It has been just over a year since COVID-19 halted international travel, emptied sports stadiums and event venues, and transported many employees’ workdays from offices to homes. As vaccinations against the virus continue to rise, a return to normalcy is anxiously anticipated, with attention quickly turning to just what navigating a post-pandemic world could look like.

Digital vaccine passports or health credentials that could be used to verify a person’s COVID-19 vaccination status or test results are gaining traction around the world to potentially reopen travel and more.

The European Commission last week proposed a “Digital Green Certificate” that would verify a person’s vaccination against a COVID-19 negative test result or recovery from the virus. The certificate would include a QR code to confirm authenticity. European Commission Vice President for Values and Transparency Vĕra Jourová called it “a good message in support of recovery,” adding, “Our key objectives are to offer an easy to use, non-discriminatory and secure tool that fully respects data protection.”

China has already launched a vaccine passport for domestic travelers. Air New Zealand is planning to launch a digital health application next month that features a vaccine passport program. And in the U.S., though the Centers for Disease Control said even those vaccinated should avoid travel, airlines are asking for federal guidance on temporary health credentials to monitor travelers’ negative COVID-19 tests and vaccinations. 

But the idea of using digital vaccination credentials to regain access to areas of society is concerning for some, like Italy’s data protection authority, the Garante, which issued guidance stating vaccination data is “particularly delicate,” and “incorrect treatment can have very serious consequences for the life and fundamental rights of people.”

Hogan Lovells Partner Eduardo Ustaran, CIPP/E, said vaccine passports raise questions around necessity, fairness and reliability, familiar questions for those dealing with personal data protection. But applying data protection principles to the rollout of vaccine passports could enable them to play a fair and safe role in a return to normalcy, he said.

In particular, he said any health-related data should only be used for the intended purpose, only necessary data should be collected and used, and accuracy, data security and accountability should be ensured.

“It is obvious to me that you have to apply the concept of a data protection impact assessment. You basically assess what information do we need here, how is it going to be stored and shared and for how long and who has access to this information,” Ustaran said. “It’s almost like a brainstorming mechanism to really think that through so that when you go and design the product or the tool, you’ve taken into account those issues, those principles.”

Data sharing, use ‘is actually pretty straightforward’

Future of Privacy Forum Vice President of Policy John Verdi said sharing data in the context of COVID-19 vaccination passports “is actually pretty straightforward.” While other health diagnoses can include medical scans, clinical notes, blood test results or symptoms, for example, a digital COVID-19 vaccination passport would detail whether an individual had been vaccinated or not. He likened it to a driver’s license used to determine whether an individual is 21 years or older before purchasing alcohol in the U.S.

The EU’s Digital Green Certificate would include an individual’s name, birthdate, date of issuance, and vaccine, test or recovery information, according to the European Commission, and the certificate system would be suspended when the World Health Organization declares the end of the health emergency.

“In this case, you’re not talking about reams of health data; you are talking about a simple fact. Has this person been vaccinated or not?” Verdi said. “The mere fact of vaccination or not does run the risk of pulling in a whole host of other health data in order to validate it in the same way that a clinical diagnosis might.”

Proof of vaccinations is not a new concept, said Verdi, who added examples of mass vaccination initiatives have been seen in the U.S. and around the world.

“One would say that we really have one every summer when young people start to go through K-12 school,” he said. “These sorts of mass vaccination initiatives are not new, they are different than what is going on with (COVID-19), but they have implications for students attending school, they have implications for teachers and other adults who attend those schools, they have implications in the workplace, they have implications regarding travel.”

Verdi pointed out that as vaccine passport programs are designed and implemented, it will be important to be realistic about authenticity and the potential for falsified vaccination data and plan accordingly.

“Going in and saying we know these vaccine passports to be 100% accurate is probably not going to align with the real world,” he said. “When individuals must be vaccinated in order to return to work, school, to travel, there are massive incentives to either get vaccinated or if you cannot because of limited supply or other reasons, there are incentives to falsify.”

Ustaran said it is crucial the authenticity of vaccine passports be verified, noting technology “can play a very crucial role in securing things.”

“It’s not just a matter of data security or cybersecurity, from a public policy perspective this has to work. If you have a percentage of these that are fake, what’s the value,” Ustaran said.

Opening doors

The Fédération Internationale de Football Association’s Club World Cup 2020 held in early February – the organization’s first post-COVID-19 event – welcomed fans to two stadiums in Qatar.

“This was the first testing event, a very small event that wanted to open the doors to fans, and in fact, it opened the doors to fans,” FIFA Head of Data Protection Jorge Oliveira, CIPM, said of the competition that gathered teams from Qatar, Egypt, Germany, Brazil, Mexico and Korea.

Games were held at two stadiums, each match attended by approximately 20,000 fans, he said, and the only known case of COVID-19 to be identified was prior to the games. A German player tested positive, subsequently isolating for 14 days and not playing in the competition, Oliveira said.

Stadiums were limited to approximately 30% capacity, Oliveira said, and fans were asked to provide proof of vaccination or immunity due to being infected with COVID-19 in the three months prior to the competition. Those who were not vaccinated or previously diagnosed were required to take a COVID-19 test at the Qatar National Convention Centre within the 72 hours prior to the event and could only collect tickets if tested negative.

Oliveira said these details were organized by the Qatari Supreme Committee for Delivery & Legacy, with FIFA ensuring any data accessed and collected was done correctly. “Concerning the plan from our perspective, it was very important to ensure the privacy and security of the fans themselves,” Oliveira said.

FIFA is now reviewing the event and will use data on attendance, the number of attendees vaccinated and so on to craft a plan for the FIFA World Cup to be held in Qatar in December 2022, Oliveira said. It is also negotiating with the committee about implementing a “Fan ID,” potentially including immunity passports, during the FIFA Arab Cup to be held in December 2021, he said.

“From a data protection perspective, we need to ensure the security of individuals’ information, if we are really working with health data that we collect with the consent of individuals,” he said.

While the concept of vaccine passports is not a new one, it’s clear privacy and authenticity are key considerations as these initiatives continue to be contemplated and rolled out around the world in response to COVID-19. While organizations like FIFA are exploring options with privacy and security in mind, approaches will be different everywhere, and as Verdi said, “the future is unwritten.”

“I think it remains to be seen what role these sorts of immunity passports or vaccine licenses will play,” he said. “Will it be a small role? Will it be a large role? Will it largely be a beneficial role? Will it be something in the middle? We don’t know.”

Photo by CDC on Unsplash