Different forms of vaccine and Covid-19 passports are gradually being introduced in jurisdictions around the world. In most cases these are to enable travel between countries but, occasionally, they are being used to provide entry to hospitality venues or to places of work.
Many people are now rightly concerned by the legal implications of the use of sensitive personal data held within a Covid passport. Here Osborne Clarke’s head of digital health Marcus Vass, and Olivia Sinfield, a partner specialising in employment related privacy issues, speak about some of the implications in the EU and UK.
What are the challenges to cross-border data flows on health and Covid-19 vaccine passport data?
Marcus Vass says: “Vaccine passport data will be health data – and health data is special category data. There are several challenges and additional obligations that will apply under GDPR and UK GDPR – including obtaining the correct consent to any transfer and therefore providing the right privacy notice. Any privacy notice must be specific to the processing in question.
“A balance will need to be struck with principles of the European Convention on Human Rights – will vaccine passports exacerbate some of the disadvantages that people sometimes suffer because of their age, ethnicity or gender? Will there be an equivalent to vaccine passports for individuals who have been unable, for age or medical reasons, to receive a vaccine?”
Are there any implications for privacy if health data is shared between companies?
“The far more likely scenario is that personal health data will flow between individuals and public institutions – however it is possible to envisage circumstances where vaccine/health data would flow between companies,” says Marcus Vass.
“A company that collects vaccination passport data will be the data controller and the controller responsible for the processing must undertake an assessment of the data protection implications of vaccination passport on a case-by-case basis.
“Vaccination passport data would require a data protection impact assessment (DPIA) prior to implementation, given that the processing is likely to result in a high risk to rights and freedoms. It is also likely that the processing would require large-scale processing of special category data (in this case, health data), which always requires a DPIA. Companies should keep any such DPIA under review, particularly if there is a change in scope or context that affects the risks of the processing.
“If a company or group of companies wished to have its own vaccination passport then the GDPR principles would apply. The controller should consider how to apply these principles throughout the lifecycle of the vaccination passport. Any vaccination passport must have a lawful basis for processing personal data and meet a condition for processing special category data under data protection law. The good news is that if the processing is necessary and proportionate, it is likely that there will be an appropriate lawful basis for it.
“In the UK, the Covid passport is to form part of an existing NHS App. There must be security built into its use that prevents both the unauthorised use of the sensitive health data that verifies the Covid passport, and unauthorised access to the other sensitive health data it contains.”
Is there divergence between EU member states on handling the health data of their employees?
Olivia Sinfield says: “The operation of privacy laws across Europe limits employers in processing, on a pan-European basis, employee information in relation to vaccinations.
“It is against this context, and the ongoing rollout of the vaccination programme, that employers are now thinking carefully around how the availability of vaccines impacts return to work programmes and whether they can request proof of employee vaccinations status and process this data to help plan for a safe return to physical work.
“An employers’ legal ability to require proof of vaccination and to process this data (being ‘special category data’) varies from jurisdiction to jurisdiction which makes it difficult for businesses to apply a ‘one size fits all’ cross border approach. For example, in the UK this processing of health data is permissible, provided data protection obligations are adhered to and data usage is restricted to the purpose for which it was collected ie health and safety reasons. However, some other jurisdictions take a different (stricter) view. For example, in Belgium employers cannot process data concerning employee vaccination status. While in France and Germany, employers cannot require proof of vaccination from their employees.”
What is the European Commission’s approach?
“It’s this ‘patchwork’ of laws that has driven the European Commission to work on a proposal for a coordinated pan-European approach to the use of (digital) vaccine certificates,” says Olivia Sinfield.
“In some European countries there is a push now for employers to be given more leeway and flex in processing of vaccination data as their current, more restrictive laws, were not designed with response to a global pandemic in mind. Until then, employers need to proceed cautiously when determining their approach to processing of COVID related data of their workforce.”