Covid-19 health status certificates: Policy recommendations on data privacy and human rights

Abstract

Key findings and recommendations This report uses Covid-19 health status certificates as an all-encompassing term, referring to the digital and paper-based certificates that, combined with identity verification, allow individuals to prove their health status (such as the results of Covid-19 tests and vaccination records). It follows from the research that three main barriers to the successful implementation of Covid-19 health status certificates can be identified: 1. Lack of trust 2. Lack of global standards 3. Lack of a holistic approach The research findings suggest that three key sets of measures have the potential to contribute to the responsible implementation of Covid-19 certificates: 1. Inclusion of sunset clauses in legislation 2. Appropriate governance of health data 3. Proactive protection of data privacy

Accordingly, it is recommended that: 1. Policymakers should ensure the availability and affordability of Covid-19 tests and vaccines to the whole population to avoid creating a two-tiered society in which only the wealthy have access to mobility and services. 2. Policymakers should ensure that Covid-19 health status certificates are only used during the pandemic and that their use is discontinued once the WHO declares that Covid-19 is no longer a public health emergency of international concern. 3. Policymakers should ensure that Covid-19 health status certificate providers, whether from the private or public sector, abide by the basic data protection principles, including lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. 4. Policymakers should ensure that Covid-19 health status certificate providers build data protection into the design of these certificates by default, thus contributing towards mitigating known risks to data privacy. 5. Policymakers should ensure that Covid-19 health status certificate providers maintain the confidentiality and security of the information collected and processed. They should prevent any unauthorised access, accidental loss, damage or destruction of the data. 6. Policymakers should request that Covid-19 health status certificate providers undertake data protection impact assessments (DPIA) before implementing specific solutions. That is important as these certificates are likely to result in a high risk to natural persons’ rights and freedoms.