Health passes – otherwise known as vaccine passports, or Covid status certificates – come with many policy questions and risks but ultimately offer the possibility of a safer, more sustainable return to normality. Their success and legitimacy rests on a number of contingencies, many to do with privacy and security of data.
This briefing confronts some of the big questions by laying out the facts behind the kind of data a health pass could aggregate, the role of biometrics and how health passes relate to digital ID.
Why the Emphasis on Privacy is So Important
The debate on privacy is often characterised by a fundamental ideological opposition to any kind of sharing or use of an individual’s information. This sometimes clouds the crucial practical role of privacy in public life. Privacy:
Protects our physical safety
Limits government power
Maintains trust
Enables self-control over one’s life
Facilitates life without coercion
Privacy is protected under the European Convention on Human Rights but it is a ‘qualified’ right. This means it is not absolute: in certain situations, like a global pandemic, it may be justifiable to subjugate the right to privacy to other priorities such as protecting public health. Some of the arguments here echo those in the debate around contact tracing – you can read more here.
The most frequently raised privacy concerns relating to health passes fall into three main groups:
Will my health data be leaked, hacked or misused?
Will I have to share sensitive personal information with all and sundry, including the security guard at the supermarket or the bouncer at a pub?
Could a health pass be used to collect and share new information about me, such as location data, with government bodies or private companies?
All three types of concerns can be resolved by getting the design of the health pass right. But governments will need to be completely transparent about the purpose and design of health passes while confronting the potential privacy tensions in the most simple and accessible way possible.
Aggregating Data and Protecting It
The precise set of data that a health pass would aggregate to provide a certification would depend on its specific design, and on the criteria that governments (or other organisations) set to meet the conditions for entry into a setting. At the minimum, it would need to have access to vaccination type and date, as well as test types, dates and results. It could also include antibody tests or recent recovery as has been explored by some countries like Israel and in the EU’s Digital Green Pass.
The app would access this data in order to generate a credential – a confirmation that the individual meets the criteria set for entry. This credential would be stored on the device itself – but not the underlying data.
In the UK, the government has indicated that the health pass will likely be provided via the existing NHS App. The certificate would be protected by an NHS login and/or biometric face identification, so only the owner of the data can unlock the health passport. But, to be clear, this does not mean that the information would be linked to a picture of the user’s face.
Individuals also have to provide some additional information when signing up for the app. Since the app was rolled out in 2019, it has a well-established process using the NHS login, which only requires an email and phone number to work. However, for certain services, the app may require the user’s NHS record, in which case the user may need to provide their date of birth, NHS number, name and postcode.
In the UK, the relevant data is generated from several sources and linked to patients’ GP records:
Vaccines:
If a vaccination takes place in a GP practice, primary care network, community pharmacy or vaccination centre, the point-of-care system is Pinnacle.
Hospitals use the National Immunisation Vaccination System (NIVS).
Once vaccinations have been recorded at respective locations, the record is sent to Data Processing Services and, from there, it is added automatically to the patient record. If the GP practice uses another data processing system, Pinnacle will send a PDF document to the GP inbox so it can be added manually.
Testing:
Testing data is managed via the NHS Business Services Authority, which currently informs individuals of their test result.
This comes from the National Pathology Exchange (NPEx) that manages the data with the testing labs, which in turn do not receive any personal data, instead they receive only the specimen ID from the test kit.
With or without a health pass, there is no way to completely guarantee the security and privacy of data. But the risks can be minimised through good governance processes, like making sure a high-quality Data Protection Impact Assessment is completed. The personal data that is provided alongside the critical pieces of information around testing and vaccination should be limited, for instance, by using a unique identifier to link an individual to their records rather than including names and contact details.
The Potential of Biometric Authentication in Government Data Collection
A common misconception with both a health pass and digital identity is that if it uses biometric authentication in any way, this means that the government has developed a biometric database. This is misleading.
A health pass, in particular, would not be the beginnings of a government biometric database because biometric ID is not a compulsory element of getting vaccinated or tested. Both government and the NHS would not have access to the biometric element of the app so it cannot be collected either. Biometric ID could be a secure and convenient way to log into the health pass and ensure that only the rightful data owner could use it. It isn’t essential, however; and in either case, no biometric information needs to be accessed or collected by the government, the health pass platform, or any venue that asks for verification of health status.
Biometric authentication can be used in the case of the NHS App but only if the device supports it. Importantly, password-less biometric authentication is voluntary and not an essential part of the app. It is based on the technological capabilities of the individual’s device. If the device does support biometric authentication, then the NHS does not have access to or control over the biometric data stored on the device. This is also further secured by security on the device. On an iPhone, for example, the biometrics are stored in the phone’s secure enclave that firewalls it from all apps. Biometric authentication would be an alternative (and often more convenient) way of accessing the information, as opposed to a password.
A health pass would require individuals identifying themselves at certain points in the process, and biometric authentication in the app would make these processes of verification considerably more secure, convenient and reliable, as follows:
The health pass platform needs to know you are the person who should have access to the credential.
The person checking it needs to know you are the same person that the credential belongs to (but this does not mean they will necessarily need to know the name of the person).
There is currently no obligation to show any form of identity at a vaccination appointment or testing centre in the UK but some potential design options of a health pass could involve biometric authentication in order to add in health credentials and record them in the app.
Technically, there are a number of benefits to using this biometric authentication. Biometric data is hard to fake, convenient to use and stays the same over a user’s life. The user also technically does not have to reveal any information about themselves other than scan their face or fingers, and even this is not actually shown to another human being but just to the phone. This information is stored in the form of a mathematical “hash” of those identification points. This is important because it makes this form of identification both more private and secure – in the eventuality that the data was compromised, it could not be mathematically re-engineered to identify an individual.
However, errors like false rejects and accepts can still happen. Just like all forms of data, there is a risk it could be hacked too. But if encrypted and stored in secure servers, this risk is minimised significantly.
The Difference Between Health Passes and Digital Identity
Digital identity and health passes have frequently been conflated when they are in fact quite different in design and purpose. The fundamental difference between digital identity and a health pass is that health passes prove a health status, whereas digital identity proves that “I am who I say I am”. Part of using a health pass would involve the individual identifying themselves in order to log into the app but that would not equate to proving or disclosing their identity to venues.
There are two main types of digital identity:
Foundational digital identity: These are intended primarily to provide identity as a public good, not to supply a specific service.
Functional digital identity: These generate identities to serve a specific function.
There are multiple potential types of health pass but they all generally have the same purpose. Some may not confer mobility, some may include a variety of indicators like recent recovery from Covid-19 or a recent test, and some may be on paper.
However, people are right to draw attention to the potential parallels between digital identity and health passes and it is useful to clarify where they converge and where they differ.
Similarities between digital identity and health passes:
Both connect with public services infrastructure.
Depending on design, both could include some form of biometric authentication to access ID or health pass (but this is not a compulsory part of data collection).
Differences between digital identity and health passes:
Health passes would specifically connect to public health data sets, whereas a digital identity would ideally be interoperable across all public services in a sign-on function.
Digital identity seeks to verify a person who is who they say they are, whereas health passes seek to prove a person has been vaccinated and/or tested.
A health pass could be used as a mobility credential in certain contexts whereas digital identity could not.
A frequently cited concern is that health passes are “just digital ID through the back door”. This is misleading as functional digital ID has existed in the UK for some years now through GOV.UK Verify. It is important to highlight that digital identity is not merely a digital version of a driver’s licence or an ID card as commonly perceived (though it could be used this way if designed to) but it is generally seen as a more convenient way of logging into and using a service.
NHS login is technically a form of functional digital identity as it allows individuals to sign on to NHS Digital services, enabling them to prove their identity once, and in a manner that is convenient to them. They can then use their NHS login for other NHS services. If health passes were rolled out, they and digital identity would co-exist.
Key Takeaways
Health data is inevitably being generated as part of managing the pandemic. A health pass would allow individuals to access and benefit from their own data. Government need to focus on the safest and most secure way of doing this.
Biometric authentication would not be a compulsory part of getting vaccinated or tested but it could potentially be used as a way to “login” to the health pass app for convenience.
Digital identity and health passes are different but related tools – and can exist independently.