Skip Navigation

COVID-19 Vaccination Passports and Digital Privacy

By Alexandra Luchenko and Konrad Spurek (Articling student)
October 19, 2021

The COVID-19 pandemic has brought about a wave of government-led public health measures including vaccine passport regimes with implications for digital privacy, as identified by Canada’s Federal, Provincial and Territorial Privacy Commissioners (the Privacy Commissioners).

This bulletin surveys the current vaccine passport regimes in British Columbia, Alberta, Ontario and Quebec, highlighting certain privacy and cybersecurity implications of each.

BACKGROUND

Vaccine passports can take many forms. While some are paper based, many are digital, such as downloadable Quick Response (QR) code applications on mobile devices. Whichever form they take, vaccine passports require the collection, use, storage and disclosure of personal information. The Privacy Commissioners have expressed reservations with the data security consequences of vaccine passports and their compliance with current privacy laws.

Before the introduction of any vaccine passport regimes in Canada, the Privacy Commissioners released a Joint Statement on Privacy and COVID-19 Vaccine Passports. The statement noted the privacy implications and risks associated with requiring individuals to disclose sensitive personal health information when accessing goods and services.

In particular, the statement stressed the importance of establishing the necessity, effectiveness and proportionality of vaccine passports for each context in which they will be used. Specifically, the Privacy Commissioners stated vaccine passports must be:

  • Necessary to achieve a stated public health purpose;

  • Effective at achieving the desired public health purpose; and

  • Proportional with the privacy risks associated with vaccine passports.

VACCINE PASSPORT REGIMES

Since September 2021, individuals in British Columbia, Ontario and Quebec have been required to show proof of vaccination before entering various non-essential locations, such as restaurants, gyms, cinemas and entertainment events. Alberta, on the other hand, implemented an opt-in program, whereby businesses and event venues have the choice of requiring proof of vaccination or a negative COVID-19 test result before entry, or else follow business capacity restrictions.
 
While provincial vaccine passport regimes share some similarities, such as the general definition of “non-essential” businesses and events, each has approached the challenge of mandating the disclosure of private health information in different ways. Consequently, the personal information being disclosed, and the corresponding privacy risks, are unique to each province. A brief summary of the applicable format of vaccine passports in each province is as follows:
 

 

Personal Information{^widget|(singleimagelinktarget)_parent|(name)BLKWP.InlineImage|(singleimageshowornament)False|(singleimageurl)%7e%2fgetmedia%2fee9766f9-1dbd-4ea8-9bfc-720eef5ff103%2fID.png.aspx|(singleimagesize)third|(widget_displayname)Blakes+Inline+Image|(singleimagealignment)center|(singleimagealttext)ID+graphic|(width)|(height)^}

When Required{^widget|(singleimagelinktarget)_parent|(name)BLKWP.InlineImage|(singleimageshowornament)False|(singleimageurl)%7e%2fgetmedia%2fe81f8f87-a1e9-4b5a-8287-72e73867a348%2fNon-Essential-Businesses.png.aspx|(singleimagesize)third|(widget_displayname)Blakes+Inline+Image|(singleimagealignment)center|(singleimagealttext)house+icon|(width)|(height)^}

Format{^widget|(singleimagelinktarget)_parent|(name)BLKWP.InlineImage|(singleimageshowornament)False|(singleimageurl)%7e%2fgetmedia%2f2678f30f-ebf4-460b-8fb5-179c98595c4f%2fQR_Code.png.aspx|(singleimagesize)third|(widget_displayname)Blakes+Inline+Image|(singleimagealignment)center|(singleimagealttext)QR+code+icon|(width)|(height)^}

British Columbia

Name; DOB; dates of vaccination; type of vaccine; lot numbers of vaccine doses received; clinic where doses received.

Before entering non-essential businesses.

B.C. Vaccine Card.
 
May be saved to a mobile device or printed. Uses a SMART Health Card QR code format.

Ontario

Name; health card number; DOB; dates of vaccination; type of vaccine; vaccine injection site; number of doses; lot numbers of vaccine doses received; clinic where doses received.

Before entering non-essential businesses and events.

COVID-19 vaccination receipt.
 
Enhanced Vaccine Certificate with QR Code.

Quebec

Name; vaccination status.

Before entering non-essential businesses and events.

QR Code.
 
Businesses use Quebec’s VaxiCode Verif application to verify whether someone is vaccinated.

Alberta

Name; DOB; gender; date of vaccination; vaccine name and description; vaccine source.

“Discretionary” businesses and events can either: (i) require proof of vaccination, negative COVID-19 test results, or a valid medical exemption to continue operating as usual; or (ii) follow business capacity and operating restrictions.

COVID-19 Immunization Record
 
QR Code with AB Covid Records Verifier (to be used exclusively after November 15).
May also present a paper vaccination record, show a negative rapid antigen or PCR test completed within 72 hours, or provide proof of a medical exemption.

 IMPLICATIONS

Canada’s vaccine passport regimes are still in their infancy, and it remains unclear whether their current structure will adequately address the Privacy Commissioners’ recommendations and best practices, as well as the implications for those organizations utilizing the data in question.
 
Compliance with existing privacy laws remains a live issue for organizations that interface with vaccine passports on a regular basis. Federal and provincial privacy legislation limit the collection, use, storage and disclosure of personal information by private and public sector organizations. It is imperative that the principles outlined by the Privacy Commissioners remain top-of-mind for organizations as they contemplate how to best manage the influx of sensitive personal health information from customers and employees.
 
The widespread use of vaccine passports also presents data security concerns. Organizations that collect vaccine-related data (or send such data to other third parties for storage) have in their possession or control sensitive personal information that would not have been considered appropriate to collect until quite recently. As millions of Canadians use vaccine passports every day, organizations should be cognizant of the risks that they could face from cyber security breaches and consider implementing best practices to mitigate against the side effects of any such incidents, particularly in light of concerns that some have raised about the technological safeguards in place at certain “proof of vaccination” applications.
 
Recent changes to privacy legislation may also significantly affect the implementation of private and public vaccine passports in certain Canadian jurisdictions. On September 22, 2021, Quebec’s Bill 64, An Act to modernize legislative provisions as regards the protection of personal information (the Quebec Amendments), received royal assent. Although the Quebec Amendments do not come into force for two years, they will transform the province’s privacy legislation. Among its many new requirements, the Quebec Amendments call for enhanced consent obligations before public bodies may release an individual’s sensitive personal information. Article 12 provides that medical, biometric, or otherwise intimate personal information is deemed to be “sensitive,” thus entailing a heightened expectation of privacy.
 
The Quebec Amendments also greatly increase potential penalties for private sector actors who violate privacy legislation. Penalties may reach C$50,000 for individuals and the greater of C$10-million or 2 per cent of worldwide turnover in the previous year for organizations. If an offence is committed under the Quebec Amendments, the penalties increase to C$100,000 for individuals and the greater of C$25-million or 4 per cent of worldwide turnover in the previous year for organizations. A recent summary of these legislative changes can be found at: Privacy Update: Quebec’s Bill 64 Receives Royal Assent | Blakes.
 
The Quebec Amendments are likely to be reflected in new and updated privacy legislation in other Canadian jurisdictions. For instance, on June 17, 2021, the Ontario government released a white paper (the Ontario White Paper) outlining proposed frameworks to govern the collection, use and disclosure personal information by private sector organizations. The Quebec Amendments are referenced throughout the Ontario White Paper, including in its discussion of consent and lawful uses of personal information. Similarly, Alberta is currently in the review stage of a public consultation to modernize its privacy legislation, and British Columbia’s privacy commissioner released a briefing note in 2020 discussing potential changes to the province’s privacy legislation.
 
While the precise substance of these statutes will vary, we expect that many of the issues highlighted in the Quebec Amendments will feature prominently in any provincial or federal bills that are brought forward on this subject in the coming months. It is equally likely that any such legislative changes will impact the use of vaccine passports across industry once they are brought into force.

CONCLUSION

 As the pandemic evolves the measures designed to combat it will inevitably follow suit. As vaccination rates continue to climb in Canada, vaccine passports will remain an important feature in many provinces’ public health policies. How governments will address the inevitable privacy concerns of vaccine passports remains a live issue. Blakes remains committed to providing up-to-date information as the situation unfolds.
 
For further information, please contact any other member of our Cybersecurity group.
 

More insights