Five Critical Tips for the Global Adoption of Vaccine Passports
More than a year into the pandemic, the world is ready to go back to normal. The acceleration of vaccinations suggests that ‘normal’ may come earlier than anticipated. However, as governments now work on transition plans from a pandemic to a post-pandemic environment, the question becomes “How do we safely re-open our countries?”.
Vaccine passports or digital health certificates have been gaining traction recently as a solution for this challenge. A vaccine passport is proof that a person has been vaccinated against COVID-19. This proof or certificate can be a document or a digital artifact such as a smartphone app or a QR code. It can be used to return to work, travel, or attend events.
But a lack of standards and data governance controls could also pose potential privacy risks for the passport holder given the sensitivity of the data, the multitude of recipients, and the need for rapid iterations.
A fragmented approach to vaccine passports
Authorities around the world are facing increased pressure to deliver short-term solutions and vaccine passports offer numerous positive use cases. While health ministers from G7 countries have agreed to collaborate on vaccine passports in March, many local, regional, and national initiatives are already being rolled out, trialed or in the development phase.
In the US, the White House announced early April that it will not mandate federal vaccine passports. “The government is not now, nor will we be supporting a system that requires Americans to carry a credential,” Jen Psaki, White House press secretary, said on Tuesday. “There will be no federal vaccinations database, no federal mandate requiring everyone to obtain a single vaccination credential.”
This leaves states and private actors to take a position on the issue. Several states such as Texas or Florida have already taken steps to ban or limit any requirements to provide vaccination documentation.
On the other side, New York rolled out on March 26 the first version of a vaccine passport to allow vaccinated people to gain access to venues and events. New York’s Excelsior App is built on the IBM digital health platform using blockchain technology.
Orange County just announced last week that they are piloting a digital passport. “The Digital Passport enables individuals to participate safely and with peace of mind in activities that involve interactions with other people, including travel, attractions, conferences, meetings, concerts, sports, school, and more,” said Orange County Health Care Agency officials.
Large technology companies such as Microsoft and Oracle in conjunction with prominent health actors like the Mayo Clinic have joined forces in the Vaccination Credential Initiative with plans to release a solution to the public by May.
In Europe, EU leaders have backed a “Digital Green Certificate” initiative with the creation of an executive’s vaccine task force, but EU countries have also launched trials.
For example, Denmark tested a “Coronapas” for domestic travel a couple of weeks ago and plans on extending the use to international travel. Estonia is planning on issuing digital health certificates by the end of April. France announced it was taking part in a month-long trial with Air France for air travel. And, outside of the EU, the UK is also trialing “COVID Status Certificates” this month at major sporting events.
Balancing safety requirements with privacy concerns will be key
Vaccine passports need to answer in real-time a simple question: “Has this person been vaccinated or not?”.
However, the processes, security, and privacy aspects surrounding the data needed to surface this output can become complex, especially in an environment with multiple players, multiple standards, and different data governance approaches.
IATA, the International Air Transport Association, which developed a “travel pass” late last year and just rolled out a test with Singapore Airlines last month, stresses the importance of standards. “It’s the governments that need to come out with a standard for digital vaccine certificates and then we need to make sure that works with the IATA Travel Pass and with other apps out there. Ours is specifically focused on aviation but for it to work there will obviously need to be interoperability between different standards,” said Katherine Kaczynska, assistant director of corporate communications at IATA.
In a world that could see dozens of different passports and certificates over the next few months, questions about security, interoperability, processes are likely to become more present, especially if the situation keeps improving on the vaccination front.
Key actors in the development of these new technologies should collaborate to incorporate privacy-by-design and data governance best practices reducing potential privacy risks and limiting negative impacts of unintended consequences. Four things designers should keep in mind are:
- Authenticate the vaccine passport data
Fake Covid test results and digital vaccine certificates can already be found on the darknet. As Checkpoint also notes, advertising for vaccine passports on the darknet has increased 300% over the past 3 months and it is expected that fraudulent activities will continue to rise. Without a way to validate the data, a giant door is left open for both digital and physical fraud. Digital credentials with signatures directly linked to tests and passports issuers could provide a secure solution as long as there are also strict data access protocols at these organizations.
- Use a data minimization approach in designing the vaccine passport
Gather only data strictly necessary to validate and deliver the certificate and delete unnecessary data right after the issuance. Collaborate as much as possible across platforms so that minimal personal data will need to be shared, especially for travelers whose information might transit across several applications.
- Ensure data consistency in a fragmented approach
Ensure data hygiene, normalization, and standardization across the pool of players. Business leaders know that inconsistent data can lead to misinformed business decisions. By establishing early in the design process the rules for all the input variables, consistent outputs could then be shared across applications. With inconsistent data and a lack of safeguards, there could be false positives (showing people’s vaccination status as vaccinated when they are not).
- Keep the vaccine passport data safe
Protect the data across its lifecycle. The multitude of players increases the complexity around data security. For example, a NY resident traveling to the UK might see his information go from an Excelsior App to the UK-operated system while being passed to IATA, the airline, the EU app, and probably more. It is reasonable to anticipate hacking and malware attempts to attack and collect vaccine passport data. The system must be prepared.
Anonymization, encryption at rest and in transit should have common standards to ensure security and privacy across the data lifecycle. Data decentralization through a blockchain protocol might be an interesting way to keep data safe.
- Safely and efficiently delete data once the pandemic is over
Establish processes today to manage vaccine passport data retirement and deletion after the pandemic. Scientists do not know today how long the vaccine protection and immunity last so this is an unknown. In the EU, the GDPR framework requires companies to delete information when it is no longer necessary. Given the unknowns, this could prove as a challenging task to retire and delete all that additional data in a safe and permanent manner.
The COVID-19 virus still poses multiple challenges to our societies and will transform our world in ways we cannot yet anticipate. But the rapid progress of vaccination development and distribution has shifted the discussion to what a post-covid world would look like. Vaccine passports should continue to be developed, tested, and trialed with data privacy being an integral component in the process. The global adoption and success of vaccine passports rely on the trust citizens will put in them and a focus on collaboration and data privacy can surely play their part.
Suggested Blog Posts
A key component of privacy governance is assessments. While Records of Processing Activity (ROPAs) do not assess risk...
Retrieve Unstructured Data and Save Time With WireWheel’s Trust Access and Consent Center’s M365 Integration
Privacy Laws continue to proliferate across the globe. Many of these laws, including the European Union’s GDPR,...
We are seeing a parallel to what the financial and banking industry went through during the early years of...
Congressional testimony from a former Facebook employee has sparked outrage over the governance of the company’s...
Introduction ‘Personal Data’ has different legal definitions in the GDPR, CCPA in California, CDPA in Virginia, LGPD...