My data and me

By | Category: Travel rumblings

the barcode on a boarding pass has personal information on it

Do you remember a year or so ago about retailers asking for boarding passes when you bought something at their airport shops? At the time Boots and W H Smiths were the main  shops involved and it turned out that they were using the information to claim the VAT back if the boarding pass showed that you were leaving the UK.

I confess that I thought that it has stopped but it seems to be continuing.

At Edinburgh airport this week, I bought a meal deal. At the self-service checkout the reader wanted to scan the barcode on my boarding card.


The reader refused to accept the barcode and an employee had to key in an over-ride code so that I could pay. In this case the retailer didn’t have my boarding card details. But that leads me to my second point. Since last May when GDPR (General Data Protection Regulation) became operable, any organisation collecting personal information should tell you why they want it and how it will be used.

The boarding card barcode provides at least my name, flight details, the date and the time. No where did the retailer, either next to the self-service machine or on the receipt say that they were collecting the information or why, how it would be stored and for how long.

As I understand it this contravenes GDPR. You might argue that it would be hard to tie my name to an address (unless that appears in the barcode) or a phone number (that might be in the barcode as a number for use in an emergency) but it isn’t difficult to do. Collecting my name constitutes the collection of personal data and the retailer does not have my permission to do so.

In the old days we were advised not to through boarding cards away as they could be used by identity thieves. The same still applies. The barcode tells anyone – they only need an inexpensive scanner to read the barcode – far more about me than the old non barcoded boarding card did. When you have no need of your boarding card anymore, dispose of it carefully and don’t just throw it in a bin.

In the meantime I am contacting the retailer’s data controller about the data protection policies!

If you enjoyed this post, please consider subscribing to the RSS feed to have future articles delivered to your feed reader.
Tags: , ,