Maksim Kabakou - Fotolia

Security Think Tank: ‘Legitimate interest’ crucial for vaccine passports

What are the security issues and challenges presented by vaccine passports, and how should they be designed and used with ethics and privacy in mind?

There are now discernible paths out of the current Covid-related lockdowns. One such path is the use of so-called vaccine passports, but what form would they take and, if adopted, what impact would their use have on an organisation’s security? Bearing in mind that a company’s security stance is a blend of physical security, human resources, regulatory and legal compliance, and IT.

While it would be good for there to be a government-led, single form of passport, there is opposition within the political ranks, so that route is by no means certain. A more probable outcome is that various companies and industries will develop their own passports tailored to specific needs.

Indeed, we already have a form of passport in the personal vaccine record card that people receive when they have their first vaccination. 

Issues that have been cited regarding the use of vaccine passports include:

  • It would discriminate against those who, for legitimate reasons, have not been vaccinated;
  • The difficulty in checking and policing the use of passports, particularly in public venues – although there would be similar issues for companies and workplaces such as building sites;
  • The potential, particularly in a work environment, of gathering personal sensitive information and the associated General Data Protection Regulation (GDPR) and 2018 Data Protection Act (DPA) issues that arise.

In addressing these issues in an ethical way and ensuring compliance with GDPR and DPA 2018 regulations, the following should be considered.

Since all those people who have been vaccinated will have their own personal record (the card given out at the time of their first vaccination), the provision of a passport for those who are not vaccinated for legitimate reasons would seem to be a reasonable approach.

At venues such as pubs, restaurants and theatres that serve the general public, retaining the current NHS Covid-19 test and trace app for customer use would also be a reasonable approach. The only time, then, that a vaccine passport would need to be seen is if a person did not have the test and trace app on their mobile or if the track and trace system were offline. At these venues, there is, however, a legitimate interest in viewing and recording staff vaccine information, be they full-time, part-time or temporary.  

If the vaccination passport information is not recorded, there would not be a GDPR or DPA 2018 issue, but there would still be the issue of whether such information is required to be seen while not being recorded. That would have to be for legitimate interest only for GDPR and DPA 2018 compliance, in my view. However, the Information Commissioner’s Office (ICO) website, at the time of writing, does not specifically give advice regarding vaccine passports, just test and trace information. 

The issue with a passport approach is that of faked passports.

In the workplace, the checking of a person’s vaccine passport could be done by a line manager or equivalent and stored as part of a person’s HR record. Unless government or an industry body’s advice is to the contrary, it should only be necessary to record if a person has a vaccine passport or an exemption passport. That information is still categorised as “personally sensitive” and should only be collected if there is legitimate interest, such as in situations where the person is likely to come into contact with the general public or people from other organisations, or undertake food preparation. Here, again, future government or industry body advice on this area might well determine different outcomes.   

Read more on Privacy and data protection

Data Center
Data Management