Health Data and Vaccine Passports
With the rollout of the Moderna, Oxford/AstraZeneca and Pfizer vaccines, around 46.3 million people in the UK to date have received at least one dose of a Covid-19 vaccine.
Despite 365,300 people (and counting) signing a government petition in opposition of the Covid-19 vaccine passport, many governments are now assessing the prospect of such a framework in relation to both work and travel. Following the Prime Minister’s announcement on 19 July 2021 regarding the requirement to be fully vaccinated in order to attend a nightclub from September, the future of vaccine passports is appearing more likely by the day.
The European Commission have already rolled out the ‘EU Digital COVID Certificate’, which is designed to facilitate safe free movement of citizens in the EU during the pandemic. Whilst the framework has clear benefits, such as preventing the spread of the virus, consideration of such programmes must be given to the collection and processing of data, pursuant to data protection regulations. In light of this, in this article we consider vaccine passports and the implications on health data. Vaccine passports may also have human rights considerations such as whether vaccine passports are a breach of human rights, but this topic is not considered in this article.
Special category data
Special category data, such as health data, is provided with additional protection under the legislation due to its significant risk to an individual’s fundamental rights and freedoms. Health data covers an individual’s current and future health status and includes a wide range of personal data, such as information concerning injuries, disease, disability, medical opinions, examination data, and vaccination details.
UK GDPR and Data Protection Act 2018
Before an organisation can lawfully process an individual’s health data for the purposes of a vaccination passport, they must identify a lawful basis for processing data and a separate condition for processing special category data under the UK GDPR:
- Article 6 of the UK GDPR identifies a basis for which health data can lawfully be processed, including:
- Explicit consent.
- Protection of the interest of the data subject or another person.
- Performance of a task carried out in the public interest.
- Article 9 of the UK GDPR identifies a basis for which special category data can be processed, including:
- Explicit consent.
- Substantial public interest.
- Public interest in the area of public health, such as protecting against serious cross-border threats to health.
It is likely that companies will rely on one of the above reasons for the collection, processing and storage of health data for the purposes of the Covid-19 vaccine passports. If the basis of substantial public interest is relied upon, an organisation must meet one of the 23 specific substantial public interest conditions set out in paragraphs 6 to 28 of Schedule 1 of the DPA 2018.
Appropriate policy and impact assessment
Even if an organisation satisfies the above, as health data is deemed to be high risk, appropriate and effective security must be in place. This includes:
- Completing a data protection impact assessment to ensure the risk of processing such data is known.
- Documenting the categories of data processed.
- Documenting the risks associated with processing the heath data and other obligations such as data minimisation, security, and appointing Data Protection Officers (DPOs) and representatives.
So, whilst there are advantages of vaccine passports, organisations must ensure that they consider and adhere to the regulations above before introducing the framework. Strict privacy and data protection rights of individuals must be balanced with the interests and protection of the wider public, and in the event that organisations strike the lawful balance, the health data must be dealt with appropriately and in accordance with the regulations.
If you have any questions or would like more information about any of the information outlined above, please do not hesitate to contact Emma Weedy or another member of the BPE Commercial team.
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.