Background
Vaccine passports[1] are being considered by some governments and businesses as a means of allowing a return to something more closely resembling normal life. Canada’s Privacy Commissioners have decided to make a statement at this time in an effort to ensure that privacy is considered at the earliest opportunity as part of any discussions about vaccine passport development.
A vaccine passport can take a number of different forms, such as a digital certificate presented on a smart phone app or a paper certificate, but it essentially functions to provide an individual with a verified means of proving they are vaccinated in order to travel or to gain access to services or locations. Proponents justify this measure based on the idea that vaccinated individuals have a significantly decreased risk of becoming infected and a decreased risk of infecting others[2]. If supported by evidence of their effectiveness, vaccine passports could bring about broad and impactful benefits, including allowing increased personal liberties, fewer restrictions on social gatherings, and accelerated economic recovery resulting from greater participation in society.
At its essence, a vaccine passport presumes that individuals will be required or requested to disclose personal health information – their vaccine/immunity status – in exchange for goods, services and/or access to certain premises or locations. While this may offer substantial public benefit, it is an encroachment on civil liberties that should be taken only after careful consideration. This statement focuses on the privacy considerations.
Vaccine passports must be developed and implemented in compliance with applicable privacy laws. They should also incorporate privacy best practices in order to achieve the highest level of privacy protection commensurate with the sensitivity of the personal health information that will be collected, used or disclosed.
Above all, and in light of the significant privacy risks involved, the necessity, effectiveness and proportionality of vaccine passports must be established for each specific context in which they will be used.
- Necessity: vaccine passports must be necessary to achieve each intended public health purpose. Their necessity must be evidence-based and there must be no other less privacy-intrusive measures available and equally effective in achieving the specified purposes.
- Effectiveness: vaccine passports must be likely to be effective at achieving each of their defined purposes at the outset and must continue to be effective throughout their lifecycle.
- Proportionality: the privacy risks associated with vaccine passports must be proportionate to each of the public health purposes they are intended to address. Data minimization should be applied so that the least amount of personal health information is collected, used or disclosed.
The necessity, effectiveness and proportionality of vaccine passports must be continually monitored to ensure that they continue to be justified. Vaccine passports must be decommissioned if, at any time, it is determined that they are not a necessary, effective or proportionate response to address their public health purposes.
We recognize that scientific knowledge about COVID-19 and the vaccines is advancing quickly and discussions about vaccine passports are underway in some jurisdictions. When contemplating the introduction of vaccine passports, we recommend that governments and businesses adhere to the following privacy principles:
- Legal authority: There must be clear legal authority for introducing use of vaccine passports for each intended purpose. Public and private sector entities that require or request individuals to present a vaccine passport in order to receive services or enter premises must ensure that they have the legal authority to make such a demand or request. Clear legal authority for vaccine passports may come from a new statute, an existing statute, an amendment to a statute, or a public health order that clearly specifies the legal authority to request or require a vaccine passport, to whom that authority is being given, and the specific circumstances in which that can occur.
- Consent and trust: For vaccine passports introduced by and for the use of public bodies, consent alone is not a sufficient basis upon which to proceed under existing public sector privacy laws. Furthermore, consent alone may not be meaningful for people dealing with governments and public bodies that often have a monopoly over the services they provide. The legal authority for such passports should therefore not rely on consent alone.
For businesses and other entities that are subject to private sector privacy laws and are considering some form of vaccine passport, the clearest authority under which to proceed would be a newly enacted public health order or law requiring the presentation of a vaccine passport to enter a premises or receive a service. Absent such order or law, i.e. relying on existing privacy legislation, consent may provide sufficient authority if it meets all of the following conditions, which must be applied contextually given the specifics of the vaccine passport and its implementation:
- Consent must be voluntary and meaningful, based on clear and plain language describing the specific purpose to be achieved;
- The information must be necessary to achieve the purpose;
- The purpose must be one that a reasonable person would consider appropriate in the circumstances;
- Individuals must have a true choice: consent must not be required as a condition of service.
In Quebec, consent cannot form the legal basis for vaccine passports. In that jurisdiction, requesting their presentation would require that the information is necessary to achieve a specific purpose, one that is serious and legitimate.
- Limiting Collection, Use, Disclosure and Retention / Purpose Limitation: The collection, use, disclosure and retention of personal health information should be limited to that which is necessary for the purposes of developing and implementing vaccine passports. Active tracking or logging of an individual’s activities through a vaccine passport, whether by app developers, government, or any third party, should not be permitted. Also, the creation of new central databases of vaccine information nationally or across jurisdictions should not be permitted, other than the local databases necessary for the administration and verification of the vaccine. Secondary uses of personal health information collected, used or disclosed through vaccine passports must be limited to only those required or authorized by law.
- Transparency: Canadians should be informed about the purposes and scope of vaccine passports and about the collection, use, disclosure, retention and disposal of their personal health information for the purposes of vaccine passports.
- Accountability: Policies, agreements and laws must minimize any impact on privacy. Individuals should be informed about who to contact to request access to, and correction of, any information available through vaccine passports or to make an inquiry or complaint about vaccine passports.
- Safeguards: Technical, physical and administrative safeguards must be put in place that are commensurate with the sensitivity of the information to be collected, used or disclosed through vaccine passports. Processes must be put in place to regularly test, assess and evaluate the effectiveness of the privacy and security measures adopted.
- Independent Oversight: To ensure accountability and reinforce public trust, Privacy Commissioners should be consulted throughout the development and implementation of vaccine passports. Privacy Impact Assessments or other meaningful privacy analyses should be completed, reviewed by Privacy Commissioners, and a plain-language summary published proactively.
- Time and Scope Limitation: Any personal health information collected through vaccine passports should be destroyed and vaccine passports decommissioned when the pandemic is declared over by public health officials or when vaccine passports are determined not to be a necessary, effective or proportionate response to address their public health purposes. Vaccine passports should not be used for any purpose other than COVID-19.
[1]Vaccine passport is the most common term, which refers to a means of confirming a person’s COVID-19 vaccination or immunity status. There are others, such as immunity passport, vaccine or vaccination certificate or card, and digital proof of vaccination, and all of these terms may have slightly different meanings in different jurisdictions.
[2] According to the recent Report of the Chief Science Advisor of Canada on this issue (March 31, 2021).