On May 19, 2021, the federal, provincial and territorial Privacy Commissioners issued a joint statement providing guidance to the government and businesses on how to implement a vaccine passport program that respects and protects the privacy rights of Canadians, and travellers to Canada.
A vaccine passport – whether a digital or paper certificate – would provide verification that the holder has received their vaccination against COVID-19. The vaccine passport would be required to travel, and could also be required by private enterprises to gain entry to venues or receive services. In order for the program to work, Canadians would have to share personal health information – their immunity/vaccine status – with the government and businesses that adopted a vaccine passport program.
As noted by the Privacy Commissioners, if proven effective, vaccine passports could be a tool that allows for an increase in where Canadians are able to go, a decrease in COVID-19 restrictions, and an accelerated reopening of the economy. The evidence is still out on whether a vaccine passport will be effective in achieving its purposes.
The Privacy Commissioners stressed “the necessity, effectiveness and proportionality of vaccine passports must be established for each specific context in which they will be used.” The following guidance was offered:
- Necessity: vaccine passports must be necessary to achieve each intended public health purpose. Their necessity must be evidence-based and there must be no other less privacy-intrusive measures available and equally effective in achieving the specified purposes.
- Effectiveness: vaccine passports must be likely to be effective at achieving each of their defined purposes at the outset and must continue to be effective throughout their lifecycle.
- Proportionality: the privacy risks associated with vaccine passports must be proportionate to each of the public health purposes they are intended to address. Data minimization should be applied so that the least amount of personal health information is collected, used or disclosed.
The necessity, effectiveness and proportionality of vaccine passports will have to be continually evaluated and the program halted if it is no longer necessary, effective or proportional to the privacy infringement created.
At this time, there is no legislation that would permit a private business to implement a vaccine passport program. A business will have to rely on an individual’s consent, in compliance with privacy legislation, to collect the personal health information contained in the vaccine passport. In order for businesses to comply with their legislated privacy obligations, the vaccine passport program must meet the following conditions:
- Consent must be voluntary and meaningful, based on clear and plain language describing the specific purpose to be achieved;
- The information must be necessary to achieve the purpose;
- The purpose must be one that a reasonable person would consider appropriate in the circumstances; and,
- Individuals must have a true choice: consent must not be required as a condition of service.
There may be a desire to require clients and staff to show their vaccine passport in order to enter workplaces, stores and restaurants, or receive services in person. Businesses may feel this is a way to convey to their clientele and employees that they are providing a safe environment to shop, eat or work. Before a business implements a vaccine passport program, an evaluation of the necessity, effectiveness and proportionality of the program must be undertaken. Such a program may attract complaints to the Human Rights Tribunal or the Office of the Privacy Commissioner. A detailed and documented privacy impact assessment, which considers each of the criteria recommended by the Privacy Commissioners should be completed.
The Lerners Privacy, Data and Information Security Group can help businesses develop and implement a vaccine passport program that respects the privacy rights of clients and staff.