Free, SPOKES Privacy Virtual Conference June 22 and 23


Vaccine Passports: Case Studies, Technologies, and Policy Considerations


The Spokes 2021 conference included a panel on vaccine passports, moderated by Virginia Bartlett, Privacy Operations Expert with WireWheel. The panel also included Maureen R. Dry-Wasson, VP, Group General Counsel and Global Privacy Officer with Allegis Group; Scott Gallant, Principal/CEO of Keyed Systems; and Eric Bowlin, Partner, Deloitte & Touche LLP.

The Particular Problems with Vaccine Passports

The discussion opened with an overview of vaccine passports—beginning with the question of whether a vaccine passport is the same as a certificate, the different technologies used for passports or certificates, and most importantly, concerns over data privacy and transparency and how health data might be shared.

Scott Gallant notes that the technology required to make vaccination passports or certificates effective is of particular concern to privacy professionals, who should carefully consider what data these technologies collect and how they collect it, especially in certain industries, and in health care in particular.

“But one thing is certain: We’ve had to sort of re-evaluate our footprint for data,” he said. “And I think it’ll come down to just two things: What’s the source, the issuer of that information, and how far and prevalent will it be distributed and for what purpose.”

For employment, the situation is far more complex, as Maureen R. Dry-Wasson pointed out. “Employers are rapidly trying to figure out [what to do], which if you’re a multi-state employer, you know can be really convoluted. That is always hard to implement; you’re trying to do what you think is fair to all employees, recognizing that you can’t do the same thing for all employees.”

She also noted that, when it comes to recruiting employees, there may be additional complications if proof of vaccination is required—who handles the data, how is it shared, and what technology will be used to facilitate establishing an individual’s fitness for a specific role within a company, based on vaccination status? “I think as an employer we’re doing the best that we can just to sort of balance the privacy interests of our employees and the requirements of many of our clients in trying to operate a safe working environment while trying to comply with a patchwork of laws all at the same time. You know, between a rock and a hard place is the best way to explain where we live,” she said.

A Seat at the Table: Beyond the Technology

Next, the panel tackled the technology in use to collect and track health information, and what may be developing on that front. Gallant brought up the point that trust may be an issue. “It comes down to a network that may back a ‘certification,’” he said. “If you have a certification of a vaccination or a test or anything else, that credential in its own right only has merit based on the issuer, so where did it come from?”

He goes on to note that the situation is still very much in flux. “We are in this sort of emergency use of information, whereby some of our rights when it comes to privacy may be a little lacking, but think six months to a year from now, are we setting a tone for a new standard? Or will we just want these technologies here to onboard if ever we’re in a similar situation?”

Bowlin acknowledged that, although the technology itself is interesting and important, the conversation around privacy issues carries a lot of weight. “[What is important for privacy experts is] having a seat at the table and making sure that privacy considerations are taken into account,” he said. “And so what I would say to privacy officers and their teams is to make sure you have that seat at the table, make sure you’ve thought about how you are executing a privacy impact assessment or some similar sort of privacy assessment, a third-party assessment, on that app.”

Bowlin went on to stress the importance of keeping tabs on data, particularly when it comes to third parties; otherwise, data privacy problems are likely to arise.

For the travel industry, the concept of vaccine passports is a pressing one, with potential pitfalls, but solutions are in the works to make the process relatively easy for travelers. “[Some] airlines are actually requesting travelers to download [an app] and do some proof of vaccination, and some of them have a network, whereby, [they may accept vaccination data from a third-party] because there’s a native trust that’s been built in the fabric behind the scenes, otherwise they’re collecting it fresh,” said Gallant. “Then, when you land in a sovereign country, [those countries] are being asked to accept the same passport and of course that’s low friction for the traveler.”

Implications Beyond Vaccines

The panelists then tackled the idea of what kind of data could be accessed to verify a vaccine passport. Dry-Wasson put forth the idea that the ideal system would rely on an individual to upload his or her own verified data and have control over access to it. Such a system would, in theory, put more of the control in the hands of the individual and would protect private data.

As an example, Dry-Wasson proposed a system in which job seekers could provide their verified employment history. “What if I could carry that around, already verified by those people who employed me, confirming that, in fact, those are my dates of employment, that I did work there, and that was my job title, etc.?”

“[The same is] true of vaccines,” she continued. “The person sort of owns [the data], safeguards it, controls it, decides who has access to it. And that can be used for a variety of different use cases in our world, everything from credit checks and background checks to employment verification, too. … For me, at least, I’d love to see the ability for us to store less data about people and figure out ways for them to store it and control it … I think the complication gets into data sharing and then how you really even think through all of that.”

Bowlin emphasized that companies with a good approach to data privacy and governance will be able to handle a multitude of situations such as those proposed by Dry-Wasson, without much difficulty. “What’s so important for all these organizations is [to] have a solid, foundational privacy-by-design process that triggers [a] privacy impact assessment. Hopefully, that process is built in such a way that it’s flexible and adaptable enough to handle this or any other situation that pops up, whether it’s customer personal information, employee personal information.”

Health Data and HIPAA: Possible Catalyst for Privacy Action

The panelists were asked whether a centralized vaccine database in the U.S. was realistic—and what the privacy implications of that would look like.

Bowlin responded by saying, “Doesn’t this really remind us how much we could use a federal data privacy law right now? Because there’s no common standard in the U.S., with different laws that say completely opposite things on what you can and can’t do in this space. I think if there’s ever been any tipping point to push a federal data privacy law over the edge, then maybe this is what we’ll see over the course of the next few months.”

The conversation next turned toward HIPAA, and the role it may play in vaccine passports. “I think that most people forget HIPAA only applies when health data is in the hands of a covered entity,” said Dry-Wasson. “[But] if we were to ever have some kind of a vaccine passport, we’d obviously make sure that the people who run the health plan are using that data.”

She went on to speculate that the conversation around vaccine passports, and their privacy implications, might spur action toward a comprehensive federal data privacy law. “Maybe this will actually push the country to get to a more unified federal privacy law,” she said, “because you know HIPAA was passed to deal with an incredibly, narrowly defined category of data, not just health data, which would be a small enough category, but health data only in the hands of certain people.”

Technology and Data Standardizations Are the Keys

One important problem with vaccine passports is the lack of data standardization. In the health space, however, data may be better organized, and Gallant points out that it may be easier than anticipated to standardize that information. “We can put use cases around it so there’s some benefit to standardization from a data standard, [but] we’ve got a lot of work still to do on the actual data side. Once it’s there, you can connect and build interoperability between databases.”

Still, multiple challenges remain, and Gallant notes that it’s not just a matter of flipping a switch. In the end, privacy concerns around vaccine passports are going to remain, especially around the idea of sensitive data being shared between platforms and organizations or companies. “Security folks are working hard on these networking concepts still but there are so many challenges at the technical level of doing this.”

The Future of Vaccine Passports?

As for the future and whether vaccine passports can work, Eric Bowlin is pessimistic. “Countries and states don’t have a proven ability to work together, so I think we’re going to continue to see fragmentation in this market for a long time, unfortunately,” he said.

Gallant believes that, in the near term, many vaccine passport solutions will come to market, but without some kind of consolidated approach to the data behind them. “In five years, I would hope to say that we’ve been able to find a way to shelve the concept [of vaccine passports], where it’s not particularly required for an emergency reaction to a pandemic because we’ve gotten past that,” he said.

Dry-Wasson hopes for more standardization and better data governance in the future. “I hope we see better ways to store data and safer ways to store data, and ways in which we can share data that we don’t today, across not only our own country but other countries,” she says. “But I think in the very short term we’re going to see vaccine passports in major international travel, but I actually don’t think, at least initially, that most employers will require it.”
