Federal, provincial and territorial privacy commissioners have released a joint statement on privacy considerations for the development of vaccine passport frameworks. Talk of "vaccine passports" has recently increased as more Canadians receive their COVID-19 vaccinations. While the Canadian government has signalled a willingness to introduce vaccine passports for international travel, it remains unclear whether a similar system will be implemented domestically, and if so, in which provinces. In this vacuum, businesses are increasingly considering asking both customers and employees for proof of vaccination as part of their health and safety and return to site planning.

What you need to know

  • A vaccine passport is a centralized means of proving a person has been vaccinated. It is only one form of proof of vaccination. Vaccine passport systems in the European Union and elsewhere could inform what a Canadian vaccine passport may look like.
  • In contrast, business-specific proof of vaccination programs are not centralized, but rather based on collecting data directly from individuals.
  • Businesses should consider a wide range of factors in their privacy risk analysis before implementing a proof of vaccination program. These include:
    • whether the program is optional or mandatory;
    • the rationale for the collection of vaccination status information and the availability of alternative health-protective measures;
    • access, discrimination, and human rights concerns; and
    • the means of proof and validation.
  • In such dynamic circumstances, businesses should be prepared to revisit their risk analysis as the factual and regulatory landscape changes.

Primer on vaccine passports

Proof of vaccination vs. vaccine passports

A vaccine passport is a commonly accepted means of proving a person's vaccination status. An individual can provide proof of vaccination in a number of forms, such as through a signed letter from a doctor, a certificate from a vaccination provider, or personal attestation. However, some countries have implemented, or are considering implementing, vaccine passports: a uniform, commonly accepted means of proving vaccination status, typically in a form set out or managed by a single organizing body. Vaccine passports can come as either a digital or hard copy certificate, though current discussions tend to focus on the former. Vaccine passports can also differ in their scope of application, such as whether they are limited to international travel contexts or are also used to obtain domestic services such as entering a business.

Current vaccine passport systems and proposals

Israel's Health Ministry has implemented the "Green Pass", a vaccination certificate that users can share through a personalized QR code in the Ramzor app. A Green Pass is required to enter gyms, hotels, theatres and concerts, but is not required for other activities, including visiting malls and museums.

Vaccine passports can certify other COVID-19-related information too. For example, the European Union is currently developing a "Digital Green Certificate", which could serve as digital proof of vaccination, a negative test result, or recovery from COVID-19. The Digital Green Certificate would also use a QR code stored on a mobile device, but citizens would also be able to request a paper copy. Member states including France and Denmark have begun testing apps that would integrate with the Digital Green Certificate. If approved, such apps would likely allow vaccinated users to travel without having to quarantine upon arrival in a new EU country.

Non-state actors are also developing vaccine passport apps. While the U.S. government intends to implement paper-only "report cards" showing proof of vaccination, New York State is already using the Excelsior app, developed by IBM, to confirm vaccination status for attendees at sporting events. The International Air Transport Association has also developed an app that allows passengers to share test results and vaccination details required for international travel.

Vaccine passports in Canada: What we (don't) know

Canada's Health Minister recently said that the federal government embraces the concept of vaccine passports and will be developing a form of certification to enable vaccinated Canadians to travel internationally. It would be unsurprising if such a system was designed to be aligned with the EU's Digital Green Certificate. At the very least, the Canadian system would be designed to certify one or more of the Digital Green Certificate data fields (proof of vaccination, a negative test result, or recovery from COVID-19).

The federal government has also signaled that it has no intention to develop or impose a vaccine passport for domestic use. This leaves open at least two possible alternatives: one or more domestic vaccine passports developed by the provinces, or provincial adoption of the federal vaccine passport for domestic purposes. News reports have indicated that Ontario is considering some form of digital certification, though few details are currently available.

On May 19, 2021, the federal, provincial and territorial privacy commissioners released a joint statement on privacy considerations for the development of vaccine passport frameworks for both governments and businesses (Commissioner Joint Statement). The Commissioner Joint Statement is indicative of privacy regulators' heightened awareness of the privacy impacts of vaccine passports and the collection of proof of vaccination information.

Collecting proof of vaccination: Privacy considerations for businesses

In the current absence of national vaccine passports in Canada and the U.S., businesses are considering their own programs for collecting proof of vaccination information from employees and customers. Vaccination status and similar COVID-19-related information will typically be considered sensitive personal information and therefore engage a number of privacy law requirements.

As a preliminary matter, businesses should determine whether their proposed program to collect proof of vaccination information will apply to employees, customers, or both. This determination impacts what privacy, employment, or other legislation applies to the program. For example, collecting vaccination information from employees may engage employment and human rights laws, but may not engage privacy legislation in certain jurisdictions. Even where businesses are not required to comply with statutory privacy law in the employment context, they should ensure their proof of vaccination programs conform with the broadly established privacy principles and guidelines outlined by privacy regulators. This will enable businesses to meet privacy requirements under the common law, and to mitigate against reputational and employee morale concerns.

Under the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and equivalent provincial legislation, a business that requests personal information must show 1) that the requested disclosure serves a bona fide business interest (i.e., is necessary), and 2) that the loss of privacy is proportionate to the benefit gained. Vaccines' effectiveness at preventing symptoms and preventing transmission to others will be important to the rationale underlying both necessity and proportionality. The evidence of vaccine effectiveness at preventing COVID-19 symptoms is well established. On prevention of transmission, the Commissioner Joint Statement says: "So far we have not been presented with evidence of vaccine effectiveness to prevent transmission, although members of the scientific community have indicated that this may be forthcoming".

The primary factors to consider in assessing and implementing a proof of vaccination program as they relate to Canadian privacy law requirements are set out below.

Optional vs. mandatory

Whether a proof of vaccination program is optional or mandatory is one of the most significant factors to consider. Privacy legislation generally only permits businesses to require individuals to consent to the collection, use or disclosure of personal information where the information is necessary to fulfill the business' explicit and legitimate purposes. A mandatory program would therefore represent higher risk where a business cannot demonstrate why the information is necessary.

Employees

Employers subject to privacy legislation intending to require employees to share proof of, or report on, their COVID-19 vaccination status—particularly as a precondition to returning to a place of work—will need to be able to show why this requirement is necessary and proportionate. Accordingly, employers first need to seriously consider whether they want to require employees to receive the vaccine or to just disclose their vaccination status. Requiring proof that an employee has received the vaccine is less controversial from a privacy perspective than mandating vaccinations.

Having said that, requiring an employee to disclose their vaccination status as part of a returning to work program still raises privacy concerns, which must be balanced against an employer's health and safety obligations. In such circumstances, employers will need to establish how the collection and use of the data (vaccination status) is fair, necessary and relevant for a specific purpose. An employer's reason for recording its employees' vaccination status must be clear and compelling. If the employer is not able to establish a specified purpose for the collection and use of the information, and is recording it on a "just in case" basis, or if the employer can achieve its goal without collecting this information (e.g., via social distancing and masking), it is unlikely that an employer will be able to justify collecting the vaccination status information in the first place. The Commissioner Joint Statement notes that while currently unconfirmed, evidence that vaccinated individuals are significantly less likely to transmit the disease to others may be forthcoming. Accordingly, it is currently unconfirmed that ensuring employees are vaccinated (or receiving information about their vaccination status) will materially increase the health and safety of the workplace.

In contrast, scenarios where employers provide employees with a meaningful choice of whether to share this information (e.g., voluntary self-reporting of vaccination status) are likely to attract less privacy regulatory risk. Optional employee disclosure could still provide employers with meaningful insight into the employer's risk profile and their ability to meet customer needs.

Whether an employer requires an employee to be vaccinated, requires an employee to disclose their vaccination status, or provides employees with the option of disclosing their vaccination status, employers must still be alive to their obligations under human rights laws, as discussed in further detail below.

Customers

Canadian authorities have given divergent answers on whether businesses can require proof of vaccination as a condition of entry. Manitoba Health Minister Heather Stefanson has stated that businesses "should not be requesting proof of immunization for any purpose", while Ontario Health Minister Christine Elliott has acknowledged that providing proof of vaccination will likely be an important part of safely reopening spaces where social distancing is impossible or undesirable.

Requiring proof of vaccination from customers is likely lower risk than doing so for employees (assuming privacy legislation is equally applicable) because the consequences of refusal are, on balance, less significant for customers. Many businesses also offer goods and services through online or no-contact channels as alternatives, which reduces the risk that such a requirement is truly a condition of service. That said, businesses will still need to demonstrate why the measure is necessary and proportionate to the degree it is mandatory. Certain industries, such as live entertainment, may have a clearer purpose for requiring proof of vaccination than other industries.

An optional program for customers will still be significantly lower risk than a mandatory one. An optional program could (subject to public health guidance) provide an individual with alternative ways to limit their risk of contracting or transmitting the virus if they do not wish to share their vaccine status information.

Businesses implementing a proof of vaccination requirement must be cognizant of their obligations under human rights laws.

Access, discrimination and human rights concerns

Before implementing a proof of vaccination program, businesses should consider the potential impact on marginalized groups that experience more difficulty accessing the vaccine, as well as those who cannot or decide not to get vaccinated on the basis of a prohibited ground of discrimination (e.g., an allergy or a religious objection to vaccination).

To the extent that the proof of vaccination program will result in differential treatment of unvaccinated employees, employers will need to consider how to accommodate employees who cannot or decide not to be vaccinated on the basis of their protected characteristics. Similarly, employers should be alive to the fact that treating unvaccinated employees differently (e.g., not allowing unvaccinated employees to return to corporate facilities) can have the effect of "outing" individuals who cannot, or decide not, to be vaccinated. This can result in workplace bullying or ostracization, potentially on the basis of a prohibited ground of discrimination.

Human rights legislation also affords individuals protection from discrimination in the area of goods, services and facilities. Accordingly, if a proof of vaccination program will result in differential treatment of unvaccinated customers, businesses will need to consider how to accommodate customers who cannot or choose not to be vaccinated on the basis of a prohibited ground of discrimination.

Collecting or using personal information to further unfair, unethical or discriminatory treatment contrary to human rights laws is also one of the "no-go zones" identified by the Office of the Privacy Commissioner of Canada that would presumptively violate PIPEDA. The European Data Protection Supervisor recently identified such a risk with requiring proof of vaccination. In Israel, where the Green Pass system is already in effect, critics are concerned about a two-tiered system where only those who are vaccinated can access certain services.

Means of proof and validation

Businesses should consider the means by which they will allow individuals to provide evidence of vaccination—at least until federal and provincial governments have set a common standard. Here, there is a tension between the accuracy and reliability of the information being collected and the potential intrusiveness of the collection itself. Certain methods of proof, such as self-reporting and certificates vulnerable to forgeries, will be less reliable but may reduce privacy compliance risk. Businesses will have to weigh the risks of receiving inaccurate information against the invasiveness of more reliable methods.

Businesses should also consider ways to limit the information they collect and retain. For example, the Saskatchewan Privacy Commissioner has noted that the least privacy intrusive approach to validate employee vaccination status is to request to view a vaccination status without retaining any of the information. A slightly more intrusive approach is to maintain an employee list of who has shown a vaccination certificate, reducing the need to continually ask to view the certificate. Practically, many employees may be willing to voluntarily disclose their vaccination status if it is simply a "yes" or "no" response, without the requirement to provide proof of receiving the vaccination.

The means of validation (i.e., collecting and assessing the proof of vaccination) should also be done privately to the extent it is practicable.

Other proper privacy practices

Businesses should keep in mind that a number of other privacy law requirements and best practices apply equally to vaccination status as they would any other type of sensitive personal information. As such, businesses should ensure they are implementing proper privacy protocols, including:

  • documenting a defined purpose and authority for the collection and use of this information. This can be done by undertaking a privacy impact assessment;
  • obtaining meaningful consent to collect the information, and being transparent about the rationale for collecting the information, how the information will be handled, and whether there could be any negative consequences if individuals decline to share this information;
  • avoiding the over-collection of information, such as unnecessary data fields;
  • limiting access to the information to those who require it;
  • ensuring the information is only disclosed or otherwise used for the reasons it was collected;
  • ensuring the information is properly protected against unauthorized access;
  • retaining the information only for as long as required (if at all) and securely deleting the information afterwards; and
  • considering whether employee vaccination status (and/or proof thereof) information is necessary for maintaining a safe work environment—and if an employee declines to share their status, whether that individual's privacy choice can be accommodated through alternative means.

Importance of a dynamic analysis

As the situation on vaccinations and vaccine passports will continue to evolve, so too will businesses' risk analyses. Guidance from privacy regulators, health officials and other government bodies—not to mention legislation explicitly authorizing or requiring collection of proof of vaccination—will impact the factors discussed above. Emerging evidence on the efficacy of vaccines with respect to emerging variants of concern and transmissibility will also impact a business' risk analysis. Businesses should therefore be prepared to revisit their previous analyses as new information becomes available.
