First look at vaccine passports

Countries around the world are considering introducing vaccine passports, and the UK is among them. Government recently launched a review, asking for evidence or comments regarding the possible introduction of a “COVID-status certification”.

Open Rights Group (ORG) responded to this consultation, building on our experience of the NHSX App and the deployment of the Test and Trace system. At this very early stage, and lacking more information regarding Government plans, we formulated some broad recommendations.

Intentions must be clear

Data can be used and can be abused, and Government intentions around the introduction of vaccine certifications must be made clear. Vaccine passports may be used for easing international travels, clear access to pubs and hospitality venues, or be allowed to return to work. Each of these options would present different challenges and risks for individuals, that we will be able to consider once these plans are clear.

On top of that, we also reminded Government that it is still not clear how vaccinations affect the transmissibility of the virus, nor there is a solid understanding of covid immunity. This is why, for instance, the World Health Organisation is advising against easing travel safety restrictions based on vaccination data.

Only if it’s necessary and effective

Once intentions will be clear and validated, data protection considerations will come into play. Government already tried to build a centralised and privacy-invasive digital contact tracing system for no appreciable reason but to choose the most data-hungry solution. These plans were eventually reverted, but not without significant delays that made the UK one of the last EU countries to roll out their digital contact tracing app. On top of that, uptake never reached the threshold to make it useful, hinting to a substantial lack of trust among the public about the merit of this solution.

Government should learn from these mistakes, and make sure that any next plans they develop are using the most privacy-preserving methods available, and process data only and insofar it is strictly necessary to achieve the desired result. This would be the first step to ensure security for the data and foster trust among users. In turn, trust and uptake would give a chance for these measures to succeed.

Data Protection Impact Assessments

Even the most well private and well-intentioned system is exposed to risks: vaccination data could be (ab)used in ways that were not foreseen, or exploited for commercial purposes. In turn, this risks exposing individuals to discrimination and other adverse consequences.

We are lucky to have a tool to deal with these risks and uncertainties: the UK GDPR requires to carry out a Data Protection Impact Assessment for those uses of data that may be particularly risky or pervasive. These assessments also need to be kept updated, making them a powerful tool to reassess risks in light of ongoing developments.

Unfortunately, Government track record in this regard is rather grim: Test and Trace was deployed without conducting a DPIA, and the Secretary of State for Health answered to it by proudly claiming that “he wouldn’t be held back by bureaucracy”.

Safeguards are needed

Open Rights Group strongly supported the proposal to advance primary legislation that specifies and complements general data protection obligations, as a way to increase trust and certainty over public health responses to Coronavirus. This road was neglected by Government last year, but we asked them to reconsider this option.

On top of that, we urged Government to be careful about vaccine passports’ potential consequences for migrants, as well as for movements across the Irish border.

What’s next

Open Rights Group were already a key actor in scrutinising Government responses to Coronavirus, as well as driving them to move their NHSX App to a decentralised-privacy friendly system. We hope these failures are not bound to repeat again, and we will keep a close eye on Government plans to develop a vaccine certification scheme.

Want to know more? Stay tuned or join us, and help us protect your rights in the digital age.

Hear the latest

Sign up to receive updates about Open Rights Group’s work to protect digital rights.