By Julian Hayes, BCL Solicitors LLP

As the UK lockdown eases, the government is considering the introduction of time-limited COVID-status certification to help reopen the economy and society. Julian Hayes, partner & head of Data Protection at BCL Solicitors considers the implications.

As the UK lockdown eases, friends and relatives are reuniting, shops are once again welcoming customers, and beer gardens are full of chatter. With GDP down almost 10% in 2020 and many businesses still on their knees as a result of the emergency measures, the Government is keen to ensure that the current momentum continues and the exit from lockdown is irreversible. One method the UK administration – and others around the world – are considering is the introduction of time-limited COVID-status certification to help reopen the economy and society, reduce restrictions on social contact, and improve safety.

The proposal, apparently pitting long-cherished freedoms against safety, was welcomed by UK sports bodies and some entertainment venues keen for the return of the public ,but denounced by Church leaders and privacy campaign groups appalled at the prospect of a dystopian medical apartheid. Though popular opinion is broadly in favour of the plan, it raises serious ethical and practical issues; an adequate legal framework would be essential if such certificates are not to undermine privacy and do long-term damage to the social fabric of the UK.

What are COVID status certificates and why are they under consideration?

While the plan is still under development and separate schemes have been mooted for international travel and domestic purposes, the certificates would essentially record whether someone has been vaccinated, had a recent negative COVID test, or has immunity after recovering from the virus. There would also be exemptions for those who cannot be immunised and for whom repetitive testing would be difficult. The certificates would be shown and verified on entry to participating venues and used to facilitate travel overseas. Though digital and non-digital forms would be available, the Government is believed to have been exploring various technology to automate the process, including facial recognition and QR codes. It is believed the scheme would foster public confidence, encourage a return to normality, and promote vaccine take-up. Further, if the Government does not introduce national COVID-status certification, it expects private schemes will spring up to fill the void.

A slippery slope?

Proving vaccination status for international travel is not new but COVID status certificates for domestic purposes would be a radical departure. Critics raise a myriad of ethical objections but, at the heart of many of them lies the issue of consent. Though currently envisaged as voluntary and a way of opening up business and entertainment venues, detractors of the idea fear ‘scope creep’ – that domestic COVID status certificates would quickly become the unofficial ‘entry ticket’ to everything, from employment, to accommodation and even to dating. (Vaccination status is already touted as a ‘selling point’ on some Tinder and Bumble user profiles). In essence, opponents suggest, domestic COVID status certificates would become optional in name only, tacitly expected almost everywhere, and bringing fear of and social opprobrium on those unable or unwilling to comply. Moreover, while the Government intends to exempt essential public services, public transport and essential shops from the COVID certification scheme, these are some of the most crowded and therefore riskiest environments. It is easy to see how their exemption would be vulnerable to public pressure if an outbreak was traced back to one of them. Finally, if COVID status becomes certificated, how long before there are calls for the certification of other diseases, splintering society along health lines and unleashing untold discrimination not seen since the HIV and AIDS crisis of the 1980s.

Would they provide protection?

Despite such qualms, faced with exposure to potentially fatal illness, many people would readily trade ethical concerns in return for safety. But would that safety be real or a dangerous illusion? The duration of vaccine or antibody-conferred immunity is undetermined, vaccination is thought to curtail but not stop coronavirus transmission, and the efficacy of existing vaccines against emerging variants is unknown. What is more, the reliability of widely-used, self-administered lateral flow tests varies. Given this uncertain background, COVID-status certificates based on vaccines, naturally acquired antibodies or tests might well bolster public confidence, but cause people to lower their guard and neglect social distancing precautions, increasing infection levels. As the Prime Minister himself warned, “the reduction in hospitalisations, and in deaths, and in infections has not been achieved by the vaccination programme…it’s the lockdown that has been overwhelmingly important…” and the SAGE Group advising the Government has warned that relaxation of social distancing will “highly likely” lead to a wave of deaths on a par with the second wave.

The importance of an adequate legal framework

It is debatable whether any legal framework could entirely defend against the perils of scope creep or stigmatisation, nor could it hold in check unfounded confidence that the risk of infection was over. Without a legal framework, though, the chances of such outcomes would increase dramatically, with the added risk that the personal data processed in the scheme could be exploited for all manner of purposes not originally envisaged. 

Approaches to devising an adequate legal framework have varied geographically. While the US federal government has no plans to mandate a nationwide vaccine passport plan (and states such as Florida, Texas and Missouri have sought to ban them for domestic purposes), the Biden administration has been cautious, rejecting the idea of a national vaccination database but indicating its intention to set standards by producing guidelines to safeguard the privacy and rights of US citizens. 

The EU has been more specific, with the European Data Protection Board, comprising each Member State’s national data protection regulators, issuing a joint opinion with the EU Data Protection Supervisor on the Commission’s so-called ‘Digital Green Certificate’. The joint opinion warned that, to maintain citizens’ trust, the scheme must comply with the GDPR (including ensuring adequate data security), respect the EU Charter rights to private and family life and to the protection of their personal data, be non-discriminatory and be strictly time-limited to the duration of the pandemic. 

By contrast, the UK proposals, published in the Government’s roadmap review on 5 April and confirmed in a Ministerial written statement on 29 April, were relatively laissez faire, with a passing nod to equalities legislation but saying little more about the legal framework which should govern a COVID status scheme. Despite the Government’s reticence on the subject, the UK Information Commissioner (ICO) has confirmed her involvement in consultation over the scheme and warning that any UK scheme must comply with national data protection legislation, including the UK GDPR and Data Protection Act 2018 (DPA). The ICO emphasised in particular the need for transparency (being open and honest about why and how personal data is being processed), fairness (processing personal data only in ways people would expect), data minimisation (limiting the personal data processed to what is necessary) and storage limitation (not keeping the personal data for longer than necessary). In what might have been a veiled admonishment of the Government, the ICO warned of a need for “a strong line from leaders on what is and is not acceptable” if public trust in such schemes was not to be undermined. 

Whatever domestic COVID certification scheme (if any) ultimately emerges, a fundamental requirement under the UK GDPR will be that organisations using it have a lawful basis for processing sensitive health data about individuals. The UK GDPR prohibits the processing of such ‘special category personal data’ unless additional processing criteria are satisfied, for example, with the explicit consent of the data subject or where the processing is necessary in the interests of pubic health. In the context of COVID-status certificates, however, neither of these lawful bases for processing is straightforward. For example, to be valid consent must be “freely given” which cannot be the case if, in reality, the individual has Hobson’s choice and they would be turned away from a venue if they refuse their consent. Public health grounds may appear a firmer basis for processing special category personal data. However, under the DPA, this carries with it the requirement that it is carried out either by a health professional or another person “who owes a duty of confidentiality under an enactment or rule of law”. Venues using public health as a lawful basis for processing would therefore face strict duties of confidentiality if they wish to stay on the right side of the ICO.

Conclusion

Throughout the pandemic, the ICO has emphasised that data protection law is not a barrier to responsibly using personal data to combat the coronavirus; though not easy to navigate, there would be a legal route through it to using COVID status certificates to help lift the population from the malaise of the past thirteen months. Indeed, adherence to data protection principles may help to build public trust in the scheme and avoid abuses which might fatally damage the scheme. Ultimately, though, judging whether to use this technological tool throws up many risks and involves asking  – as the Information Commissioner put it – whether it would do what it says on the tin. Given the practical and ethical problems that arise with COVID status certification for domestic purposes, that may be a big ‘ask’.