There are various topics we need to address with regard to any kind of vaccine passport. If we skip those areas, then securing it will become even more challenging and the likelihood for fraud increases.
We need to consider data protection, privacy, ethics, fundamental rights and freedoms of the individual, and also perceived government intrusion. The key to a successful vaccine passport system is that the government can demonstrate necessity in introducing one, rather than rely on the nation being swept along on a wave of sentiment instead of rational thinking.
The legal basis to introduce this passport would be to counter the risk of serious cross-border threats, which, of course, is the definition of a pandemic. From a data protection perspective, the considerations here range across all six principles of the Data Protection Act.
Necessity, proportionality and longevity of retention must be fundamental in the decision-making. So, for instance, at what point will the threshold for continuing to process this data be reached? And what processes will be implemented to ensure it is thoroughly erased when no longer required – how will “no longer required” even be defined?
As it currently stands, there is no mandatory requirement to be vaccinated, not for any disease; it is a personal choice. Nor is it mandatory to declare your vaccinations as part of travel – certain vaccinations, such as polio, require documented proof in certain countries, for instance, and this is facilitated using the International Certificate of Vaccination or Prophylaxis, as defined in the World Health Organization’s International Health Regulations.
Until Covid-19 struck, people voluntarily received vaccinations for holidays, extended experiences or work travel, because certain illnesses are endemic in certain regions – this could actually happen to the UK; we have no way of knowing – and we also know that some illnesses we have vaccinated against historically have not been eradicated, only controlled.
Academically, it can be understood why the idea of a vaccine passport may be seen as an attractive option, given the extensive nature and impact of this virus, both economically and in humanitarian terms.
Managing this documentation on an ongoing basis will be very expensive and will make an attractive target for fraudsters and criminals. We have already seen there is a growing market for fake negative test documents and a vaccine passport is one more potential black-market product. If the security of the data and the underlying system are not designed effectively, this creates significant opportunities for cyber criminals.
The security challenges here will very much depend on whether the government intends to go down a centralised or decentralised route. If this seems like déjà vu, that is because many of us expressed the same concerns when the government announced the development of a Covid-19 app.
There is a reasonable expectation, because it is already built-in functionality, for negative test results to be displayed from the app, but to extend this functionality to include vaccine records would mean integrating the app functionality with the online patient care record. This would require serious security considerations because done incorrectly, it risks exposing not just our Covid-19 status, but our whole medical history.
The attractiveness of this data to both criminal and commercial entities should not be underestimated. The UK government has a chequered past when it comes to protecting personal information and many of the lessons from the 2007 HM Revenue & Customs data breach have yet to be learnt.
Human behaviour is fundamental to good security and good security behaviour requires excellent security education. Unfortunately, excellent security education is rarely at the top of government’s security priorities. If this passport is to be a success functionally and securely, then we must ensure that the infrastructure and technology are absolutely underpinned by a better security culture.
