Vaccine Passports and how businesses can go wrong
Rob Masson, CEO of The DPO Centre, comments on vaccine passports and offers practical advice on how organisations can protect themselves when considering requests for health information.
“Business owners need to ask: what can be lawfully requested from customers and staff without overstepping data protection legislation? These are important questions to ask, especially for consumer-facing organisations and the hospitality sector.”
“Organisations need to discuss the balance between an individual’s right to privacy and the wider impact on the public’s health.”
“For example, retailers don’t currently stop customers at their doors and ask anything about their health. So will it be seen that the Covid-19 passport is a necessary invasion into our privacy?”
“Current legislation classifies data relating to the health of an individual held by a company as ‘special category’ data. This is more stringently regulated and anyone collecting this type of data must follow strict guidelines to ensure it is processed securely.”
“First, if it is important to your business to ask either your customer or your staff whether they have either had the vaccine or have received a negative Covid-19 test, what is the legal basis for requesting and processing this information? Secondly, how should this data be securely held and for how long? Finally, who can access this information and for what reason? If the Information Commissioner comes knocking on your door, can you justify why the information was requested and retained?”
“It is vital businesses understand their exposure to personal data and privacy risk as it impacts every part of their business from employees to clients, partners and wider stakeholders.”