Comment on vaccine passports and how companies can collect Covid-19 data
With countries across the globe working tirelessly to vaccinate their residents against Covid-19, thoughts are now turning to the practicalities of reopening the global economy.
One suggested tool to enable this is to create a digital vaccine passport – or ‘green pass’ as it is being called by EU leaders who plan to publish their legislation shortly. Holders could potentially resume travelling between countries, attend major events and, for those who cannot (or will not) have the vaccine, it could record negative Covid-19 test results.
The question is, how much of our lives will be restricted if we do (or don’t) have such a passport? Would it be used to screen job applications? Could it stop us visiting retail outlets? Will pubs and clubs demand our vaccine passes alongside ID?
More importantly for business owners, what can we legally ask of our customers and staff without overstepping data protection legislation? These are important questions to ask, especially for consumer facing organisations such as retailers and the hospitality sector looking to reopen in the near future.
Rob Masson, CEO at The DPO Centre, the UK’s leading independent data protection officer resource centre, said this is a potential minefield for companies already grappling with GDPR, Brexit and the impact of a global pandemic.
Rob said: “Until we know the final arrangements for a vaccine passport, we can only plan for what we think might happen and discuss the balance and reasonable steps an organisation will need to take between an individual’s right to privacy and the wider impact on the public’s health.
“For example, retailers don’t currently stop customers at the door and ask about their health. So, will it be seen that the Covid-19 passport is a necessary invasion into our privacy?”
It looks increasingly likely that technology will play a major part in whatever the solution ends up being. Although anyone vaccinated in the UK currently receives a paper-based notification, not too dissimilar from the Yellow Fever certificates issued for those visiting parts of Africa, going forward we are more likely to see an app-based solution.
Whether the UK utilises the existing NHS app (not to be confused with the NHS Covid-19 app), which currently provides a record for all immunisations, joins the digital green pass scheme with its European counterparts, or works with the WHO on a global initiative, current EU and UK legislation dictates any data regarding the health of an individual held by a company is classed as a ‘special category’ personal data. This is stringently regulated and anyone collecting this type of data must follow strict guidelines to ensure it is held securely and processed lawfully.
Masson adds: “As the UK moves through the road map out of lockdown, and the role of vaccine passports becomes clearer, decisions need to be made by any consumer facing business planning to reopen.
Firstly, if it is important to your business to ask either your customer or your staff whether they have either had the vaccine or have received a negative Covid-19 test, what is the legal basis for asking and processing the information? Secondly, how should this data be securely held and for how long? Finally, who can we share this information with and for what reason?
Rob said: “With Brexit and Covid-19, many companies are facing increased pressure and scrutiny around data protection and privacy issues. Data protection is one of the fastest growing areas of business in the UK and Covid-19 has placed it firmly at the top of the agenda for most organisations. It’s therefore vital that organisations understand their exposure to data and privacy risk as it impacts every part of their business from employees, to clients, partners and wider stakeholders.”
Contact: Louise Ahuja firstname.lastname@example.org Tel. 07788676913
Notes to Editors
Founded in 2017 by Rob Masson, The DPO Centre is the UK’s leading independent data protection resource centre, offering expert advice and ensuring organisations have access to the level of knowledge and expertise they require to comply with the highest standards of privacy and data protection.