COVID vaccine passports will fail unless government wins public trust, ICO warns

Plans to introduce COVID-19 vaccine certification won’t work in practice unless ministers make efforts to earn public trust, the head of the Information Commissioner’s Office (ICO) has claimed.

The government is considering developing a form of vaccine passport to help businesses and wider society safely open up as restrictions continue to ease, in the form of Digital ID that can be used to access services or gain entry into businesses.

Any such programme, however, whether developed by the government or a private company, will require the buy-in of the wider public in order to function as intended, the information commissioner Elizabeth Denham has warned. It also isn't good enough to simply expect trust or adoption based on what the wider social benefits may be.

“The obvious benefits of data-driven innovation in both the public and the private sectors rely on trust, and we’ve seen that clearly over the past year, from contact tracing apps to data-sharing to help vulnerable people who are shielding,” Denham said, speaking at the 2021 Data Protection Practioner's Conference.

“The example that’s dominating the headlines now of domestic vaccine certificates is another good example. The success of any COVID status scheme will rely on people trusting it, and that means having confidence in how the scheme would use their personal information.”

She claimed that although there are concerns, developers involved in building the contact tracing apps across the UK, including the devolved nations, had previously shown a keen interest in maintaining user privacy at every stage. There was also a real recognition of the value of public trust and engagement, she added, although that doesn't mean public trust can be taken for granted in future.

“There is simply not an option today for any organisation,” she continued, “public or private sector, to say "how we use data is complex, but this service is important, so just trust us". And that applies just as much to COVID status certificates, as it does to social media companies or app developers.”

For months, the government has been toying with the idea of rolling out a form of digital certificate that people must present to prove they’ve been vaccinated, or have recently returned a negative test, as restrictions lift.

While it’s a highly contentious measure, transport secretary Grant Shapps confirmed plans were underway to integrate this so-called vaccine passport feature into the NHS app. Digital privacy experts have previously urged caution due to concerns that any data collected may be used beyond the scope and timeline of the pandemic.

Similar warnings were sounded in the lead up to the rollout of the NHS COVID-19 app as well as the manual NHS Test and Trace programme. The key charge was that uptake would not be high enough for these schemes to work if the public’s trust wasn’t secured.

The NHS COVID-19 app, for example, underwent a rocky development process and may have risked losing trust among the public as a result.

Ministers were keen at first on developing a centralised version rather than relying on the decentralised blueprint provided by Google and Apple. This is because the government’s original plans involved collecting location data to map areas with high infection rates. These efforts were abandoned, however, due to security issues and bugs, and the government instead opted to develop an app based around the decentralised model.

The manual NHS Test and Trace programme, too, raised eyebrows when it was launched without officials having conducted a data protection impact assessment (DPIA). Alleged shortcomings in the way the project has been managed have also resulted in privacy campaigners taking legal action against the programme.

Details around the incoming vaccine passport scheme are scarce, including when it may launch. However, it’s widely expected to be an important step in the government’s post-COVID roadmap.