The need for privacy in vaccine passport policies
Let’s be careful and deliberate about what we decide to do with vaccine passports. Considerable consequences to individual freedoms – as well as both societal and public health – are at stake.
As more Americans seek vaccines to reopen the doors to their lives, the topic of digital passports to prove inoculation against COVID-19 has spiraled upward. The evolving story of vaccine passports is global, complicated, politicized and polarized. In many cases, these stories do not consider one of the most critical concerns: privacy impacts related to personal medical information security.
Hacking Healthcare, the weekly blog for members of the Health Information Sharing and Analysis Center (H-ISAC), recently provided some key updates. The EU has launched a Digital Green Certificate Program, expected to be ready later this summer. Israel has a Green Pass to validate vaccination (or COVID-19 recovery date for antibody immunity), needed to enter restaurants and other crowded venues.
Chris Elliott with the Washington Post recently covered new programs, including the IATA Travel PASS, a digital platform under development from the International Air Transport Association, and the Common Pass, a digital immunity passport in testing by the non-profit group Commons Project Foundation along with the World Economic Forum. The Commons Project is also working with Walmart and Sam’s Club to offer digital access to a person’s vaccine records. Our favorite TSA line-skipping service, CLEAR, is also getting in the game.
New York state requires proof of vaccination to enter large venues. Governor Cuomo recently announced the launch of Excelsior Pass, stored in the wallet app on smartphones. It uses blockchain technology to prevent businesses that scan the pass from accessing that person’s medical or personal information without consent. The governors of Texas and Florida have recently taken a different route. Texas Governor Abbott banned vaccine passports altogether. Not to be outdone, Florida Governor DeSantis issued an executive order prohibiting businesses from requiring customers to prove vaccination status to get service.
Let’s look at the policies in play. Aside from the numerous privacy laws designed to protect personal information, HIPAA allows for disclosures of personal information to public health authorities to prevent or control disease (45 CFR § 164.512(b)).
The CDC’s Vaccine Playbook also calls for a nationally coordinated approach to collecting, tracking, and analyzing vaccination data. The CDC’s Immunization Information Systems (IIS) is the platform for collecting this data 1) in a timely fashion (within 24 hours of administration) and 2) through a connection to the Immunization Gateway (IZ Gateway) or data lake. While my hope is that the data lake leverages bullet-proof security, is cloud-native and managed by experts, data lake security is a topic for another day.
On the topic of vaccines, a particular concern from a privacy perspective is with whom the CDC and other regulators choose to share the data about hundreds of millions of individuals. I’m concerned about data sharing agreements, who enforces them, and how. I’m always worried about these third parties’ trustworthiness with regard to tapping in and using that data. Those who refuse the vaccine will end up in the database too. Clearinghouses will likely consume data from those refusing the vaccine to validate whether vendors like CLEAR should allow the flyer to the gate.
The CDC playbook appears to permit the data to be freely shared with contractors without liability concerns. People who opt in and are granted travel privileges will be safer flying with a vaccinated population. What rights do those who won’t travel, and who do not consent to their data being collected and shared, preserve during a pandemic? Will their data be shared regardless of their refusal to consent? After we return to normalcy, will that data be used for political purposes? Could it be used for commercial purposes? Or worse, could it be used to discriminate against those who approached the pandemic “outside the norm”?
The ethical concerns are plentiful. Yet, we need data to be safer, including data about who is and is not immune based on vaccination. Ideally, we want people to be safe AND maintain their rights to privacy.
The Public Readiness and Emergency Preparedness Act (PREP Act) outlines some of these potential access and liability issues. Still, there’s quite a bit to work out concerning the actual compilation, storage, and delivery of the data.
Our government is not known for keeping confidential information protected. Every time I log in to the identity theft monitoring tools provided to me, as a breach victim, I’m reminded of that. On this topic, sadly, past performance gives us a glimpse of future results. This data must be proactively protected and governed. The government must approach this with mobile banking security levels, not mobile hotel reservation levels. We’ve all seen breaches across both of these industries and the harm they cause.
Complicated problems don’t usually have easy solutions. On the one hand, we want to protect each citizen’s privacy. On the other hand, we need to protect each individual’s health. I’m always concerned about misused data, especially those scenarios that could prevent people from participating in society. China’s emerging social credit system is a profound example of where we don’t want to go. There, a person’s social score can be misused to limit a person’s liberties and negatively affect their lives.
Sadly, the harm to individuals has already begun and can include stigmatization, scapegoating and ostracization, to name a few. As shared by The New York Times, even people who have recovered from COVID-19 are being “forced to navigate a world that clearly is not yet ready to welcome them back into a still-sheltering society.” University of Washington Professor Ryan Calo’s work on objective and subjective privacy harms states “some of the risks to individuals strike at the heart of democratic society and institutions: loss of self-determination, discrimination and loss of trust are examples of privacy risks to individuals that can have wide-ranging consequences for societies.”
As a privacy and compliance expert with years of experience dealing with all manner of healthcare policy issues, I have some concerns about mandating vaccine passports for the following reasons:
1. People should be able to consent to data sharing voluntarily regardless of whether taking the vaccine is perceived as beneficial to the greater good. Patient data is private and should remain as such.
2. At this stage, it’s hard to comprehend who will have access to this data and how it might be used. Such an unknown is problematic from a patient privacy perspective.
3. The vaccine mandate does not adequately address those who have had COVID-19 and have developed baseline immunity from that experience. The question then becomes how they will be treated in society at large for not participating in the vaccine program, given that they have developed antibodies to COVID-19, at least in the short term.
4. Finally, can such data be adequately protected given how prevalent cyber-breaches are in this day and age?
As we move from lockdown to normalcy, I urge our policy makers to:
1. Acknowledge that privacy risks to individuals are real, but difficult to determine, particularly with laws that attempt to define privacy harms.
2. Understand that the harm to a person’s privacy can, and usually does, occur later in time than the violation that caused it. What’s happening now may come back to haunt us later.
3. Err on the side of the individual’s privacy rights rather than a callous approach to data collection, sharing and use.
4. Require those entities that share the data to have a legal basis for doing so, just like in the EU. And then ensure that data protection is regulated and enforced at every stage of the data lifecycle.
5. Create rules and impactful penalties for those organizations that misuse vaccination data that belongs to our citizens.
6. Be aware that stigmatized or ostracized individuals will likely distrust the organizations that collect personal information, such as test results and diagnoses. This loss of trust can and will likely result in behaviors that defeat public health efforts in the first place.
Let’s be careful and deliberate about what we decide to do with vaccine passports. Considerable consequences to individual freedoms – as well as both societal and public health – are at stake.