The vaccine passport dilemma - Proving we’re protected
On 17 May the NHS app is being updated to include a ‘Covid passport’.
People in England who have had a full course of the Covid-19 vaccine can demonstrate their Covid-19 vaccination via the app.
According to the government website, the Covid passport will be used for international travel. The question is, how much of our lives will be restricted if we do (or don’t) have such a passport? Will it be used to screen job applications? Could it stop us from visiting certain retail outlets? Will pubs and clubs demand our vaccine status alongside our ID?
More importantly for business owners, what can we legally ask of our customers and staff without overstepping data protection legislation? These are important questions to ask, especially for consumer-facing organisations such as retailers and the hospitality sector looking to reopen soon.
Rob Masson, CEO at The DPO Centre, the UK’s leading independent data protection officer resource centre, said this is a potential minefield for companies already grappling with GDPR, Brexit and the impact of a global pandemic.
Rob said: “There needs to be a discussion on the balance and reasonable steps an organisation will need to take between an individual’s right to privacy and the wider impact on the public’s health.
“For example, retailers don’t currently stop customers at the door and ask about their health. So, will it be seen that the Covid-19 passport is a necessary invasion into our privacy?”
Current EU and UK legislation prescribes that any personal data regarding the health of an individual is classed as ‘special category’ data. This is stringently regulated and anyone collecting this type of data must follow strict guidelines to ensure it is held securely and processed lawfully.
Masson adds: “As the UK moves through the road map out of lockdown, and the role of vaccine passports becomes clearer, decisions need to be made by any customer-facing business planning to reopen.
“Firstly, if it is important to your business to ask either your customers or staff whether they have had the vaccine or have received a negative Covid-19 test, what is the lawful basis for asking and processing the information? Secondly, how should this data be securely held and for how long? Finally, who can we share this information with and for what reasons?”
Rob said: “With Brexit and Covid-19, many companies are facing increased pressure and scrutiny around data protection and privacy issues. Data protection is one of the fastest-growing areas of business in the UK and Covid-19 has placed it firmly at the top of the agenda for most organisations. It’s therefore vital that organisations understand their exposure to data and privacy risk as it impacts every part of their business from employees, to clients, partners and wider stakeholders.”