As the restrictions begin to be eased across the UK, the current hot topic is the introduction of ‘Covid vaccine passports’ – certificates showing the status of an individual’s vaccination (and potentially of their latest tests or their immunity status).
This proposed system, which is already being implemented in other countries such as Israel and China, is intended to assist with the easing of lockdown rules, but it raises complex societal, ethical and legal issues.
The risk of creating a ‘two-tier Britain’ is widely reported in the media. The fear, ultimately, is that this would unjustifiably discriminate between individuals. It is believed that it would discriminate: between those who hold a Covid vaccine passport and those who do not; or between those who have been vaccinated, and those who have not, whether by choice or otherwise (for instance by reason of being in a category which has not yet been offered the vaccine). From a legal perspective, the proposed system also involves a sacrifice of basic privacy rights for public health purposes. So is this sacrifice justified?
Health data engages an individual’s right to privacy, and any disclosure of health data would potentially constitute an interference with an individual’s rights under Article 8 of the European Convention on Human Rights. The European Court of Human Rights considers that “respecting the confidentiality of health data is a vital principle in the legal systems of all the Contracting Parties to the Convention” (I v. Finland, Judgment of 17 October 2008, ), including the UK. In data protection law, health data has the protected status of “special category data” which, because of its sensitive nature, benefits from additional protection. In practice, this means that a data controller processing such data must identify not only a lawful basis for processing (which is the case in relation to the processing of any personal data, whether or not it is sensitive), but also a separate condition specifically justifying the processing of sensitive personal data (one of which is that the processing is necessary for reasons of public interest in the area of public health).
Overall, therefore, health data benefits from a high level of protection. Making an individual’s health data public in unauthorised circumstances is unlawful. However, interference with an individual’s rights in relation to health data in order to protect public health is permitted – the question being what the interference will entail, and what guarantees are associated with the interference.
These issues were considered last year in the context of the contact tracing apps, which held the promise of helping to ease the first lockdown. But the use of contact tracing apps was always intended to be voluntary. Whether the use of Covid vaccine passports will be voluntary is unclear. Even if it is, if failure to present a vaccine passport results in an individual being denied entry to some events or premises, or being denied the right to travel, then the system may be voluntary in name only.
From a practical perspective, the use of some form of health credentials is already being partially implemented. When international travel was allowed in between lockdowns, travellers were sometimes asked to produce a negative Covid test when leaving their country of origin, upon arrival to their destination, or on both occasions. The use of health credentials may well be inevitable, at least for a period of time, in order to navigate a return to more ‘normal’ life.
In those circumstances, the question is not so much whether the use of Covid passports should be accepted, but what the guarantees surrounding their use will be. The general principles are well established. The interference with the right to privacy must be justified and proportionate to the legitimate aims pursued and must involve the solution which is least restrictive of privacy rights.
From a data protection perspective, it will be crucial for the data protection principles to be strictly followed and applied. The processing will need to be fair and lawful (and therefore, in practice, justified). The data must be collected for a specified, explicit and legitimate purpose, and it should not be processed for any other purposes. The principle of data minimisation will mean that the only data that should be processed is that truly necessary for the purposes of the Covid vaccine passport. That data will also, plainly, need to be accurate, and it should be stored only for a limited amount of time. Whatever form the Covid vaccine passport takes, it will need to be accompanied by strict security measures in order to prevent data breaches. Lastly, any data controllers relying on Covid vaccine passports will need to be held accountable. In practice, this will involve carrying a systematic analysis of the data protection risks of a processing activity in order to identify and minimise them.
The effectiveness of those guarantees is crucial, because they ultimately dictate the sort of society we live in, and therefore determine whether or not the trade-off of basic privacy rights for public health purposes is justified. From a more pragmatic standpoint, at a time when data subjects are increasingly aware of their rights, and when the courts are seeing the first signs of class (or representative) actions in data protection, it is also immensely important for data controllers to ensure strict compliance with their obligations if they want to avoid being held liable for any failure to comply with data protection laws. Where the processing involves highly sensitive and confidential data, any such failure could carry very serious consequences, which could include the payment of potentially large fines and the need to deal with data subject complaints including demands for compensation.
Mathilde Groppo is an Associate at Carter-Ruck