More than Just a Stamp: Proposed Vaccine Passports Raise Privacy Concerns and Data Security Risks
Click here to view PDF version.
As the number of Canadians receiving COVID-19 vaccines continues to rise, vaccine passports are now sparking discussion as a means to return to “normal”. However, privacy commissioners and ombudspersons across Canada have stressed that these proposed tools raise a host of privacy and data security concerns, many of which are only now being considered as governments and organizations implement reopening plans.
In their simplest terms, vaccine passports are a way of documenting and verifying that a person has received certain vaccines. The passports would then allow the individual to travel, and gain access to goods and services. The rationale behind vaccine passports is that vaccinated people have a decreased risk of being infected and infecting others, and should therefore be granted increased personal liberties for the trade-off of having their personal health information collected (and tracked) across a range of public and private sector entities.
Vaccine passports are not a new concept as they were already required for travel to certain locations pre-pandemic. However, due to the global reach of COVID-19, their proposed implementation would have a wider impact than previous versions of passport programs.
Vaccine Passports in Canada: A Moving Target
It remains to be seen how vaccine passports could be implemented across the country. Notwithstanding the significant labour and employment law hurdles to be considered in the workplace, the privacy implications of such programs are significant. In a recent joint statement issued by federal and provincial Privacy Commissioners, and the Ombuds of Manitoba and New Brunswick, any vaccine passport program must meet the highest levels of personal privacy protection. Specifically, any organization considering such a program must establish its necessity, effectiveness and proportionality in advance of rollout. Moreover, there must be clear legal authority for the implementation of such a program and local privacy commissioners should be consulted well in advance.
Nova Scotia’s Information & Privacy Commissioner echoed these statements in a recent interview. As federal and provincial governments across the country are now working on a number of different vaccine passport plans, Commissioner Tricia Ralph also stressed that a critical step in their development is the completion of privacy impact assessments.
Prime Minister Justin Trudeau has said that vaccine passports will be an essential part of international travel in order to keep up with other countries’ public health entry requirements. While self-isolation rules have recently been relaxed for Canadians returning home from abroad this summer, they will still need to show proof of vaccination, either with a paper or digital copy of their health documentation. Travelers will also be required to submit proof of their vaccination – and other COVID-19 related information – into the government’s ArriveCAN app before entering Canada (which is already raising the ire of some privacy advocates given the lackluster response to Canada’s COVID Alert app).
Going Digital: Vaccine Passports around the World
There are several countries and multinational corporations also rolling out digital vaccine passports. For example, the European Union has created the Digital Green Certificate, which can be carried on a smart device. The Digital Green Certificate shows that the bearer has been vaccinated, which vaccine they received, if they tested negative for COVID and whether they have previously recovered from the virus. Israel implemented a similar program (now retired).
In addition, the World Health Organization is working on its own “smart vaccination certificate”. Furthermore, the International Air Traffic Association is testing a travel pass initiative that would require travelers to create a digital version of their passports, which they can upload with their medical records to be verified by border officials around the world. Similar efforts are underway in the United States as Apple is leading a push for states to recognize digital identity cards within Apple Wallet.
Data Security & Privacy Risks of Vaccine Passports in Canada
Despite the multifaceted (and haphazard) approach being taken to develop vaccine passports across Canada, experts are raising alarms at the privacy risks (and utility) of such plans.
The Canadian Civil Liberties Association has voiced several concerns about the privacy of individuals who are exempt from the COVID-19 vaccine due to underlying health conditions. However, they may now be forced to share this sensitive health data with foreign governments should they travel internationally. In addition, the more touchpoints personal health information has in moving between provincial, federal, and international bodies, the greater the risk of it being improperly accessed or hacked.
For Canadian businesses, the federal Office of the Privacy Commissioner has stressed that vaccine passports should only be implemented in situations where the threshold test of necessity, effectiveness and proportionality is met. In light of present scientific evidence and legal frameworks, the OPC recommends that businesses should also:
- Identify the legal authority under which a vaccine passport could be implemented. This legal authority must be clear, and may come from a new statute, an amended law, or an emergency public health order specifying the particulars of the authority, to whom it is given, and the special circumstances in which the program can operate.
- Ensure consent to participate in such a program is meaningful, and build trust with your employees/customers by being transparent about the strong data protection and cybersecurity measures in place to protect their personal health information.
Conclusion: An Inevitability?
Vaccine passports certainly appear to be the price to be paid for individuals to return to the land, sea, and air. Interestingly, in a recent poll 80% of Canadians supported the implementation of vaccine passports for domestic and international travel. However, this number drops to 60% of those in favour of public bodies and businesses requiring vaccine passports to access goods and services.
At the very least, any organization considering the development and implementation of a vaccine passport regime should take the following steps to limit liability and improve privacy protections:
- Complete a privacy impact assessment on the proposed vaccine passport program, with specific focus on whether pre-existing COVID-19 measures implemented at the outset of the pandemic (e.g., masks in the workplace, health screening, contact tracing, etc.) remove or limit the necessity of having a vaccine passport program.
- Follow guidance from federal and provincial privacy commissioners when it comes to considering and meeting the test for necessity, effectiveness, and proportionality.
- Develop and implement a data retention (and destruction) plan specific to any information collected through a vaccine passport program.
- Engage external legal counsel to help link such a program with internal data incident response protocols and cybersecurity measures, and coordinate discussions with relevant regulators in the event of a privacy breach.
The Cybersecurity and Data Privacy Group at Cox & Palmer is happy to assist organizations as they consider and review the appropriateness of developing (and implementing) a vaccine passport program.
*This article was written with significant contributions from Cox & Palmer’s Caraid McGinty, Summer Student.