As COVID-19 vaccination becomes required in more personal and professional contexts, several different frameworks have emerged that propose both guiding principles and technical requirements for vaccine verification systems, including those developed by the World Health Organization (WHO) and the Good Health Pass Collaborative (GHPC).
Digital vaccination certificates are electronic immunization records that function like paper vaccination records and are accessible to both the vaccinated person and those who need to verify the individual’s vaccine status. The frameworks proposed by WHO and GHCP are not specific programs or applications, but rather a set of standards and protocols designed to create reliable, interoperable systems that can function across a variety of contexts and technologies. The focus of these systems is simple verification of vaccination status; both emphasize that they are not designed to function as a “vaccine passport” or make determinations about what an individual can and cannot do based on their vaccination status. They are also designed to be technology agnostic — to avoid creating or exacerbating inequities due to lack of access to specific software or technologies — and to balance potential harms, including privacy risks, against public health benefits.
The WHO’s Digital Documentation of COVID-19 Certificates: Vaccination Status is a guidance document specifically developed for WHO member states and their implementing partners that lays out the technical requirements for developing systems for issuing interoperable digital certificates for COVID-19 vaccination status. The document describes two purposes for these systems: integration into an individual’s medical record to inform future healthcare decision-making, and proof of vaccination for purposes not related to healthcare, such as participation in work, travel, and recreational activities.
The WHO’s guidance includes a set of data protection principles as well as design considerations. For example, the WHO recommends that when collecting or processing data for the purpose of vaccine verification, governments and their implementing partners should take into account principles like non-discrimination, transparency, and data minimization. It also recommends allowing holders of a digital vaccination record to exercise data subject rights like access, correction, and deletion. And it suggests that an independent public authority should be established to monitor adherence to these standards, including the ability to recommend revoking a data controller or processor’s authorization to collect or process such data.
The GHCP’s Interoperability Blueprint describes a set of interoperability specifications to allow airlines and governments to verify travelers’ COVID-19 status (proof of vaccination, testing, and recovery). It is designed to enable verification while promoting core principles of privacy, security, user-control, and equity. Developed by 120 expert volunteers from the health, travel, and technology sectors, the GHCP blueprint emphasizes transparency and data minimization. One key reason for its development is that existing healthcare data exchange standards were created for healthcare use cases and for exchange between regulated entities, not for the broader process or reopening economies and facilitating global travel.
For additional insight into the legal, regulatory, and commercial issues raised by COVID-19, visit Covington’s COVID-19 Legal and Business Tool Kit.