Proof of vaccination: privacy considerations for businesses

Talk of vaccine passports has increased as more Canadians receive their COVID-19 vaccinations.

While the Canadian government recently launched a vaccine passport for international travel, the landscape of domestic vaccine passport systems remains unclear. In this vacuum, Canadian businesses are increasingly considering asking both customers and employees for proof of vaccination as part of their health and safety and return-to-site planning.

Canadian businesses looking to introduce a proof of vaccination program will need to consider a wide range of factors, including whether the program is optional or mandatory, the potential benefits of alternative health-protection measures, and potentially discriminatory effects. Businesses with operations in the U.S. should also consider how such a program aligns with federal and state-level requirements. As the regulatory landscape changes on both sides of the border, and as the scientific community’s understanding of COVID-19 evolves, businesses should be prepared to revisit their risk assessments.

Primer on vaccine passports

Proof of vaccination vs. vaccine passports

A vaccine passport is a commonly accepted means of proving a person’s vaccination status. It is only one form of proof of vaccination. An individual can provide proof of vaccination in a number of forms, such as through a signed letter from a doctor, a certificate from a vaccination provider, or personal attestation. However, some countries have implemented, or are considering implementing, vaccine passports: a uniform, commonly accepted means of proving vaccination status, typically in a form set out or managed by a single organizing body. Vaccine passports can come as either a digital or hard copy certificate, though current discussions tend to focus on the former. Vaccine passports can also differ in their scope of application, such as whether they are limited to international travel contexts or are also used to obtain domestic services such as entering a business.

Current vaccine passport systems and proposals

One example of a domestic vaccine passport is Israel’s Health Ministry’s “Green Pass”, a vaccination certificate that users can share through a personalized QR code in the Ramzor app. A Green Pass was previously required to enter gyms, hotels, theatres and concerts, but Israel retired the system in June when it lifted most of its pandemic restrictions. Note that other jurisdictions, most notably some U.S. states, have taken steps to ban the use of vaccine passports.

Vaccine passports can certify other COVID-19-related information too. For example, the European Union recently began issuing “Digital Green Certificates” to share proof of vaccination, a negative test result, or recovery from COVID-19. Holders of Digital Green Certificates (in the form of a QR code stored on a mobile device or paper copy) enjoy increased freedom to travel to other Member States.

Non-state actors are also developing vaccine passport apps. New York State is already using two privately developed apps, IBM’s Excelsior and CLEAR’s Health Pass, to confirm customer vaccination status for indoor dining and entertainment. The International Air Transport Association has also developed an app that allows passengers to share test results and vaccination details required for international travel.

Vaccine passports in Canada and abroad: What we (don’t) know

The Canadian government recently lifted quarantine requirements for citizens and permanent residents who provide proof of vaccination when returning to the country. To obtain the exemption, travellers must meet all entry requirements and use the ArriveCAN app to upload documents showing full vaccination status prior to arrival at the border. Efforts are underway to integrate the program with international partners: Canada’s Health Minister Patty Hajdu has been meeting with health officials from other G7 countries to discuss the possibility of a standardized approach to vaccine passports or a system of mutual recognition.

The Canadian government has signaled that it has no intention to develop or impose a vaccine passport for domestic use, but some provinces have begun developing their own programs. Manitoba is now issuing immunization cards, available in digital and physical forms, that allow fully vaccinated Manitobans to travel within Canada without having to quarantine upon return. Holders will also be allowed to visit fully vaccinated patients in health-care facilities. Québec has announced work on a digital vaccine passport system which it expects to use to limit access to certain non-essential services and activities. The Québec government says that it is targeting a September 1, 2021 rollout date and that its exact use will depend on the epidemiological situation at the time. Ontario, on the other hand, recently announced that it will not be implementing a vaccine passport system (aside from paper or electronic receipts provided), leaving it to businesses to determine whether they should implement their own proof of vaccination requirements. Alberta and Saskatchewan have similarly announced that they do not intend to implement vaccine passport systems.

On May 19, 2021, the federal, provincial and territorial privacy commissioners released a joint statement on privacy considerations for the development of vaccine passport frameworks for both governments and businesses (Commissioner Joint Statement). The Commissioner Joint Statement is indicative of privacy regulators’ heightened awareness of the privacy impacts of vaccine passports and the collection of proof of vaccination information.

Collecting proof of vaccination: Privacy considerations for businesses in Canada

In the current absence of national vaccine passports in Canada, businesses are considering their own programs for collecting proof of vaccination information from employees and customers. Vaccination status and similar COVID-19-related information will typically be considered sensitive personal information and therefore engage a number of privacy law requirements.

As a preliminary matter, businesses should determine whether their proposed program to collect proof of vaccination information will apply to employees, customers, or both. This determination impacts what privacy, employment, or other legislation applies to the program. For example, collecting vaccination information from employees may engage employment and human rights laws, but may not engage privacy legislation in certain jurisdictions. Even where businesses are not required to comply with statutory privacy law in the employment context, they should ensure their proof of vaccination programs conform with the broadly established privacy principles and guidelines outlined by privacy regulators. This will enable businesses to meet privacy requirements under the common law, and to mitigate against reputational and employee morale concerns.

Under the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and equivalent provincial legislation, a business that requests personal information must show 1) that the requested disclosure serves a bona fide business interest (i.e., is necessary), and 2) that the loss of privacy is proportionate to the benefit gained. Vaccines’ effectiveness at preventing symptoms and preventing transmission to others will be important to the rationale underlying both necessity and proportionality. The evidence of vaccine effectiveness at preventing COVID-19 symptoms is well established. On prevention of transmission, the Commissioner Joint Statement says: “So far we have not been presented with evidence of vaccine effectiveness to prevent transmission, although members of the scientific community have indicated that this may be forthcoming”.

The primary factors to consider in assessing and implementing a proof of vaccination program as they relate to Canadian privacy law requirements are set out below.

Optional vs. mandatory

Whether a proof of vaccination program is optional or mandatory is one of the most significant factors to consider. Privacy legislation generally only permits businesses to require individuals to consent to the collection, use or disclosure of personal information where the information is necessary to fulfill the business’ explicit and legitimate purposes. A mandatory program would therefore represent higher risk where a business cannot demonstrate why the information is necessary.

Employees

Employers subject to privacy legislation intending to require employees to share proof of, or report on, their COVID-19 vaccination status—particularly as a precondition to returning to a place of work—will need to be able to show why this requirement is necessary and proportionate. Accordingly, employers first need to seriously consider whether they want to require employees to receive the vaccine or to just disclose their vaccination status. Requiring proof that an employee has received the vaccine is less controversial from a privacy perspective than mandating vaccinations.

Having said that, requiring an employee to disclose their vaccination status as part of a return-to-work program still raises privacy concerns, which must be balanced against an employer’s health and safety obligations. In such circumstances, employers will need to establish how the collection and use of the data (vaccination status) is fair, necessary and relevant for a specific purpose. An employer’s reason for recording its employees’ vaccination status must be clear and compelling. If the employer is not able to establish a specified purpose for the collection and use of the information, and is recording it on a “just in case” basis, or if the employer can achieve its goal without collecting this information (e.g., via social distancing and masking), it is unlikely that an employer will be able to justify collecting the vaccination status information in the first place. The Commissioner Joint Statement notes that while currently unconfirmed, evidence that vaccinated individuals are significantly less likely to transmit the disease to others may be forthcoming. Accordingly, it is currently unconfirmed that ensuring employees are vaccinated (or receiving information about their vaccination status) will materially increase the health and safety of the workplace.

In contrast, scenarios where employers provide employees with a meaningful choice of whether to share this information (e.g., voluntary self-reporting of vaccination status) are likely to attract less privacy regulatory risk. Optional employee disclosure could still provide employers with meaningful insight into the employer’s risk profile and their ability to meet customer needs.

Whether an employer requires an employee to be vaccinated, requires an employee to disclose their vaccination status, or provides employees with the option of disclosing their vaccination status, employers must still be alive to their obligations under human rights laws, as discussed in further detail below.

Customers

Canadian authorities have given divergent answers on whether businesses can require proof of vaccination as a condition of entry. Manitoba Health Minister Heather Stefanson has stated that businesses “should not be requesting proof of immunization for any purpose”, while Ontario Health Minister Christine Elliott has acknowledged that providing proof of vaccination will likely be an important part of safely reopening spaces where social distancing is impossible or undesirable.

Requiring proof of vaccination from customers is likely lower risk than doing so for employees (assuming privacy legislation is equally applicable) because the consequences of refusal are, on balance, less significant for customers. Many businesses also offer goods and services through online or no-contact channels as alternatives, which reduces the risk that such a requirement is truly a condition of service. That said, businesses will still need to demonstrate why the measure is necessary and proportionate to the degree it is mandatory. Certain industries, such as live entertainment, may have a clearer purpose for requiring proof of vaccination than other industries.

An optional program for customers will still be significantly lower risk than a mandatory one. An optional program could (subject to public health guidance) provide an individual with alternative ways to limit their risk of contracting or transmitting the virus if they do not wish to share their vaccine status information.

Businesses implementing a proof of vaccination requirement must be cognizant of their obligations under human rights laws.

Access, discrimination and human rights concerns

Before implementing a proof of vaccination program, businesses should consider the potential impact on marginalized groups that experience more difficulty accessing the vaccine, as well as those who cannot or decide not to get vaccinated on the basis of a prohibited ground of discrimination (e.g., an allergy or a religious objection to vaccination).

To the extent that the proof of vaccination program will result in differential treatment of unvaccinated employees, employers will need to consider how to accommodate employees who cannot or decide not to be vaccinated on the basis of their protected characteristics. Similarly, employers should be alive to the fact that treating unvaccinated employees differently (e.g., not allowing unvaccinated employees to return to corporate facilities) can have the effect of “outing” individuals who cannot be, or decide not to be, vaccinated. This can result in workplace bullying or ostracization, potentially on the basis of a prohibited ground of discrimination.

Human rights legislation also affords individuals protection from discrimination in the area of goods, services and facilities. Accordingly, if a proof of vaccination program will result in differential treatment of unvaccinated customers, businesses will need to consider how to accommodate customers who cannot or choose not to be vaccinated on the basis of a prohibited ground of discrimination.

Collecting or using personal information to further unfair, unethical or discriminatory treatment contrary to human rights laws is also one of the “no-go zones” identified by the Office of the Privacy Commissioner of Canada that would presumptively violate PIPEDA. The European Data Protection Supervisor recently identified such a risk with requiring proof of vaccination. In Israel, where the Green Pass system is already in effect, critics are concerned about a two-tiered system where only those who are vaccinated can access certain services.

Means of proof and validation

Businesses should consider the means by which they will allow individuals to provide evidence of vaccination—at least until federal and provincial governments have set a common standard. Here, there is a tension between the accuracy and reliability of the information being collected and the potential intrusiveness of the collection itself. Certain methods of proof, such as self-reporting and certificates vulnerable to forgeries, will be less reliable but may reduce privacy compliance risk. Businesses will have to weigh the risks of receiving inaccurate information against the invasiveness of more reliable methods.

Businesses should also consider ways to limit the information they collect and retain. For example, the Saskatchewan Privacy Commissioner has noted that the least privacy intrusive approach to validate employee vaccination status is to request to view a vaccination status without retaining any of the information. A slightly more intrusive approach is to maintain an employee list of who has shown a vaccination certificate, reducing the need to continually ask to view the certificate. Practically, many employees may be willing to voluntarily disclose their vaccination status if it is simply a “yes” or “no” response, without the requirement to provide proof of receiving the vaccination.

The means of validation (i.e., collecting and assessing the proof of vaccination) should also be done privately to the extent it is practicable.

Other proper privacy practices

Businesses should keep in mind that a number of other privacy law requirements and best practices apply equally to vaccination status as they would to any other type of sensitive personal information. As such, businesses should ensure they are implementing proper privacy protocols, including:

  • documenting a defined purpose and authority for the collection and use of this information. This can be done by undertaking a privacy impact assessment;
  • obtaining meaningful consent to collect the information, and being transparent about the rationale for collecting the information, how the information will be handled, and whether there could be any negative consequences if individuals decline to share this information;
  • avoiding the over-collection of information, such as unnecessary data fields;
  • limiting access to the information to those who require it;
  • ensuring the information is only disclosed or otherwise used for the reasons it was collected;
  • ensuring the information is properly protected against unauthorized access;
  • retaining the information only for as long as required (if at all) and securely deleting the information afterwards; and
  • considering whether employee vaccination status (and/or proof thereof) information is necessary for maintaining a safe work environment—and if an employee declines to share their status, whether that individual’s privacy choice can be accommodated through alternative means.

Alignment for businesses with U.S. operations

For businesses seeking to align their proof of vaccination programs in Canada with their U.S. operations, U.S. federal law does not currently prohibit the collection of vaccination status information from employees or customers.

However, businesses seeking U.S. program alignment should closely assess state laws governing vaccine passports and proof of vaccination. Some states have banned government entities from issuing vaccine passports, while others have banned, or introduced legislation banning, businesses from requiring proof of vaccination from customers. Pending legislation in some states would also ban employers from requiring employees to show proof of vaccination. Businesses should also be mindful of requirements imposed by state privacy and data security laws.

Importance of a dynamic analysis

As the situation on vaccinations and vaccine passports will continue to evolve, so too will businesses’ risk analyses. Guidance from privacy regulators, health officials and other government bodies—not to mention legislation explicitly authorizing or requiring collection of proof of vaccination—will impact the factors discussed above. Emerging evidence on the efficacy of vaccines with respect to emerging variants of concern and transmissibility will also impact a business’ risk analysis. Businesses should therefore be prepared to revisit their previous analyses as new information becomes available.
