The creation and use of portable, digital vaccine passports risks endangering basic rights, and could easily result in a situation where everyday activities such as browsing in a shop or having a drink at a bar could demand as much personal data from people as international travel, says BCS, the Chartered Institute for IT.
Although digital vaccine passports in the form of a mobile app are highly likely to form a key element of reopening the global economy after the pandemic, BCS said the ethical and data privacy challenges were extreme, and the risk of denying people access to services by an algorithmic decision created a dilemma.
“It is not necessary to create any central digital identifiers for vaccine validation purposes, but some countries may be tempted to,” said Adam Leon Smith, chairman of BCS’s Software Testing Group. “One reason that healthcare authorities might want to identify people centrally is to manage the vaccination process itself; another might be to exclude vaccinated individuals from particular mass testing activities.”
A particular complexity with personal risk calculations, said Smith, is that putting this data inside an app can extrapolate the findings in ways that were not intended.
“You can easily imagine how this data might be joined with other information, such as address or key worker status,” he said. “All with sensible intentions, but care needs to be taken that this data is not mis-used. One example of inappropriate use could be calculation of a risk score, and denial of rights or services to someone because of an algorithmic decision.
“For example, denying cinema access to someone because an algorithm computes their home location as being a high-risk one, their key worker status as inferring they are an NHS front-line worker.”
Smith said it was vital to convince people that the passport would be ethical-by-design for it to be supported by enough people, and organisations, to render it effective.
Rob Masson, CEO of the DPO Centre, a GDPR [General Data Protection Directive] specialist resource centre, said digital vaccine passports were a potential minefield for private sector organisations struggling through the pandemic, particularly those that might be called upon to mandate their use, such as clubs, pubs and restaurants.
“Until we know the final arrangements for a vaccine passport, we can only plan for what we think might happen and discuss the balance and reasonable steps an organisation will need to take between an individual’s right to privacy and the wider impact on the public’s health,” he said.
“For example, retailers don’t currently stop customers at the door and ask about their health. So, will it be seen that the Covid-19 passport is a necessary invasion into our privacy?”
Masson noted that whether the UK builds vaccine passport functionality into the existing NHS app (not the Covid-19 contact-tracing app), finds a way to persuade the EU to let it access the proposed green pass scheme, or works with the World Health Organization on a global initiative, the law currently regards health data as special category personal data, which is stringently regulated and carries an extra burden of protection and security on those who collect and process it.
It will therefore become important for businesses that must establish whether customers or staff have received the vaccine, or a negative Covid-19 test, to ask themselves what the legal basis for asking, and processing that information, is, as well as how the data will be held, for how long, and with whom it can be shared.
“With Brexit and Covid-19, many companies are facing increased pressure and scrutiny around data protection and privacy issues,” said Masson. “Data protection is one of the fastest-growing areas of business in the UK and Covid-19 has placed it firmly at the top of the agenda for most organisations.
“It is therefore vital that organisations understand their exposure to data and privacy risk as it impacts every part of their business from employees, to clients, partners and wider stakeholders.”
The government’s open consultation on digital vaccine passports closes on 29 March 2021, and contributions are invited from the public.
