On May 19, 2021, a Joint Statement by the Federal, Provincial and Territorial Privacy Commissioners was released. The Commissioners made the statement to ensure that privacy is considered as early as possible during discussions involving vaccine passport development.
What is a vaccine passport?
Vaccine passports provide individuals with a verified means of proving that they are vaccinated in order to travel or to gain access to services or locations. They are based on the idea that vaccinated individuals have a significantly decreased risk of becoming infected and a decreased risk of infecting others. The Commissioners state, “If supported by evidence of their effectiveness, vaccine passports could bring about broad and impactful benefits, including allowing increased personal liberties, fewer restrictions on social gatherings, and accelerated economic recovery resulting from greater participation in society.”
Vaccine passports can come in various forms, some of which include digital certificates presented on a smart phone app or paper certificates.
How is privacy affected by vaccine passports?
Notwithstanding the benefits of vaccine passports, it is important to keep in mind that individuals will be required or requested to disclose personal health information, namely their vaccine/immunity status, in exchange for goods, services and access to certain premises or locations.
Essentially, this constitutes an encroachment on civil liberties that requires careful consideration before making any decisions. To that end, the Commissioners created the statement to highlight the relevant privacy considerations.
Highlights
First and foremost, the Commissioners emphasize that vaccine passports must be developed and implemented in compliance with applicable privacy laws—and they should incorporate privacy best practices to achieve the highest level of privacy protection commensurate with the sensitivity of the personal health information that is collected, used, or disclosed.
It is important to remember that there are significant privacy risks involved with vaccine passports, and therefore the following need to be established for each specific context in which they are used:
- Necessity: Vaccine passports must be necessary to achieve each intended public health purpose. Their necessity must be evidence-based and there must be no other less privacy-intrusive measures available and equally effective in achieving the specified purposes.
- Effectiveness: Vaccine passports must be likely to be effective at achieving each of their defined purposes at the outset and must continue to be effective throughout their lifecycle.
- Proportionality: The privacy risks associated with vaccine passports must be proportionate to each of the public health purposes they are intended to address. Data minimization should be applied so that the least amount of personal health information is collected, used, or disclosed.
These elements must be continually monitored to ensure that they continue to be justified, and vaccine passports must be decommissioned if and when they are no longer a necessary, effective, or proportionate response to address their public health purposes.
As knowledge about vaccines rapidly advances and governments and businesses begin to contemplate the introduction of vaccine passports, the Commissioners recommend that they adhere to the following privacy principles:
- Legal authority: There must be clear legal authority for introducing use of vaccine passports for each intended purpose. Public and private sector entities that require or request individuals to present a vaccine passport in order to receive services or enter premises must ensure that they have the legal authority to make such a demand or request. Clear legal authority for vaccine passports may come from a new statute, an existing statute, an amendment to a statute, or a public health order that clearly specifies the legal authority to request or require a vaccine passport, to whom that authority is being given, and the specific circumstances in which that can occur.
- Consent and trust: For vaccine passports introduced by and for the use of public bodies, consent alone is not a sufficient basis upon which to proceed under existing public sector privacy laws. Furthermore, consent alone may not be meaningful for people dealing with governments and public bodies that often have a monopoly over the services they provide. The legal authority for such passports should therefore not rely on consent alone.
The Commissioners point out that, when it comes to businesses and other entities that are subject to private sector privacy laws and are considering using a vaccine passport, the clearest authority under which to proceed would be a newly enacted public health order or law requiring the presentation of a vaccine passport to enter a premises or receive a service. But in the case where there is no such order or law coming into being, and it is necessary to rely on existing privacy legislation, consent may provide sufficient authority if it meets all of the following conditions that must be applied contextually:
- Consent must be voluntary and meaningful, based on clear and plain language describing the specific purpose to be achieved.
- The information must be necessary to achieve the purpose.
- The purpose must be one that a reasonable person would consider appropriate in the circumstances.
- Individuals must have a true choice: consent must not be required as a condition of service.
Additionally, there are specific rules regarding consent in Quebec—consent cannot form the legal basis for vaccine passports. In fact, requesting their presentation would require that the information is necessary to achieve a specific purpose, one that is serious and legitimate.
The Commissioners stated, “Privacy should be front and centre as governments and businesses consider COVID-19 vaccine passports as a tool to help Canadians return to normal life”.
- Recent proposal for an American federal privacy law - April 19, 2024
- Bill 149 receives royal assent March 21, 2024 - April 1, 2024
- Reasonable expectation of privacy in Internet Protocol (IP) addresses - March 26, 2024