Why vaccine passports could be just the ticket

Economies opening up

Countries worldwide have tasked ministerial departments and civil servants to roll-out digital passports of varying names such as Vaccine Passport, Digital Green Pass, Immunity Health Passport and Common Pass, allowing citizens to show they have been vaccinated.

In late April 2021, the European Commission approved its priorities for introducing a Digital Green Certificate to facilitate safe free-movement inside the EU during the COVID-19 pandemic. The Digital Green Certificate will provide proof that a person has been vaccinated against COVID-19, received a negative test result, or recovered from COVID-19. It will be available, free of charge, in digital or paper format. It will include a QR code to ensure the security and authenticity of the certificate.

At the time of publication, the US Government has distanced itself from any sort of federal vaccine certification or pass, preferring to leave the issue to private businesses and states to resolve. As a result, New York has become the first US state to offer digital proof of vaccination. But it isn’t just governments that are suggesting vaccine passports.

In the coming weeks, multiple airlines including British Airways, Etihad Airways and Emirates, have said that they will start using their own form of digital travel passes. For industries such as tourism, hospitality and entertainment – which were caught on the backfoot by the pandemic – they are eagerly awaiting the return of holiday makers and patrons, so proof of inoculation from COVID-19 could very well provide the impetus to jump-start these industries again.

Several big tech companies have begun live-testing of their COVID-19 immunity and vaccine passports. Microsoft has also introduced a “Smart Health Cards Framework” that would allow individuals to store and manage their own COVID-19 vaccination results and present these records to another party in a verifiable manner. IBM has emphasized that their digital health passport will use blockchain technology to verify health credentials, allowing the IBM app to store immunization records in an encrypted format.

Several governments see vaccine passports as the catalyst to allow citizens return to their everyday lives quicker and open-up economies again. Currently, some obstacles facing travelers include being required to take a COVID-19 test before traveling and/or again on arrival, having to quarantine for several days or being outright prohibited from stepping into some countries.

However, traveling abroad is not the only application for vaccine passports. Some other examples include:

• Venues serving event-going patrons can better manage the risk of large gatherings by verifying attendees’ vaccination records.
• Educational institutions and organizations with on-site workers
• Cruise liners and the hospitality sector looking to return to pre-pandemic capacity

Privacy implications

Introducing vaccine – or any digital health – passports, raises a few eyebrows across a spectrum of human rights, data privacy, domestic, equality, COVID-19 and labor laws. The Equality and Human Rights Commission (UK) emphasized that certificates to prove if concerned citizens have been vaccinated could help to ease restrictions “in principle,” however, it could lead to the creation a "two-tier society whereby only certain groups are able to fully enjoy their rights".

Regulatory considerations

The UK’s Nuffield Council on Bioethics, which focuses on the ethical risks of immunity passports, argues against introducing vaccine and immunity passports, as there is a risk that they will exacerbate existing structural inequalities and social stigmatization.

Furthermore, Florida Governor DeSantis has banned all Florida businesses from requiring vaccine passports in an executive order. “Individual COVID-19 vaccination records are private health information which should not be shared by mandate.” DeSantis emphasized that so-called COVID-19 vaccine passports “reduce individual freedom and will harm patient privacy; and would create two classes of citizens based on vaccination.”

On 18 June 2020, the Spanish Data Protection Agency warned that immunity passports were a violation of data protection regulations and that employers could not ask job candidates whether they had COVID-19 antibodies since it is personal data related to health. This resulted in the deletion of any information that referred to antibodies in job applications so that it did not influence hiring decisions.

The Netherlands’ Government (Ministry of Health) recently expressed concerns with respect to the EU COVID-19 certificate or digital green certificate. It stated that the “corona passport” shows more medical data than what the Netherlands’ Government initially wanted to be processed as per their negotiations with the EU. For instance, a foreign travel official will have visibility over which vaccine an individual has been administered, the number of doses, and the date of administration. The officer(s) could also have access to the individual’s latest health records and COVID test results. The Netherlands’ Government pushed for a code that cannot be traced back to the individual, but they were unsuccessful. This is because the EU Member States want to know who has been vaccinated by which brand of vaccine.

Moreover, a recent EY survey of almost 2,000 consumers across the globe revealed that the pandemic is shifting consumers’ expectations of data privacy. Consumers are increasingly more attune with how organizations are collecting, storing and using their data. Expectations are rising and the concept of a value exchange between consumers’ data and what they want in return from organizations for their data, is quickly becoming a hot topic that’s resonating.

The road to recovery

When citizens are vaccinated, a copy of that immunization record is usually sent to a secured database in the country where the individual was vaccinated. It contains the same information that is held on the paper record that the newly immunized person is handed from the healthcare professional administering the job and includes their name, date of birth, the brand of vaccine and location of the vaccination.

Many are opposing digitization of such records since vaccine passports use sensitive personal information, create a medical distinction between individuals based on health status, and could potentially be used to determine the degree of freedom or rights of individuals. But despite the opposition, such schemes are gaining support. The danger is that so far it has exposed some of society’s inequities at every stage of the pandemic. Some argue that vaccine passports may only serve to perpetuate these inequities.

Privacy pitfalls to avoid

There is no question that vaccine passports should incorporate leading privacy and security industry practices to achieve the highest level of data protection proportionate to the sensitivity of the personal health information that will be collected, used or disclosed.

Airlines and other businesses and organizations such as governments, who intend on rolling out vaccine passports or variations of them, should ensure they adopt leading privacy practices that include:

• Providing appropriate notice to data subjects and obtain their consent;
• Encryption of sensitive personal data;
• Implementing appropriate access controls.

Privacy challenges will remain central in the discussion around vaccine passports. Some would argue that privacy regulations were designed to manage these very types of initiatives in a robust way. When adhering to the requirements as stated under these regulations and by putting privacy central in the development and roll-out of the passport, privacy risks can be more effectively managed.