Regulatory considerations
The UK’s Nuffield Council on Bioethics, which focuses on the ethical risks of immunity passports, argues against introducing vaccine and immunity passports, as there is a risk that they will exacerbate existing structural inequalities and social stigmatization.
Furthermore, Florida Governor DeSantis has banned all Florida businesses from requiring vaccine passports in an executive order. “Individual COVID-19 vaccination records are private health information which should not be shared by mandate.” DeSantis emphasized that so-called COVID-19 vaccine passports “reduce individual freedom and will harm patient privacy; and would create two classes of citizens based on vaccination.”
On 18 June 2020, the Spanish Data Protection Agency warned that immunity passports were a violation of data protection regulations and that employers could not ask job candidates whether they had COVID-19 antibodies since it is personal data related to health. This resulted in the deletion of any information that referred to antibodies in job applications so that it did not influence hiring decisions.
The Netherlands’ Government (Ministry of Health) recently expressed concerns with respect to the EU COVID-19 certificate or digital green certificate. It stated that the “corona passport” shows more medical data than what the Netherlands’ Government initially wanted to be processed as per their negotiations with the EU. For instance, a foreign travel official will have visibility over which vaccine an individual has been administered, the number of doses, and the date of administration. The officer(s) could also have access to the individual’s latest health records and COVID test results. The Netherlands’ Government pushed for a code that cannot be traced back to the individual, but they were unsuccessful. This is because the EU Member States want to know who has been vaccinated by which brand of vaccine.
Moreover, a recent EY survey of almost 2,000 consumers across the globe revealed that the pandemic is shifting consumers’ expectations of data privacy. Consumers are increasingly more attune with how organizations are collecting, storing and using their data. Expectations are rising and the concept of a value exchange between consumers’ data and what they want in return from organizations for their data, is quickly becoming a hot topic that’s resonating.
The road to recovery
When citizens are vaccinated, a copy of that immunization record is usually sent to a secured database in the country where the individual was vaccinated. It contains the same information that is held on the paper record that the newly immunized person is handed from the healthcare professional administering the job and includes their name, date of birth, the brand of vaccine and location of the vaccination.
Many are opposing digitization of such records since vaccine passports use sensitive personal information, create a medical distinction between individuals based on health status, and could potentially be used to determine the degree of freedom or rights of individuals. But despite the opposition, such schemes are gaining support. The danger is that so far it has exposed some of society’s inequities at every stage of the pandemic. Some argue that vaccine passports may only serve to perpetuate these inequities.
Privacy pitfalls to avoid
There is no question that vaccine passports should incorporate leading privacy and security industry practices to achieve the highest level of data protection proportionate to the sensitivity of the personal health information that will be collected, used or disclosed.
Airlines and other businesses and organizations such as governments, who intend on rolling out vaccine passports or variations of them, should ensure they adopt leading privacy practices that include:
- Providing appropriate notice to data subjects and obtain their consent;
- Encryption of sensitive personal data;
- Implementing appropriate access controls.
Privacy challenges will remain central in the discussion around vaccine passports. Some would argue that privacy regulations were designed to manage these very types of initiatives in a robust way. When adhering to the requirements as stated under these regulations and by putting privacy central in the development and roll-out of the passport, privacy risks can be more effectively managed.