By John P. Desmond, AI Trends Editor
Confirmation of getting a COVID-19 vaccine is likely to be required at some airports and possibly workplaces soon. Multiple efforts are ongoing, each with a range of compliance and privacy risks.
Patients who have been vaccinated get a small piece of paper as proof, a paper that is easy to lose and vulnerable to fraud and counterfeiting. Public and private organizations are responding by developing digital health passports. However, without agreed-upon standards, different health passes run the risk of a fragmented system that could slow down efforts to bring travel back safely and resume other “normal” activities.
“You might show up at the airport trying to prove your recent COVID test result or vaccination certificate, and you pull up an app that is not recognized, and now you’re scrambling to figure out how to get on the plane,” stated Dakota Gruener, executive director of ID2020, an organization which advocates for digital IDs, in a recent account in Fierce Healthcare.
Companies in the technology, health and travel sectors have banded together to form the Good Health Pass Collaborative, announced in February, to create a “blueprint for interoperable digital health pass systems.”
Members include the Airports Council International (ACI), Commons Project Foundation, COVID-19 Credentials Initiative (CCI), Evernym, Hyperledger, IBM, International Chamber of Commerce (ICC), Linux Foundation Public Health, Lumedic, Mastercard, Trust Over IP Foundation, and others
Other efforts include the CommonPass mobile app, created by the Commons Project Foundation and the World Economic Forum, being used by United Airlines and other airlines on some international flights. The World Health Organization is also working on a digital vaccine certificate for international travel, and Health Pass by Clear, which uses biometric identifiers, is in use at Los Angeles International Airport.
“Our health data consists of the most sensitive personal information, deserving of the strongest privacy. Release of our health data must be under our personal control. The Good Health Pass does just that,” stated Ann Cavoukian, Ph.D., executive director of the global Privacy and Security By Design Centre, in a statement. ”With Privacy by Design embedded throughout, you control the release of your digital health data, and to whom; all de-identified and decentralized, privacy and functionality.”
Meanwhile, tech giants including Microsoft Corp, Oracle and healthcare companies Cigna Corp and Mayo Clinic in January joined a coalition pushing for digital records of people who get vaccinated against COVID-19, according to an account from the Reuters Foundation.
The project, called Vaccination Credential Initiative, aims to help people get encrypted digital copies of their immunization records stored in a digital wallet of their choice.
Privacy Concerns Paramount
Companies should avoid asking employees to adopt digital travel health passports until they have conducted extensive data privacy impact assessments, according to the global head of privacy for CWT, the digital travel management company, in an account in Business Travel News.
Under the European Union’s General Data Protection Regulation, health data is treated as “sensitive data,” which may be processed only if a clear legal basis has been established to do so. To date, the legal basis has yet to be clarified for travel health passports, according to Christel Cao-Delebarre, global head of privacy for CWT.
Companies also are advised to carry out due diligence on the security of the different passport products under development and establish whether they, as employers, would face liability in the event of any breaches. In a survey recently published by BCD Travel, business travelers cited satisfactory data protection as their number one criterion for acceptance of health passports.
Health passports carry a digital record of whether holders have been tested or vaccinated for COVID-19. Almost every country worldwide currently requires evidence of a negative Covid test before gaining admission, and discussion has started about whether a vaccination certificate should be made a prerequisite for border entry or boarding aircraft.
At least 10 passport schemes actively are being promoted, and in some cases are already being trialed. “Every new proposal to help people get out of their homes we’ll welcome, but they need to be in compliance with fundamental privacy rights to ensure trust,” Cao-Delebarre said. “There’s more work to do right now before the passports can be issued.”
Currently, in most countries, governments have not made it a legal obligation to be vaccinated against COVID-19. Whether employers can ask employees to disclose whether they have obtained a health passport, is a tricky question and the answer varies by region. Under Europe’s GDPR, consent must be given freely, but this might be impractical if the employee fears the potential consequences of refusal. In the Asia-Pacific region, it is generally allowed for employers to ask for this data.
“All in all, it is unlikely there will be scope for a global policy, which can make it challenging for global employers,” stated Cao-Delebarre. “Privacy risk assessments will be on a case-by-case basis, taking into account, in addition to local law, the sector in which employers have their activity and the specific employment duties and role of a particular employee.”
Blockchain Technology Pointed to as Basis of Security
Data protection schemes including the International Air Transport Association’s Travel Pass, or ICC AOKpass—whose backers include the International Chamber of Commerce and assistance and risk management company International SOS—claim they avoid many privacy pitfalls by not maintaining a central database to store traveler data.
AOKpass, for example, places each record on its own blockchain. “It’s scientifically impossible to go backwards from the hash to the information,” stated co-founder Dr. Chester Drum. “That process allows us to manage signatures instead of the information itself and that provides the authentication backbone.”
Block is being employed in the Digital Health Pass being developed by IBM, which recently announced a pilot program with the State of New York, according to an account on an IBM blog written by Steve LaFleche, General Manager, IBM Public and Federal Market.
“The pass would give the state’s residents the ability to voluntarily share their health status on their own terms using a tool that has been built from the ground-up with robust privacy protections in place,” LaFleche stated. “Each participant will determine what information they want to share, with whom, when and for what purpose—from sharing the underlying personal data used to generate the credential,” he stated.