Given the immense scientific success in developing multiple vaccines for COVID-19 using existing and novel technologies, countries are scrambling to deliver the approved vaccines as quickly as possible.
Some of these vaccines require two doses over a given period, while others are single-dose. In order to maximise the benefit from the limited supply over any given time period, software is being used to assist in the administration of the vaccination process. In some cases, such as the French “SI Vaccin Covid”, managed by the health authorities la Direction Générale de la Santé and the Assurance Maladie, and the Irish system managed by the HSE, the systems may also be used to record adverse effects that may present in those vaccinated.
Given that such systems, by their very nature, will be required to hold the identity of those receiving a vaccine and Special Category Data, the data protection obligations on controllers are quite onerous.
As with all processing of personal data, such systems, whether existing or newly developed, will be required to comply with the GDPR and national legislation. They will require a Data Protection Impact Assessment to be undertaken due to the volume and categories of data that will need to be processed to support the roll-out of the vaccines. The DPIA needs to look at the risks from data subjects’ perspective and will be essential for Data Controllers to demonstrate they have undertaken due diligence.
Within the assessment, a key focus will be on the security of the personal data, whether in transit or at rest. Such basic technologies as sufficiently robust encryption, two-factor authentication for access control and comprehensive access logs for auditing are examples of controls that Supervisory Authorities would likely expect to be in place given the volume of data involved and potential uses of that data. Indeed, Supervisory Authorities, as well as data subjects, should be involved in the prior consultation phase of such DPIAs.
Most users of these systems are likely to be national in scope. As such, being able to manage who has access, and to what data sets, will be an integral part of the system design to ensure confidentiality and adhere to the key principle of minimisation.
Along with the technical and organisational measures, another aspect any DPIA will need to cover is any future use of the data gathered. This will be key to enable Data Controllers to meet their obligation to provide the necessary information to data subjects whose data will be processed by such systems, and to do so in a clear and transparent manner before their data is processed. Any legislation passed would benefit from setting out details about the use of personal data for the purposes of administering the vaccine to support lawful data processing. An important element will be strict retention periods, considered by the Irish DPC as one of the necessary suitable safeguards when processing is necessary for reasons of public interest in the area of public health [Article 9(2)(i)]. The retention period should be clearly stated, ideally along with the rationale as to why this period has been deemed necessary.
While the key role of the systems being rolled out will be to ensure the effective distribution and provision of vaccines, the systems will also, therefore, record who has chosen or has been unable to receive a vaccine. This raises issues of how such data may end up being used at a later date. Given that some countries are considering a vaccine passport, it is likely that the data held in such systems could be used for controlling access to international flights and other transport services. They could even have implications for employment or health insurance. These may be unintended uses when the data is gathered, and Data Controllers will need to be fully transparent as to the purposes of processing (and the lawful bases). This will enable them to meet their obligations under data protection legislation but also to develop trust in the wider vaccination programme.
The French Data Protection Authority, CNIL, has already confirmed that the data will be protected “by medical secrecy, and will only be seen by trained personnel, under professional secrecy” within the approved healthcare agencies. Other healthcare professionals will also have access, but only once it has been anonymised.
Spain has stated it will proactively identify those who do not voluntarily accept the vaccine and, what is more, will make this list available to other EU countries. However, it has said that the data will not otherwise be available to the public or to employers.
The Irish system’s privacy notice states the data will only be used for the administration of the vaccine programme, such as scheduling appointments. While other government agencies will have access to some of the data, it will only be for the purposes of preparing anonymised statistical reports. These agencies are not specified in the notice.
Despite the pandemic and the urgency to roll out access to the various approved vaccines, Controllers still have an obligation to provide clear information in plain language to those whose personal data will be processed within any vaccine management system. Governments and state agencies will need to be careful to avoid additional use of the rich data that goes beyond the declared purposes communicated at the time of collection. Furthermore, they will need to ensure that only the minimum data necessary is processed and only for as long as is necessary to achieve its stated purpose. The data should also be subject to a defined retention period.
The secure, transparent and well-managed processing of personal data by such systems will play an important role in building trust in the vaccination programme as a whole. Any issues or perceived misuse of such data will only damage the reputation of governments and their agencies while providing ammunition for those who are predisposed to question the motivation for such programmes in the future.
As the DPC has stated, “data protection law does not stand in the way of the provision of healthcare and the management of public health issues; nevertheless there are important considerations which should be taken into account when handling personal data in these contexts, particularly health and other sensitive data.” The data protection principles will help build trust for the current essential roll-out and investment in meeting those obligations will ultimately secure future goodwill.
The Trilateral Research Data Protection and Cyber-risk team has been working on the processing of special category data since 2015. We offer data governance services that can help your organisation develop policies and procedures for ongoing compliance. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support to help turn your healthcare data into an asset that can bring added public health and social benefit. Please feel free to contact our advisors, who would be more than happy to help.