Authors: Kristél Kriel, Adam Lakusta
2020 was a year like no other. Despite recent surges in COVID-19 case numbers across Canada, there is now reason to be cautiously hopeful. Recent medical advances and breakthroughs have produced a variety of vaccines which promise to safely and effectively combat the spread of COVID-19. As vaccination rates continue to climb in Canada, governments and businesses are looking for ways to safely lift public health restrictions and reopen the economy.
What are Vaccine Passports?
One method proposed for getting back to “normal” is the concept of “vaccine passports.” Vaccine passports would function as a means of confirming a person’s COVID-19 vaccination status. Possible applications for such passports include: crossing international borders, accessing air travel and gaining entry to crowded events.
Proponents of vaccine passports argue that they are essential to ensure that people are at a low risk of becoming infected and have a decreased risk of infecting others when participating in high-contact social activities. If vaccine passports are successful in limiting the spread of COVID-19, some benefits include fewer restrictions on social gatherings and accelerated reopening of the Canadian economy. These benefits also come at a cost, however, as any vaccine passport scheme will require individuals to disclose sensitive personal health information and therefore infringe on the privacy rights of Canadians. Any organization considering the use of vaccine passports or collecting information relating to vaccination status must carefully consider privacy and other legal requirements before doing so.
Guide for Businesses and Governments
On May 19, 2021, the Federal, Provincial and Territorial Privacy Commissioners (the “Commissioners”) published a joint statement (the “Joint Statement”) regarding vaccine passports. In their Joint Statement, the Commissioners stated that, as a result of privacy concerns relating to vaccine passports, it is essential that governments and businesses comply strictly with both Canadian privacy laws and abide by privacy best practices.
Necessity, Effectiveness and Proportionality
To comply with Canadian privacy laws, any Canadian vaccine passport scheme must establish its “necessity,” “effectiveness” and “proportionality” in the specific context of its use. In the Joint Statement, the Commissioners define these terms as follows:
- Necessity: vaccine passports must be necessary to achieve each intended public health purpose. Their necessity must be evidence-based and there must be no other less privacy-intrusive measures available and equally effective in achieving the specified purposes.
- Effectiveness: vaccine passports must be likely to be effective at achieving each of their defined purposes at the outset and must continue to be effective throughout their lifecycle.
- Proportionality: the privacy risks associated with vaccine passports must be proportionate to each of the public health purposes they are intended to address. The vaccine passport scheme should apply data minimization to collect, use or disclose the least amount of personal health information.
The Commissioners state that, for vaccine passports to take effect in a given industry, there must be proof of necessity, effectiveness and proportionality, and it should be constantly monitored. Governments and businesses must discontinue vaccine passport schemes if they’re determined to be no longer necessary, effective or proportional.
The Commissioners recommend that governments and businesses adopt vaccine passport schemes in accordance with clear legal authority. Such legal authority may come in the form of new or existing laws or health orders. Sufficiently clear legislation should be unambiguous and provide:
- The legal authority to request vaccine passports;
- To whom the authority is being granted; and
- Under what contexts the government or business may request vaccine passports.
For example, if business requires that individuals present vaccine passports to enter its premises or gain access to services, it must do so with the clear authority of a law or health order and only under the specific conditions set out in the law or health order.
For public bodies engaging in vaccine passport schemes, the Commissioners suggest that consent alone will not be enough under existing public sector privacy laws. Additionally, in situations where public bodies have a monopoly on the services that they provide, the consent of individuals to vaccine passport schemes may not be sufficiently meaningful to be valid. In the view of the Commissioners, public bodies adopting vaccine passport schemes should not rely solely upon consent for legal authority.
For businesses, in the absence of any clear legal directive or health order authorizing vaccine passport policies, the Commissioners contend that businesses should rely on existing privacy legislation. Under existing privacy legislation, consent may provide a sufficient legal basis for requesting patrons to present vaccine passports. However, such consent must meet the following conditions in order to be valid:
- Consent is voluntary and meaningful and based upon clear language describing the purpose for the request;
- The collection of information is necessary;
- The purpose must be reasonable and appropriate in the circumstances; and
- Individuals must have a true choice to consent (i.e. consent must not be a mandatory condition of service)
Core Elements for Vaccine Passports
The Joint Statement outlines the following core elements for public bodies and businesses to adopt vaccine passport schemes:
- Limiting Collection. Governments and businesses should: limit the collection and use of private information to specific purposes, prohibit the tracking of activities of individuals and also prohibit the sharing of national data across borders.
- Transparency. Canadians should be aware of how the public bodies and businesses handle their private information and why.
- Accountability. Governments should tailor laws to minimize the infringement of privacy rights. Canadians should know who to contact to attain information, request corrections to their information and direct inquiries and complaints to.
- Safeguards. Any information collected in administrating a vaccine passport scheme must have physical, technical and administrative safeguards in place to ensure the privacy of the information.
- Independent Oversight. Public bodies and businesses should consult Commissioners over the course of the development and implementation of any vaccine passport scheme. Public bodies and businesses should also conduct privacy assessments and Commissioners should review these assessments.
- Scope Limitation. Governments and businesses should destroy personal information collected during the administration of vaccine passport schemes, along with the vaccine passports, once the public health crisis is over.
The concept of vaccine passports currently remains theoretical. However, in the event that governments and businesses implement vaccine passports schemes, it is essential that they implement these schemes in accordance with applicable privacy laws. Organizations wishing to implement such schemes should seek legal advice at an early stage to ensure privacy is taken into consideration in the development of such schemes. This will usually involve a careful review of the privacy requirements and how they apply to a proposed scheme. Please see our previous posts for further information on the key requirements. MLT Aikins has assisted a number of organizations with completing similar assessments. Please contact a member of our privacy team if you would like to discuss.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.