Data protection is the answer to vaccine passports

Epidemiologist. Droplets. PPE. Asymptomatic. R number. Long Covid. Social distancing. If there is an indisputable consequence of the Covid-19 pandemic, it is how familiar we have all become with concepts that were alien to most of us barely a year ago. As much as a physical, mental and economic struggle for humanity, Covid-19 has been a constant and rapid learning exercise. Some of it has to do with terminology, but a lot of it has involved a mental readjustment to what is normal, necessary and indeed, acceptable to balance public health and everyday life. As we approach the second year of the pandemic, governments and ethics councils are now grappling with the thorny issue of vaccine passports. Will we need them? Will they be reliable? Are they fair? These are familiar questions to anyone dealing with personal data because their answers have much to do with data protection.

Time will tell, but as Covid-19 vaccination programmes get underway in many parts of the world, the holy-grail of our return to normality is increasingly pinned on the ability of vaccines to do their demanding job. If they prove to be effective – as initial indicators show – it is more than likely that they will become a real door opener for their recipients. Being able to travel, to attend mass events and perhaps even to do certain jobs may depend on our ability to demonstrate that we are one of those recipients by means of a vaccine passport or certificate. However, the prospect of a yet another source of inequality splitting our already divided society is the last thing the world needs right now. How can we therefore make vaccine passports play a fair and safe role in our uncertain future? Possibly by applying data protection principles:

  • Fairness and lawfulness – Data protection professionals know a thing or two about using data fairly and lawfully. This often comes down to being fully transparent and finding an objective and valid justification for such uses. Clearly not every single coming and going will justify a vaccine passport, and those that do will need to be very clearly explained.
  • Purpose limitation – Directly connected to vaccine passports’ justification, it will be crucial to ensure that secondary purposes do not become the norm. As is the case with most uses of health-related data, it will be necessary to be scrupulously rigorous with the uses made of vaccine passports.
  • Data minimisation – One of the great legislative data protection novelties introduced by the EU General Data Protection Regulation (GDPR) was the idea of deploying measures by design and by default aimed at ensuring that only the personal data that is truly necessary for a given purpose is collected and used. This is key to the way in which vaccine passports should be designed and implemented.
  • Accuracy and storage limitation – The importance of accuracy in vaccine passports is indisputable, while placing a reasonable time limit on their validity is equally obvious. 
  • Data security and integrity – The design and deployment of vaccine passports must also take into account the likely attempts to deceive the system. Ensuring the reliability of the information embedded in vaccine passports will not just be a matter of cybersecurity but a pillar for public health.
  • Accountability – Anyone relying on a system of vaccine passports or certificates will have a vital role to play in making sure that such tools serve a beneficial purpose for society as a whole. In the same way that privacy impact assessments are a cornerstone of data-related innovation, those who seek to rely on vaccine passports should be required to undergo an impact assessment that identifies and mitigates any risks of unfairness or discrimination.

There is still much to be learnt and debated about the future of vaccine passports, but data protection can make a significant contribution to their lawful and ethical roll out, and ensure they are not only a useful tool for living in a post-Covid world, but a trustworthy resource available to all.


This article was first published in Data Protection Leader in February 2021.

Authored by Eduardo Ustaran.

Eduardo Ustaran


This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.