Vaccine passports are looking more likely by the day. Initial hesitation has turned into a recognition that, with the right precautions, vaccine passports may play a very useful role in the return to economic normality. While governments and institutions around the world are figuring out the most appropriate design and functionality for vaccine passports, businesses across many sectors are wondering how they will be able to benefit from this yet-to-be-created tool. Being able to travel, to attend mass events and perhaps even to do certain jobs may require being able to demonstrate that one has been vaccinated. Therefore, it will be essential for any business seeking to have access to this information to understand the responsibilities that come with it.
Fortunately, data protection law offers a practical route to make vaccine passports achieve their purpose in a privacy-conscious and safe manner. The GDPR in particular provides a key mechanism enabling businesses of all sizes and types to get vaccine passports right: Data Protection Impact Assessments (DPIAs). Doing a DPIA need not be a complex and legalistic exercise. Here are the key issues that businesses relying on vaccine passports will need to consider as part of a simple DPIA:
- Is access to vaccine passports’ data necessary? – The first and probably most important consideration of all is to what extent a business will need to rely on this tool. For some businesses, it may become a legal obligation or a government-supported industry standard. In those situations, it will be appropriate to justify their use for reasons of substantial public interest, particularly in the area of public health. In other cases, it may be required to assess the extent to which vaccine passports are necessary to protect the vital interests of other individuals.
- Do people understand why access to vaccine passport data is sought? – Transparency is a cornerstone of privacy and data protection compliance. The reasons for requesting to see a vaccine passport may be patently obvious to travellers, theatregoers, football fans and revellers, but it will be important to disclose upfront all uses of the data. Making a simple privacy notice with some basic information available at the entrance of venues or ticket desks may be all that is needed.
- For what purposes will the data be used? – Directly connected to vaccine passports’ justification, it will be crucial to ensure that secondary purposes do not become the norm. As is the case with most uses of health-related data, it will be necessary to be scrupulously rigorous with the uses made of vaccine passports.
- How and for how long will the data be required? – In many cases, it may not be necessary to retain any vaccine passport data at all. But to the extent that any such data is collected and retained, placing a reasonable time limit on its retention will be crucial.
- Who should have access to vaccine passport data? – As part of any data security measures employed when handling vaccine passport data, businesses should think about how to ensure that access to such data is limited and those with access are made aware of their responsibilities.
There is still much to be learnt and debated about the future of vaccine passports, but it is clear that data protection will make a significant contribution to their lawful and responsible use.
This article first appeared on the Global Data Review website on April 1, 2021.
Authored by Eduardo Ustaran.