4 minute read 11 Jun. 2021
Woman sitting on seat

Why vaccine passports could be just the ticket

By EY Global

Ernst & Young Global Ltd.

4 minute read 11 Jun. 2021
Related topics Cybersecurity

As COVID-19 vaccinations roll-out, officials are mulling over the introduction of vaccine passports to boost travel and tourism industries.

In brief
  • With vaccine passports on the horizon, travel and tourism businesses look forward to travelers returning.
  • Privacy officers in government and the travel sector must balance travelers’ privacy concerns with operational practicalities.
  • Campaigners say vaccine passports must protect citizens’ privacy and be freely accessible to all.

There has been much talk across boards and in media headlines recently about the introduction of so-called vaccine passports. Opinions remain divided on the subject, but one thing remains clear to all: the collection and storing of such personal health data will create a trail of complexity for privacy professionals. This article outlines some of the privacy challenges that come with the territory and actions that privacy officers must take to protect vaccine passport holders’ data.

  • What is a vaccine passport?

    A vaccine pass or passport is documentation that proves citizens have been vaccinated against COVID-19. The idea is modeled on the proof of vaccination that several countries required even before the pandemic. For example, outbound travelers from many countries in Africa are required to submit evidence that they have been vaccinated against diseases such as yellow fever. Ideally, it would provide proof of the traveler’s vaccination status and document any recent test results for COVID-19, which would both reassure border agents and safeguard fellow travelers or eventgoers. The passes will be digital or paper documents for citizens to prove that they have been vaccinated, that they recovered from the virus, or recently tested negative for it. In many cases, this could free citizens from mandatory quarantining obligations.

Economies opening up

Countries worldwide have tasked ministerial departments and civil servants to roll-out digital passports of varying names such as Vaccine Passport, Digital Green Pass, Immunity Health Passport and Common Pass, allowing citizens to show they have been vaccinated.

In late April 2021, the European Commission approved its priorities for introducing a Digital Green Certificate to facilitate safe free-movement inside the EU during the COVID-19 pandemic. The Digital Green Certificate will provide proof that a person has been vaccinated against COVID-19, received a negative test result, or recovered from COVID-19. It will be available, free of charge, in digital or paper format. It will include a QR code to ensure the security and authenticity of the certificate.

At the time of publication, the US Government has distanced itself from any sort of federal vaccine certification or pass, preferring to leave the issue to private businesses and states to resolve. As a result, New York has become the first US state to offer digital proof of vaccination. But it isn’t just governments that are suggesting vaccine passports.

In the coming weeks, multiple airlines including British Airways, Etihad Airways and Emirates, have said that they will start using their own form of digital travel passes. For industries such as tourism, hospitality and entertainment – which were caught on the backfoot by the pandemic – they are eagerly awaiting the return of holiday makers and patrons, so proof of inoculation from COVID-19 could very well provide the impetus to jump-start these industries again.

Several big tech companies have begun live-testing of their COVID-19 immunity and vaccine passports. Microsoft has also introduced a “Smart Health Cards Framework” that would allow individuals to store and manage their own COVID-19 vaccination results and present these records to another party in a verifiable manner. IBM has emphasized that their digital health passport will use blockchain technology to verify health credentials, allowing the IBM app to store immunization records in an encrypted format.

Several governments see vaccine passports as the catalyst to allow citizens return to their everyday lives quicker and open-up economies again. Currently, some obstacles facing travelers include being required to take a COVID-19 test before traveling and/or again on arrival, having to quarantine for several days or being outright prohibited from stepping into some countries.

However, traveling abroad is not the only application for vaccine passports. Some other examples include:

  • Venues serving event-going patrons can better manage the risk of large gatherings by verifying attendees’ vaccination records.
  • Educational institutions and organizations with on-site workers
  • Cruise liners and the hospitality sector looking to return to pre-pandemic capacity

Privacy implications

Introducing vaccine – or any digital health – passports, raises a few eyebrows across a spectrum of human rights, data privacy, domestic, equality, COVID-19 and labor laws. The Equality and Human Rights Commission (UK) emphasized that certificates to prove if concerned citizens have been vaccinated could help to ease restrictions “in principle,” however, it could lead to the creation a "two-tier society whereby only certain groups are able to fully enjoy their rights".

Regulatory considerations

The UK’s Nuffield Council on Bioethics, which focuses on the ethical risks of immunity passports, argues against introducing vaccine and immunity passports, as there is a risk that they will exacerbate existing structural inequalities and social stigmatization.

Furthermore, Florida Governor DeSantis has banned all Florida businesses from requiring vaccine passports in an executive order. “Individual COVID-19 vaccination records are private health information which should not be shared by mandate.” DeSantis emphasized that so-called COVID-19 vaccine passports “reduce individual freedom and will harm patient privacy; and would create two classes of citizens based on vaccination.”

On 18 June 2020, the Spanish Data Protection Agency warned that immunity passports were a violation of data protection regulations and that employers could not ask job candidates whether they had COVID-19 antibodies since it is personal data related to health. This resulted in the deletion of any information that referred to antibodies in job applications so that it did not influence hiring decisions.

The Netherlands’ Government (Ministry of Health) recently expressed concerns with respect to the EU COVID-19 certificate or digital green certificate. It stated that the “corona passport” shows more medical data than what the Netherlands’ Government initially wanted to be processed as per their negotiations with the EU. For instance, a foreign travel official will have visibility over which vaccine an individual has been administered, the number of doses, and the date of administration. The officer(s) could also have access to the individual’s latest health records and COVID test results. The Netherlands’ Government pushed for a code that cannot be traced back to the individual, but they were unsuccessful. This is because the EU Member States want to know who has been vaccinated by which brand of vaccine.

Moreover, a recent EY survey of almost 2,000 consumers across the globe revealed that the pandemic is shifting consumers’ expectations of data privacy. Consumers are increasingly more attune with how organizations are collecting, storing and using their data. Expectations are rising and the concept of a value exchange between consumers’ data and what they want in return from organizations for their data, is quickly becoming a hot topic that’s resonating.

The road to recovery

When citizens are vaccinated, a copy of that immunization record is usually sent to a secured database in the country where the individual was vaccinated. It contains the same information that is held on the paper record that the newly immunized person is handed from the healthcare professional administering the job and includes their name, date of birth, the brand of vaccine and location of the vaccination.

Many are opposing digitization of such records since vaccine passports use sensitive personal information, create a medical distinction between individuals based on health status, and could potentially be used to determine the degree of freedom or rights of individuals. But despite the opposition, such schemes are gaining support. The danger is that so far it has exposed some of society’s inequities at every stage of the pandemic. Some argue that vaccine passports may only serve to perpetuate these inequities.

Privacy pitfalls to avoid

There is no question that vaccine passports should incorporate leading privacy and security industry practices to achieve the highest level of data protection proportionate to the sensitivity of the personal health information that will be collected, used or disclosed.

Airlines and other businesses and organizations such as governments, who intend on rolling out vaccine passports or variations of them, should ensure they adopt leading privacy practices that include:

  • Providing appropriate notice to data subjects and obtain their consent;
  • Encryption of sensitive personal data;
  • Implementing appropriate access controls.

Privacy challenges will remain central in the discussion around vaccine passports. Some would argue that privacy regulations were designed to manage these very types of initiatives in a robust way. When adhering to the requirements as stated under these regulations and by putting privacy central in the development and roll-out of the passport, privacy risks can be more effectively managed.


Vaccine passports look set to be the gateway for the safe reopening of key sectors such as travel and tourism. However, the pathway is fraught with privacy challenges that governments and businesses intending to operate their own vaccination passport systems must navigate.

About this article

By EY Global

Ernst & Young Global Ltd.

Related topics Cybersecurity