To re-open borders without quarantine and restart aviation governments need to be confident that they are effectively mitigating the risk of importing COVID-19. This means having accurate information on passengers’ COVID-19 health status.
Informing passengers on what tests, vaccines and other measures they require prior to travel, details on where they can get tested and giving them the ability to share Your tests and vaccination results in a verifiable, safe and privacy-protecting manner is the key to giving governments the confidence to open borders.
To address this challenge IATA is launching the IATA Travel Pass (“ITP”), in collaboration with interested airlines and governments.
Who is IATA?
The International Air Transport Association (“IATA”)’s mission as the trade association of the airlines is to represent, lead, and serve the airline industry. Our members comprise 82% of total air traffic.
IATA is an association created by Special Act of Parliament of Canada, with its head office located at 800 Place Victoria, P.O. Box 113, Montreal, Quebec, Canada H4Z 1M1.
IATA will be designated as the data controller for the purpose of the IATA Travel Pass Application (“ITP”).
What is the ITP & How does it work?
ITP is composed of four interoperable modules, each of which is designed to help travelers navigate the complex world of post-COVID international travel.
- Travel Pass App: it enables You, a passenger, to (1) create a ‘digital passport’, (2) verify Your test/vaccination meets the regulations & (3) shares test or vaccination certificates with authorities to facilitate travel.
- Timatic: it has been used for decades by airlines and travel agents, but also the passengers, to verify passenger travel document requirements for your destination and any transit points.
- Registry of Covid-19 testing and vaccination centers: it enables You to find testing centers and laboratories at Your departure location which meet the standards for testing/ vaccination requirements of your destination.
- Lab App web application: it enables You to securely share Your ID details with the testing centers and authorized labs for them to securely send back Your test results or vaccination certificates.
What the ITP is not?
The downloading and/or usage of the ITP are purely voluntary and will never be compulsory for anyone. It is purely optional and left to Your appreciation and choice, and only subject to the participation of the airline You are flying within the ITP program.
If You choose to download and use the ITP, it does not warrant or otherwise guarantee that You will be able to travel to Your intended destinations.
IATA make no representations with respect to the accuracy, reliability, completeness, timeliness or usefulness of the information You uploaded in the ITP.
In no event IATA shall be liable for:
- the accuracy of the information and data provided to us by you or on your behalf;
- for any loss or injury caused in whole or in part by delivering such information through the ITP;
- any decision made or action taken or not taken by You or anyone else in reliance on the information provided in the ITP.
At all times, You remain fully responsible for ensuring You satisfy all travel requirements set by your airline carrier and Your destination country.
How is IATA protecting my data?
IATA is committed to ensuring a high level of data protection for the users of the ITP. IATA conducted a thorough and in-depth Data Protection Impact Assessment (“DPIA”) to transparently work, share and explain to the different stakeholders how the ITP has been built, how data protection and privacy risks are managed and, in fine, ensure Your adequate and complete information for you to engage safely with the ITP.
IATA will never have access to the data that is being processed.
As a controller, IATA shall and will ensure at every step of the journey with the ITP:
- Your personal data is processed lawfully, fairly and in a transparent manner,
- Only strictly necessary personal data in relation to the purposes for which they are processed will be required,
- Your personal data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes,
- Your personal data is accurate, kept up to date, and every reasonable step is taken to ensure that personal data that are inaccurate can be erased or rectified without delay.
IATA adopts internal policies and implements all necessary measures to meet the principles of data protection by design and data protection by default and ensure the appropriate technical and organizational measures are taken to protect Your Data and Your Privacy.
IATA has a dedicated team in charge of security. The Head of Information Security reports directly to the Chief Information Officer.
The vendors have been through a security assessment based on three main components:
- Security Vendor Assessment (https://vsaq.iata.org)
- External party scoring (https://www.riskrecon.com)
- Compliance to Security Non-Functional Requirements
The purpose of this program is to ensure all subcontractors have best-in-class security controls implemented,
compliant with IATA requirements. Each vendor is contractually bound to high standards of data protection and security.
Storage of the data
All your data is stored encrypted to the digital wallet on your device. Your information is only shared with others (such as airlines, governments, airports or test centres) when you choose to share it. When you do choose to share your information, it is sent directly to the receiving party using only secure end-to-end encrypted communication technologies.
Usage of the data
- What categories of personal data
- Your photo (“selfie”)
- A video recording of your face (“liveness test”)
- Biometric data from your passport i.e. your passport photo
- Your passport information: name, middle name(s), last name, passport number, gender, date of birth, expiry date
- Your flight booking reference
- Your test result(s) and/or proof of vaccination including government-issued health certificates which may contain details of the lab, type of test and date the test was taken
- Purpose for data processing and legal ground
Your personal data are necessary to:
- Verify Your identity: You download the ITP on Your mobile. Once You open the App, You will be requested to take a selfie picture with Your phone. Then you will be asked to take a video to perform a liveness check to ensure You are not a robot or another individual and to prevent You are not taking a picture of a picture to enroll. To do this the app will need to access video files from the device.
- Create an electronic version of Your passport: once Your identity is successfully verified, You will be requested to scan the chip in Your passport using Your NFC’s reader. The program will compare Your passport’s picture with the selfie picture and the liveness check.
- Securely store Your digital identity in a decentralized way in an encrypted digital wallet, which is only stored locally on Your mobile device
- Retrieve Your flight itinerary,
- Identify Yourself at a registered Laboratory to perform a Covid-19 test or being vaccinated in order to obtain and share, upon Your consent, Your test results or proof of vaccination, and
- Obtain an “OK to Travel” confirmation based on your health certificates. Your Health data can be digitised either using your camera or by reading files on your device. It will be sent to Timatic and checked against your travel itinerary to confirm whether you’re eligible to go on a certain journey given your health status.
- Excluded usage
We do not share Your personal data with third parties, unless You provided Your consent, and this directly relates to the service we are providing to You.
We do not use Your personal data for marketing purposes.
We will never sell Your personal data.
We do not further process Your personal data.
For how long is my data stored?
For the purposes of the Trial with your Airline, IATA will securely store Your personal data until the 25th April 2021 after which time it shall be permanently deleted. This will ensure any issues arising from the Release 1 of the App can be managed without interruption to your travel and participation in the trial.
From the 25th April 2021 none of Your personal information will be stored by IATA and will only be held for the purpose of processing Your transactions, specifically creating a digital identity and receiving or sharing your identity or test results. Your data will remain in the IATA Travel Pass secure digital wallet on your phone as long as You keep the IATA Travel Pass App. It can be deleted at anytime and the information uploaded in the ITP will be deleted immediately.
We will not retain any data in the ordinary course of providing our services to you. Once your data has been processed (to create your digital passport, receive your test results or successfully share your data with partners) it will be immediately deleted from our servers and only stored on your phone. If a process cannot be completed (for example, if you are offline when your test results are sent to you) it will be kept secure and encrypted on our servers until you are on-line and can receive them, and at that point it will be deleted from our servers.
When you choose to share your data with a partner, the data is encrypted and sent from your phone to them. From this point, they will be in charge of the processing of Your personal information, in accordance with Your own privacy and data protection policies. IATA will have no control or involvement whatsoever in that regard.
Who will have access to your data?
As a general principle, only You can access the data uploaded in Your ITP on Your phone.
In order to carry out the services related to the ITP, Your data will be shared, upon Your consent with:
- IATA’s service providers in order to carry out the following services:
- Verification of Your identity once You download the App and upload Your passport information
Which data will be necessary? Your picture/ biometrics and Your passport information
- Retrieval of Your flight itinerary through a secure connection with the airline’s reservation system
Which data will be necessary? Your name, last name and booking reference
- Verification of Your identity once You download the App and upload Your passport information
- the Lab You select, in order to verify Your identity before performing Your test or obtain a vaccine certification and later on to share Your test result/ vaccinate certificate with You
Which data will be necessary? Your name, last name and Your passport number
Will my data be transferred abroad?
IATA selected services providers located in the European Economic Area and/or in countries considered by the European Commission to implement a sufficient level of protection to guarantee a high level of data protection according to the most stringent rules.
How can I exercise my privacy rights?
Your consent is the cornerstone of the ITP data exchange. None of Your personal data will be shared unless You expressly agreed to it.
You have the right to be informed, to access Your data, rectify Your data, erase them. You can exercise those rights through different channels:
- Second level: passenger support on iata.org
- Third level: contact established through IATA Customer Service Center
No cookies will be used on the ITP.
For any further questions related to this policy or the way in which Your data is processed, please send an email to email@example.com.