Would vaccination passports guarantee data privacy?

One of my friends recently drew my attention to an article in Time magazine, in which the International Olympic Committee (IOC) President Thomas Bach has said that COVID-19 vaccinations could be required for athletes and fans to attend the postponed Tokyo Olympics. This is set against a backdrop where vaccines to inoculate against COVID-19 are being developed and (at the time of this writing) set to be given to the public. To limit the spread of the disease at an event vast numbers of people are expected to attend, drastic measures are being considered to not risk another massive increase in cases worldwide.

Given that there are several global events planned for 2021 and assuming that vaccination passports provide a solution, how could they be implemented appropriately?  What regulations should be complied with to protect personal information and reduce the likelihood of the infringement of human rights?

There are many questions to be answered, some of which focus on the governance of personal data.

Reasoning

IATA recently announced that it was creating a digital platform to facilitate the sharing of vaccination information called the IATA Travel Pass. The reasoning for this is: “to re-open borders without quarantine and restart aviation governments need to be confident that they are effectively mitigating the risk of importing COVID-19. This means having accurate information on passengers’ COVID-19 health status.”

It seems prudent that a collective definition of why the data is being gathered across the world should be adopted. If the reason is simply to present proof of having had a vaccination, that in itself is quite different from requiring presentable proof of immunity. Such a requirement should, at the minimum, include a follow-up test to prove that the individual has produced the required protective antibodies.

Compliance

The concept of data sovereignty means that personal information (including health data) is usually governed by regulations that afford some protection to the citizens of the region where the data is stored. Examples of this include:

• HIPAA (USA)
• PIPEDA (Canada)
• GDPR (EU)
• Data Privacy Act (Philippines)

However, how do you apply the principles of health data governance internationally? What standards should be used to protect the data? How should it be stored, and what should happen to it when it is no longer needed? The standard requirements of asset management and data governance must be observed when processing personal data, even in a global context.

Integrity

In order to have a trusted worldwide system that can prove that an individual has had a vaccination, it would seem logical that such a system should have traceability built in. This would imply that an assertion that an individual has had a vaccination can be traced back to a point in time where the injection was administered (and, potentially, which type of vaccination it was – especially given that different vaccines have different efficacy rates).

Administration

How should such a system be administered? Should it be on a country-by-country basis, given that each nation could claim ownership of said data and how it should be used? If the aviation industry (IATA) is setting up its own system, should this be a process that is extended to travel across land borders? How would such a system be applied consistently in different countries, with varying levels of social and technical infrastructure, so that travelers around the world have equal access to transport?

Conclusion

In the next 12 months, the world has an expectation (or hope) to return to business as usual, including international travel. That includes the following sporting events postponed from 2020:

• Football European Championships (Europe)
• Copa América (Argentina and Colombia)
• Ryder Cup (USA)
• Olympic Games (Japan)

If we are going to reduce the likelihood of a return to the levels of infection seen throughout 2020, a number of measures will have to be implemented. Ideally, these should enable equal access to travel, irrespective of the economic background of one’s country.  A vaccination passport may well be one of these, but to keep the pandemic in check it will require a truly collaborative approach to the governance of data that matches to that seen by the global medical community to make a real difference.

To learn about Capgemini Data Protection and GDPR Services, visit: https://www.capgemini.com/be-en/service/digital-services/gdpr-readiness/data-protection-gdpr/

References

http://www.bbc.com/travel/story/20200831-coronavirus-will-you-need-an-immunity-passport-to-travel

https://time.com/5912335/tokyo-olympics-vaccine/

https://www.iata.org/en/publications/travel-pass/

Terence Stamp

Expert in Identity and Access Management

I advise my clients on the implementation of Identity and Access Management solutions using a number of different technologies. I also architect and design these solutions performing integrations with both on-premise and cloud platforms.