The rollout of the Pfizer and AstraZeneca vaccines across the UK has brought with it the hope that large-scale vaccination against Covid-19 will allow life to return to a new sense of normality.
As this happens, there have been calls from certain industries for individuals to demonstrate their vaccination status before being granted access to services. This could be of importance in several sectors, including airlines or large sports venues which rely on full stadiums to draw in money.
It has been reported that a trial will take place throughout January and February 2021 using a free app which can demonstrate whether one, two or no jabs have been received by an individual. However, consideration needs to be given as to whether vaccination details can be collected and processed in exchange for access to venues or services pursuant to the General Data Protection Regulations (GDPR).
Special category data
Special category data is a category of personal data which is particularly sensitive and therefore requires more protection than usual. It includes personal data which reveals or concerns details of an individual’s health, including data that allows someone’s health details to be inferred or guessed. Therefore, an individual’s vaccination details would be deemed to be special category data and subject to special protection.
What are the rules?
To process special category data, as well as complying with the usual principles and requirements of the GDPR, one of the specific conditions set out in Article 9 of the GDPR must be met. The specific conditions include obtaining explicit consent from the data subject and reasons of substantial public interest.
If the basis of substantial public interest is relied upon, one of the 23 specific substantial public interest conditions set out in the Data Protection Act 2018 (DPA) must also be met. One of these is protection of the public. Therefore, it is likely that organisations seeking to implement a ‘vaccine passport’ will attempt to rely on either explicit consent or reasons of substantial public interest as the basis for processing special category data.
As health data is generally deemed to be high risk (even where an individual is happy to explicitly consent to having their health data collected, stored and processed), technologies used to collect the data need built-in security effective enough to give the data the highest level of protection. It is also likely that processors will be required to carry out an impact assessment before processing any health data.
Organisations collecting and processing special category data must keep records, including documenting the categories of data processed and the risks that such processing poses to other obligations such as data minimisation, security, transparency, and rights related to automated decision-making.
Whilst there are clear advantages to a ‘vaccine passport’, before looking to impose an obligation on individuals to disclose their vaccination details, organisations and governments will need to balance the privacy rights of individuals against the wider protection of society. They must ensure that any steps taken do not infringe on an individual’s right to have their sensitive data dealt with appropriately and in accordance with data protection rules.