted in compliance with data protection laws and regulations, including appropriate security measures to safeguard the confidentiality, integrity, and protection of the data during transmission and at the receiving end.
(4) The Competent Authority shall transfer PNR data only when there is a lawful basis and a demonstrated necessity for such transfer, as determined by the Competent Authority.
(5) The Competent Authority shall assess the proportionality and necessity of the transfer, considering factors such as the gravity of the threat, the relevance of the data, and the availability of alternative means to achieve the stated purposes.
(6) The PIU, acting on the approval and guidance of the Competent Authority, shall transfer only the necessary and proportionate PNR data required for the specified purposes, ensuring that the transferred data is limited to what is essential and relevant.
(7) The Competent Authority shall establish clear guidelines regarding the retention periods of transferred PNR data by the receiving Member States or competent authorities, ensuring that the data is retained for no longer than necessary for lawful purposes.
(8) The PIU, acting on the approval and guidance of the Competent Authority, shall engage in mutual assistance and information exchange with the receiving Member States or competent authorities, ensuring timely and efficient sharing of relevant information related to the transferred PNR data.
(9) The PIU shall establish mechanisms to facilitate feedback, communication, and coordination with the receiving entities, addressing queries, providing clarifications, and responding to requests for additional information or cooperation.
(10) The Competent Authority shall oversee and monitor the transfer of PNR data by the PIU, ensuring compliance with the legal provisions and applicable agreements.
(11) The Competent Authority shall establish an accountability framework to assess the lawfulness, necessity, and effectiveness of the transfers, conducting periodic audits and assessments to evaluate the compliance of the PIU with the established requirements.
(12) The Competent Authority shall provide regular reports to relevant government bodies or legislative committees on the transfers of PNR data, including the number of transfers, the receiving entities, and the purposes for which the data was transferred.
(13) The Competent Authority shall ensure transparency in the transfer process, subject to any necessary limitations imposed by law or national security considerations.
Request from another Participating Member State
- (1) Where a request for PNR data is received from the competent authority or passenger information unit of another Participating Member State, but the data have not been depersonalised through masking out, the PIU in consultation with the Competent Authority may transmit any such information in its possession to the competent authority or passenger information unit of the requesting Member State if it believes that transmitting the data is necessary for the purpose of preventing, detecting, investigating or prosecuting terrorist offences or serious crime.
(2) In exceptional circumstances, where a request for PNR data is received from a competent authority or passenger information unit of a Participating Member State at a time other than that provided for under this Act, the PIU may request the aircraft or master of the vessel to transfer the requested PNR data and in turn transfer the PNR data to the competent authority in the requesting Participating Member State. Such a request can only be facilitated where there are reasonable grounds to believe that the data requested is necessary to respond to a specific and actual threat related to terrorist offences or serious crime.
Request for PNR data from another Participating Member State by the Competent Authority or PIU of Saint Christopher and Nevis
- (1) The Competent Authority or PIU may submit a request for PNR data to the competent authority or passenger information unit of a Participating Member State where there are reasonable grounds to believe that the request is necessary for the prevention, detection, investigation or prosecution of a terrorist offence or serious crime.
(2) A request made under subsection (1) may be based on one or more data elements and shall include the reasons for the request.
(3) The Competent Authority or PIU may in exceptional circumstances, request the competent authority or passenger information unit of another Participating Member State to request the transfer of PNR data by an aircraft or vessel to the passenger information unit of that Participating Member State at a time other than the time at which the aircraft transfers the PNR data to the passenger information unit of that Participating Member State and to transfer the PNR data to the passenger information unit where access to the PNR data is necessary to respond to a specific or actual threat related to terrorist offence or serious crime.
PART VI
MISCELLANEOUS
Immunity from liability
- Any person acting under the direction of the Competent Authority or IMPACS shall not be held liable for any direct, indirect, incidental, consequential, or special damages including but not limited to financial loss, personal injury, or reputational harm, arising from or in connection with the collection, receipt, processing, use, disclosure, or transfer of API and PNR data.
Regulations
- (1) The Minister may make regulations to give effect to the principles and provisions of this Act.
(2) Notwithstanding the generality of subsection (1), the Minister may make regulations —
- specifying the circumstances in which and the conditions under which the Minister may waive the requirements set out in section 17(1);
- to provide for procedures for the gathering of information and the collaboration and sharing of information with the agencies mentioned in this Act;
- determining the composition, procedural operations, institutional and other arrangements of the PIU to ensure its effective and efficient operations;
- designating Competent Authorities to receive API and PNR data;
- establishing approved watchlists or criteria and databases to be used for national processing in conjunction with API and PNR data; and
- any other matter required to be prescribed under this Act.
Amendment of the Schedules
- The Minister may, by Order published in the Gazette, amend a Schedule to this Act with respect to API and PNR.
Requirement to submit all information electronically
- Any information to be submitted under this Act shall be submitted electronically.
Non-Imposition of Penalties for Incomplete, Delayed or Erroneous messages resulting from technical issue
- Notwithstanding any provision under this Act in respect of the imposition of penalties, an aircraft or vessel operator shall not be penalised or held otherwise responsible for incomplete, delayed or erroneous messages resulting from a technical issue.
Repeal of Advance Passenger Information Act
- The Advance Passenger Information Act, No. 1 of 2017 is repealed.
SCHEDULE I
ADVANCE PASSENGER INFORMATION DATA ELEMENTS AND EMBARKATION AND DISEMBARKATION DATA
(Section 18)
- AIRCRAFT
- Data relating to the flight (Header Data)-
- Flight Identification
(IATA or ICAO Airline code and flight number, Registration Number)
- Scheduled Departure Date
(Date of Scheduled departure of aircraft based on local time of departure location)
- Scheduled Departure Time
(Time of scheduled departure of aircraft based on local time of arrival location)
- Scheduled Arrival Date
(Date of the scheduled arrival of aircraft based on local time of arrival location)
- Scheduled Arrival Time
(Time of scheduled arrival of aircraft based on local time of arrival location)
- Last Place or Port of Call of Aircraft
(Aircraft departed from this last foreign place or port of call to go to “place or port of aircraft initial arrival”)
- Place or Port of Aircraft Initial Arrival
(Place or port in the country of destination where the aircraft arrives from the last place or port of call of aircraft)
- Subsequent Place or Port of Call within the country or regional space
- Number of Persons on board including-
- the total number of passengers on Board; and
- the total number of crew members
- Data relating to each individual on board –
- Official Travel Document Number
(Passport or other Government approved travel documents)
- Issuing State or Organisation of the Official Travel Document (Name State or Organisation responsible for the issuance of the official document)
- Official Travel Document Type
(Indicator to identify type of official travel document)
- Expiration Date of Official Travel Document (Expiration date of the official travel document)
- Surname or Given Name(s)
(Family name and given name(s) of the holder as it appears on the travel document)
- Nationality
(Nationality of the holder of the travel document)
- Date of Birth
(Date of birth of the holder)
- Gender
(Gender of the holder)
- Traveller’s Status
(Passenger, crew, in-transit)
- Place or Port of Original Embarkation
(Place or port on that journey where traveller first boarded for foreign travel)
- Port or Place of Clearance
(Place or port where the traveller is cleared by the border control agencies)
- Place or Port of Onward Foreign Destination
(Foreign place or port where the traveller is transiting)
- Data relating to the Reporting Party –
- Reporting Party Name
- Reporting Party Telephone Number
- Reporting Party Facsimile Number
- Reporting Party Electronic Mail Address
- VESSEL
- Data relating to the voyage (Header Data)-
- Vessel Identification
(IMO or Registration number)
- Country of Registration
(Country where the vessel is registered)
- Agent or Owner (where applicable)
(Name of Agent for the vessel or where no Agent, Name of Owner)
- Call Sign (if applicable)
- Scheduled Departure Date
(Date of Scheduled departure of vessel based on local time of departure location)
- Scheduled Departure Time
(Time of scheduled departure of vessel based on local time of arrival location)
- Scheduled Arrival Date
(Date of the scheduled arrival of vessel based on local time of arrival location)
- Scheduled Arrival Time
(Time of scheduled arrival of vessel based on local time of arrival location)
- Last Place or Port of Call of Vessel
(Vessel departed from this last foreign place or port of call to go to “place or port of vessel initial arrival”)
- Place or Port of Vessel Initial Arrival
(Place or port in the country of destination where the vessel arrives from the last place or port of call of vessel)
- Subsequent Place or Port of Call within the country or regional space
- Number of Persons on board including-
- the total number of passengers on Board; and
- the total number of crew members
- Data relating to each individual on board –
- Official Travel Document Number
(Passport or other Government approved travel documents)
- Issuing State or Organisation of the Official Travel Document
(Name State or Organisation responsible for the issuance of the official document)
- Official Travel Document Type
(Indicator to identify type of official travel document)
- Expiration Date of Official Travel Document (Expiration date of the official travel document)
- Surname or Given Name(s)
(Family name and given name(s) of the holder as it appears on the travel document)
- Nationality
(Nationality of the holder of the travel document)
- Date of Birth
(Date of birth of the holder)
- Gender
(Gender of the holder)
- Traveller’s Status (Passenger, crew, in-transit)
- Place or Port of Original Embarkation
(Place or port on that journey where traveller first boarded for foreign travel)
- Port or Place of Clearance
(Place or port where the traveller is cleared by the border control agencies)
- Place or Port of Onward Foreign Destination
(Foreign place or port where the traveller is transiting)
- Data relating to the Reporting Party –
- Reporting Party Name
- Reporting Party Telephone Number
- Reporting Party Facsimile Number
- Reporting Party Electronic Mail Address
- EMBARKATION AND DISEMBARKATION DATA
- Data elements relating to flight or voyage information –
- Residential status
- Vessel Type
- Airline/Vessel name
- Airline/Vessel registration ID
- Country of embarkation
- Port of embarkation
- Intended date of arrival
- Data elements relating to personal information –
- First name
- Last name
- Gender
- Date of birth
- Nationality
- Country of birth
- Country of residence
- Zip code
- State
- City
- Address
- Telephone number
- Approval of processing information
- Data elements relating to document information –
- Travel document type
- Travel document number
- Travel document issue country
- Travel document expiry date
- Proof of travel document
- Data elements relating to destination information –
- Purpose of visit
- Accommodation type
- Other accommodation type
- Destination name
- Destination address
- Destination city
- Length of stay
- Data elements relating to health information –
- Symptoms over the past seven (7) days
- Countries visited within the last 21 days
- Data elements relating to customs –
- Total pieces of Luggage
- Bringing of plants and livestock
- Bringing of pharmaceuticals
- Bringing of narcotics
- Bringing of weapons
- Bringing of commercial merchandise
- Bringing of currency
- Bringing of animal products
- Bringing of disease agents
- Bringing of soil
- Items to declare
SCHEDULE II
TIMEFRAME FOR SUBMISSION OF API AND EMBARKATION AND DISEMBARKATION DATA
(A) Timeframe for submission of API
(Section 19 (1) and (3))
- In case of commercial aircraft, no later than 60 minutes prior to departure from the last port of call.
- In case of a private aircraft, no later than 60 minutes prior to the departure from the last port of call.
- In case of a vessel arriving from outside the regional space, no later than 24 hours prior to arrival.
- In case of a vessel arriving from a destination within the regional space, no later than 1 hour prior to the arrival of the vessel from the last port of call.
- In the event of any changes to the flight or vessel header data or data relating to an individual on board, an updated API file is required prior to departure of the aircraft or vessel.
- In emergency situations, submissions shall be made as soon as practicable where deemed necessary by the Competent Authority.
(B) Timeframe for submission of Embarkation and Disembarkation data
1. Passenger and Crew shall be required to submit embarkation and disembarkation data within 72 hours (including the day of arrival/departure) prior to their arrival into and departure from Saint Christopher and Nevis.
SCHEDULE III
Timelines for Electronic Submission of PNR data by a Captain or Agent of an Aircraft
(Section 23 (3))
An aircraft shall transfer PNR data to the Competent Authority and IMPACS by electronic means via the CEMSIW in accordance with the following timelines –
- 48 hours before the scheduled flight departure time; and
- 24 hour(s) before the scheduled flight departure time; and
- time zero which represents the actual time of departure where flight closure has been completed, that is once the passengers and crew have boarded the aircraft in preparation for departure and it is no longer possible for passengers and crew to board or leave; or
- in the event of technical failure or difficulty, by any other appropriate means with a tolerance of 30 minutes after the departure ensuring the same level of technical and organisational security.
- Where a voyage is cancelled, submissions in keeping with the timeframes articulated above prior to the cancellation are still required. Only submissions due after time of cancellation are not required.
- In emergency situations, submissions shall be made as soon as practicable where deemed necessary by the Competent Authority.
SCHEDULE IV
Timelines for Electronic Submission of PNR Data by a Master or Agent of a Vessel
(Section 24 (3))
An aircraft shall transfer PNR data to the Competent Authority and IMPACS by electronic means via the CEMSIW in accordance with the following timelines –
- 48 hours before the scheduled voyage departure time; and
- 24 hour(s) before the scheduled voyage departure time; and
- time zero which represents the actual time of departure, that is once the passengers and crew have boarded the vessel in preparation for departure and it is no longer possible for passengers and crew to board or leave; or
- in the event of technical failure or difficulty, by any other appropriate means with a tolerance of 30 minutes after the departure ensuring the same level of technical and organisational security.
- Where a voyage is cancelled, submissions in keeping with the timeframes articulated above prior to the cancellation are still required. Only submissions due after time of cancellation are not required.
- In emergency situations, submissions shall be made as soon as practicable where deemed necessary by the Competent Authority.