As COVID-19 vaccination becomes required in more personal and professional contexts, several different frameworks have emerged that propose both guiding principles and technical requirements for vaccine verification systems, including those developed by the World Health Organization (WHO) and the Good Health Pass Collaborative (GHPC).

Digital vaccination certificates are electronic immunization records that function like paper vaccination records and are accessible to both the vaccinated person and those who need to verify the individual’s vaccine status.  The frameworks proposed by WHO and GHCP are not specific programs or applications, but rather a set of standards and protocols designed to create reliable, interoperable systems that can function across a variety of contexts and technologies.  The focus of these systems is simple verification of vaccination status; both emphasize that they are not designed to function as a “vaccine passport” or make determinations about what an individual can and cannot do based on their vaccination status.  They are also designed to be technology agnostic — to avoid creating or exacerbating inequities due to lack of access to specific software or technologies — and to balance potential harms, including privacy risks, against public health benefits.

The WHO’s Digital Documentation of COVID-19 Certificates: Vaccination Status is a guidance document specifically developed for WHO member states and their implementing partners that lays out the technical requirements for developing systems for issuing interoperable digital certificates for COVID-19 vaccination status.  The document describes two purposes for these systems: integration into an individual’s medical record to inform future healthcare decision-making, and proof of vaccination for purposes not related to healthcare, such as participation in work, travel, and recreational activities.

The WHO’s guidance includes a set of data protection principles as well as design considerations.  For example, the WHO recommends that when collecting or processing data for the purpose of vaccine verification, governments and their implementing partners should take into account principles like non-discrimination, transparency, and data minimization.  It also recommends allowing holders of a digital vaccination record to exercise data subject rights like access, correction, and deletion.  And it suggests that an independent public authority should be established to monitor adherence to these standards, including the ability to recommend revoking a data controller or processor’s authorization to collect or process such data.

The GHCP’s Interoperability Blueprint describes a set of interoperability specifications to allow airlines and governments to verify travelers’ COVID-19 status (proof of vaccination, testing, and recovery).  It is designed to enable verification while promoting core principles of privacy, security, user-control, and equity.  Developed by 120 expert volunteers from the health, travel, and technology sectors, the GHCP blueprint emphasizes transparency and data minimization.  One key reason for its development is that existing healthcare data exchange standards were created for healthcare use cases and for exchange between regulated entities, not for the broader process or reopening economies and facilitating global travel.

For additional insight into the legal, regulatory, and commercial issues raised by COVID-19, visit Covington’s COVID-19 Legal and Business Tool Kit.

Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”