With the Canadian governments slowly easing pandemic restrictions entering buildings and taking commercial flights, some are calling for people to have COVID-19 vaccine certificates to prove they have been inoculated.
However, the country’s privacy commissioners warn these documents or digital apps — sometimes called vaccine passports — have to meet federal and provincial privacy laws.
“Vaccine passports must be developed and implemented in compliance with applicable privacy laws,” the federal and provincial privacy commissioners said in a joint statement issued Wednesday. “They should also incorporate privacy best practices in order to achieve the highest level of privacy protection commensurate with the sensitivity of the personal health information that will be collected, used or disclosed.”
A vaccine certificate “may offer substantial public benefit,” the commissioners admit. But they add, “it is an encroachment on civil liberties that should be taken only after careful consideration.”
Governments approving vaccine certificates must consider three factors:
- Necessity – vaccine passports must be necessary to achieve each intended public health purpose. Their necessity must be evidence-based and there must be no other less privacy-intrusive measures available and equally effective in achieving the specified purposes.
- Effectiveness – vaccine passports must be likely to be effective at achieving each of their defined purposes at the outset and must continue to be effective throughout their lifecycle.
- Proportionality – the privacy risks associated with vaccine passports must be proportionate to each of the public health purposes they are intended to address. Data minimization should be applied so that the least amount of personal health information is collected, used or disclosed.
Exactly what a vaccine certificate looks like is still under discussion. It could be a signed piece of paper or a digital app. Either way, it would have to be tamper-proof to prevent counterfeiting. One of the problems, critics say, is that demand for certificates will be so high people who haven’t been, or refuse to be, vaccinated will be willing to buy fake documents.
In March, Check Point Software reported fake COVID-19 test results and vaccine certificates were being sold on criminal websites to be re-sold to the public.
The director of the Canadian Civil Liberties Association’s privacy program has been quoted as opposing a vaccine certificate in part because getting a COVID-19 vaccine is a personal choice.
“Carrying papers to show that we made that decision has the potential to create a two-tier society,” said Brenda McPhail. “The included, those that got the vaccine. The excluded, those who don’t.”
Vaccination certificates aren’t new. Many public schools require children to show proof of vaccination for childhood diseases like mumps. Some countries required certificates proving vaccination against certain communicable diseases for entry before the pandemic
The COVID-19 pandemic has increased some pressure on governments to issue them to control those crossing borders, particularly on airlines. Some businesses and airlines want customers and passengers to show them as a way of reassuring others in their buildings or planes they likely won’t catch the virus.
Also in March, the New York State approved a mobile app called the Excelsior Pass that allows users to pull up a code on their cellphone or a printout to prove they’ve been vaccinated against COVID-19 or recently tested negative for the virus that causes it. Confirmation information comes from the state’s vaccine registry and is linked to testing data from a number of pre-approved testing companies.
The United Kingdom has said the standard mobile app issued to residents by the National Health Service for online checking of things like test results can be used for proof of vaccination.
In addition to solving problems such as where confirmation of vaccination will come from, (a doctor’s office? a provincial registry that tracks vaccinations?) questions of privacy and security — especially with mobile apps — have to be faced. There’s also the concern that different provinces or countries will create their own standards and apps, leaving individuals to upload several apps.
Meanwhile, there are several groups looking to create a secure standard. One in the U.S. is the Vaccination Credential Initiative, which includes Microsoft, Oracle and the Mitre Corp., a federally-funded non-profit which is behind the Mitre ATT&CK vulnerability classification framework.
According to a poll released in April, a majority of Canadians surveyed expect vaccine passports to be widely used in Canada by the end of the year, with six in ten (61 per cent) who agree (26 per cent strongly/35 per cent somewhat).
There is strong support for showing passports in order to enter the country: nearly eight in ten (78 per cent) agree strongly or somewhat that all travelers entering Canada should be required to have a vaccine passport. Canadians broadly agree that venues capable of hosting large crowds should make vaccine passports mandatory. Two in three (65 per cent) agree either strongly or somewhat that all large public venues such as concert halls and stadiums should require one.
So far, the federal and provincial governments have been cautious. Asked by reporters about federal plans, Prime Minister Justin Trudeau said, “We are working on it on a scientific basis and we will have more to announce when we have it to announce.”
One of the problems created by a vaccination certificate is what does it stand for? As the privacy commissioners note, so far there is no scientific measurement of vaccine effectiveness to prevent transmission of COVID-19. That makes it hard for a jurisdiction to demand people have a certification for access to a building or service. On the other hand, the commissioners recognize that the scientific community says this evidence may soon be available.
Toronto privacy lawyer Barry Sookman of the McCarthy Tetrault law firm said in an interview that a number of his business clients have been investigating the possibility of demanding COVID vaccine certificates. “It’s a useful tool that organizations that want to ensure safety of people that are going to use a service where there is a possibility of infecting others” are pondering, he said.
The public accepts the use of many types of government-issued documents that verify an individual’s status for accessing services, he argued: Driver’s licences, passports, health cards and more. If you don’t have a driver’s licence, you can’t drive. “What those do is just indicate a status. I think of them a more efficient way of recording information.”
Similarly, he said, an airline should be able to say for the safety of passengers it will only allow those with one or two of their COVID shots. For efficiency, the proof would be a government of medically-issued document. That document, Sookman adds, should have to meet privacy protection standards, and only be used for the purpose needed (such as admission to a building). It could not be passed on to a third party.
As for the statement from the privacy commissioners, Sookman described it as “high-level principles” rather than practical guidance governments and businesses can use.
He doesn’t buy the argument that not having a COVID-19 proof of vaccination creates two classes of people.
Teressa Scassa, Canada Research Chair in information law and policy at the University of Ottawa, said the commissioners’ joint statement raises concerns about potential privacy issues raised by vaccine passports in advance of their use in Canada.
“The actual privacy impacts are difficult to assess without knowing more about what implementation is contemplated, or how the so-called vaccine passports will be used,” she said in an email. “Hopefully any government (federal, provincial or territorial) considering the development of a vaccine passport will seek out the specific advice of their privacy commissioner, and will conduct a privacy impact assessment.
“Vaccine passports could have very significant impacts on civil liberties, and there may also be issues of discrimination associated with their use. We have privacy laws for public and private sectors in Canada and strong, respected regulators who provide guidance and oversight of those laws. Yet, digital technologies increasingly present complex challenges that include privacy, discrimination, bias, and civil liberties issues. We have relatively weak legal and regulatory frameworks to address digital technology issues other than privacy, and to provide oversight, guidance, transparency and accountability. We are increasingly going to see digital technologies presenting a complex suite of challenges. Our only serious regulatory/oversight framework is privacy law. If all you have is a hammer, everything looks like a nail. We need more tools in our toolbox to address the impacts of digital technologies on our lives.”
Meanwhile, the privacy commissioners say that governments and businesses should think of these two principles:
- Legal authority: There must be clear legal authority for introducing use of vaccine passports for each intended purpose. Public and private sector entities that require or request individuals to present a vaccine passport in order to receive services or enter premises must ensure that they have the legal authority to make such a demand or request. Clear legal authority for vaccine passports may come from a new statute, an existing statute, an amendment to a statute, or a public health order that clearly specifies the legal authority to request or require a vaccine passport, to whom that authority is being given, and the specific circumstances in which that can occur.
- Consent and trust: For vaccine passports introduced by and for the use of public bodies, consent alone is not a sufficient basis upon which to proceed under existing public sector privacy laws. Furthermore, consent alone may not be meaningful for people dealing with governments and public bodies that often have a monopoly over the services they provide. The legal authority for such passports should therefore not rely on consent alone.
“For businesses and other entities that are subject to private sector privacy laws and are considering some form of vaccine passport, the clearest authority under which to proceed would be a newly enacted public health order or law requiring the presentation of a vaccine passport to enter a premises or receive a service,” said the commissioners.
Without such a law or relying on existing privacy legislation, consent may provide sufficient authority if it meets all of the following conditions, which must be applied contextually given the specifics of the vaccine passport and its implementation:
- Consent must be voluntary and meaningful, based on clear and plain language describing the specific purpose to be achieved;
- The information must be necessary to achieve the purpose;
- The purpose must be one that a reasonable person would consider appropriate in the circumstances;
- Individuals must have a true choice: consent must not be required as a condition of service.