Today, in light of the COVID-19 pandemic, the eyes of the world are on the subject of vaccination tracking. To discuss pathways forward, IEEE hosted a side session at the United Nations High Level Political Forum (HLPF) called “Vaccine Passports and Databases: Privacy vs. Public Health.” The session discussed the use of COVID-19 “passes,” like the EU Digital COVID Certificate or New York’s Excelsior Pass, to show vaccination and immunity status.
Aimed at better understanding the situation, the limitations, the potential problems, and how to avoid them, the interactive 1.5 hour session featured several participant polls and much discussion. Questions considered included:
- What level of control should a person have over what happens to their vaccination data?
- Can we trust the system? Can people game it?
- Should people be made to share their information in the name of public health, in the name of science and research?
The session moderator, Maria Palombini, Director of Emerging Communities & Opportunities Development, Global Business Strategy and Intelligence (GBSI) and IEEE SA Healthcare and Life Sciences Practice Lead, began the session by pointing out that we have long needed to disclose vaccine status when traveling to some countries, giving as an example the yellow fever vaccination. Now, however, everyone and every country is affected.
She pointed out that what we do at this point with respect to vaccine proof could set a precedent. There could be future diseases in this category, she noted, or the chance that one’s HIV status might fall in this area as well. She asked: Is this really a technology issue? a policy issue? a general industry issue? or a combination of all these things? To discuss possible pragmatic directions forward, she introduced a panel of experts on health data, health passes, and blockchain for healthcare.
Sharing Personal Data Is Not New to Us
The first panelist, Dr. Dipak Kalra, President of the European Institute for Innovation in Health Data, agreed with Ms. Palombini that in the past we have had to present proof of vaccination against yellow fever to gain entry to a number of countries around the world. The proof, however, did not stay with immigration authorities. It was a little yellow paper booklet. We could keep that data with us, on our person. We could throw it away if we wished, even. Passports on the other hand, he noted, are increasingly read electronically and the data is shared with other agencies. Thus, we already share our personal data in ways that we cannot know or control, in exchange for the right to travel, he said.
“It is not as if the COVID-19 certificate is introducing a brand new scenario of unknown information propagation. We have lived with that already with our passports.”
–Dr. Dipak Kalra, President of the European Institute for Innovation in Health Data
Very few of us know who has access to our passport data after we have passed through immigration control, noted Dr. Kalra. Very few of us have used that as a reason for not traveling. Dr. Kalra said that he expected that the information would be used in ways that citizens would not object to — to monitor the effectiveness of checking people’s COVID status, to look at the extent to which people from a different country have certificates, to know the prevalence of the vaccines they might have had, and, if there are outbreaks or issues. He argued that the certificate is a useful tool to look at vaccine effectiveness and vaccine safety.
Having transparency means that the individual will know how their data is used, if it is shared, why it is shared, and what the recipients can do with it.
US Stakeholders Are Reluctant to Share Data
Panelist Alex Colgan, Head of Marketing & Strategic Partnerships for LedgerDomain, a blockchain-based solution for the pharmaceutical supply chain, pointed out that Europe and the US have taken different approaches. While Europe is taking a multilateral, open approach, national security is the “north star” of US federal government policy, with transparency and data privacy taking a backseat. This reasoning would be difficult for Europe to adopt given the number of actors involved. Within this environment, several states in the US are carving out greater privacy protections on their own.
Charting the path to a single vaccine database has also proven difficult in the US because distributors and pharmaceutical companies all hold their own proprietary data silos. With each company maintaining their own legacy systems, it is nearly impossible to have one database without opening enormous security holes, added Mr. Colgan.
Doctors in the US have been reluctant to share some data, noted panelist JP Pollack, Co-Founder and Chief Architect of the Commons Project, developer of the CommonPass, (a forerunner in COVID-19 health status verification). For example, as a patient one has a right to access all of one’s clinical information, including the Doctor’s notes, but doctors in the US maintain that the notes are a private space, only relevant to the care team, and that sharing them with patients might cause problems.
In Sweden, doctors had a similar concern when the Swedish government mandated the sharing of all health data with patients. They thought that patients would get worried about things they read that they did not understand, which, doctors thought, would in turn increase their workload, with people calling, worried about their data. In the end, however, this was not the case.
Justifications for Wanting Some Amount of Privacy
Mr. Pollack pointed out that there are some cases in which people might be put at risk if their data were shared. For example, if the vaccination date was shared, and the person received the shot in January, when only people with preexisting comorbidities were able to receive the vaccine, would that private information be shared with employers for example? Also, what will entities asking for vaccination proof do with the data? Would that data collection be for public benefit? Or will it be self-serving and potentially misused?
“How secure is the data in vaccine ‘passports’?” asked Ms. Palombini, “If it is breached, what will hackers have access to?” Mr. Pollack replied that the systems may have varied levels of security. For example, QR codes could allow the information to be decoded with simple tools. The data–name, date of birth, contact, and vaccination status–can be retrieved by scanning the QR code. He added that, while it is not the most secure of systems in the world, it is also not the most exciting for hackers. Everyone’s immunization history is already in databases in the US: first name, last name, contact, phone, email, date of birth, and immunization data.
The Need to Share Data for Collective Health
“Both privacy and public health are needed: ‘The work we’re doing now with vaccination records is focused on how we can support public health while doing our best to preserve people’s privacy.’”
–JP Pollak, Co-Founder and Chief Architect of The Commons Project
Dr. Kalra stressed that vaccination records need to be shareable, for continuity of care. They represent an important clinical data point in a person’s health record. He also emphasized the need for a soft call to action to share our data with trustworthy institutions for our collective health, noting “Beyond vaccination status information, there is a broader societal need to learn about the disease, its treatment effectiveness, its vaccine effectiveness and safety and long-term consequences. There needs to be a soft call to action to the whole of society to be supportive of trustworthy agencies such as medical research institutions and health related industry sectors to have access to these kinds of data about us in order to help improve our future health and well-being. This needs to occur in trustworthy ways.”
Making Up for the Lack of a Centralized US Database
Dr. Kalra suggested that we need societally agreed terms that limit the distribution and uses of our data to agencies that can demonstrate they will safeguard our information. For instance, this could include the agreement that the data would only be:
- accessed in an anonymized form
- securely protected, and
- used only for approved purposes that target health beneficial innovations and knowledge discoveries.
The urgency of the situation presents a challenge: People want to travel now, and the tech is not embedded in immigration systems yet.
And, because of the urgency of the matter, perhaps we need to ask ourselves if we are willing to accept generic transparency as a temporary measure before we get personalised transparency? Dr. Kalra posited. Would it be alright if the government simply informed us about what happens to our data? Perhaps because COVID-19 data given to border officials would not need to be held for long, archiving could be an option.
What is Data Ownership About?
Ms. Palombini noted that when it comes to our vaccinations, beyond COVID-19, the government is already building databases. This is why we are asked every time we go to the doctor in the US if it is okay to share our data, she said. At the moment, we do not have access to this data. We just have a card. Is it okay for us to say that we each need to keep track of our own card? Is that possible given the technology we have today? Mr. Pollack answered that we have the technology to make it happen. Currently, COVID-19 vaccination data is stored in a large database. But there is a bigger question that looks at the broader realm of trust.
In the US we have never had one centralized database of all vaccination data, but rather it has been stored and scattered in a variety of databases. Currently, we have “moderately interoperable silos,” commented Mr. Pollack.
To make up for this problem, The Commons Project decided to join technology companies and customer-managed relationship (CMR) vendors and the Health Tech system to see if they could come together to agree on a way to issue a trustworthy and verifiable certificate (not a paper copy of a certificate). Through the Vaccine Credential Initiative (VCI), they created a tamper proof vaccine information card called the SMART Health Card, convening over 450 healthcare stakeholders. The card will not afford one access to foreign countries, but it is a trustworthy ID that one can bring, either electronically, or by using a printout with a QR code, to show that one has been vaccinated.
Mr. Pollack had three warnings, however. First, we need to trust that the data is correct to begin with. Not even the most secure ID system will help if no one is confident that this record was actually theirs in the first place. When an individual got the shot, they probably told someone their name, he said. The registries will have this data, but that information may or may not have been verified to be true. Second, we must also be able to trust the entities doing the vaccinating. Trust frameworks can help with this, helping to avoid situations in which people try to use falsified information about their vaccination status. Perhaps their forged card shows they were vaccinated at “JP’s Vax-Mart in Tribeca, NY” when, actually, they did not receive the vaccine, or perhaps they were actually vaccinated, but by an uncredentialed institution. Third, he pointed out that if a given vaccine is not effective, showing that people have received it might not help anything.
Lack of Public Awareness About Privacy and Data Sovereignty
When asked, “What are the incentives of the stakeholders? What do they want?” Mr. Colgan replied that the vast majority of travellers are solely interested in reaching their vacation destination or their doctor’s visit. Most people are in the habit of quickly surrendering their data to remove obstacles, and are unconcerned until surprised by something going wrong.
When QR codes are used for verification, the entities doing the scanning can potentially access personal data. Ms. Palombini asked Mr. Colgan what might be done with the data scanned–do the entities requiring it put it into a marketing database? Or are they using secure software so they cannot read it?
Mr. Colgan pointed out that there is a difference between distributed and decentralized systems, using the pharmaceutical industry’s approach to the US Drug Supply Chain Security Act (DSCSA) as an example.
The DSCSA, which “outlines steps to build an electronic, interoperable system to identify and trace certain prescription drugs as they are distributed in the United States,” requires authorized trading partners to exchange data with each other, even when prior business relationships do not exist. If everyone shares the same distributed ledger, but the keys are being held by a few players, one could enter and take all of the data at once.
Decentralized systems make it possible for identity and access to private data to be self-sovereign, making large-scale data breaches untenable while aligning with modern data privacy regulations. For this to be possible, a standards-driven approach with stakeholder alignment is required.
“Decentralized technologies including distributed ledgers and verifiable credentials have emerged to enable self-sovereign healthcare privacy, in which individuals and healthcare professionals have some measure of control over their data and identities with their own private credentials.”
–Alex Colgan, Head of Marketing & Strategic Partnerships for LedgerDomain
Standards Can Help Knit Together International Pass Use
With several vaccination verification cards already created– CommonHealth, EU COVID-19 Certificate, the Chinese International Travel Health Certificate, New York’s Excelsior Pass, and others–the next step is to make it possible for all countries to agree on the cards and to harmonize the system so people can move seamlessly between one place to the next.
A global standards-driven approach can help with semantic interoperability of obtaining verified vaccine credentials from original digital source records across the world and the established data governance structure of DIDs verifiers that would appropriately protect the privacy of the consumers/patients.
Current published standards and other projects in development can provide a baseline foundation to these needed standards. For example, IEEE 1752.1 – IEEE Approved Draft Standard for Mobile Health Data, which standardizes mHealth data and metadata, will improve the ease and alignment accuracy of aggregating data across multiple mobile health sources (semantic interoperability) and will “reduce the costs of using this data for biomedical discovery, improving health, and managing disease.”
Essentially, the open source standard enables mhealth data regardless of developed device to be aggregated and utilized for clinical research. The concept could be applied in this case as it relates to semantic interoperability of verifying vaccine credentials from different sources in order to meet policy guidance for required proof of vaccination of status that can be verified and aggregated over time.
Reflecting on the discussion, Ms. Palombini observed that this is clearly not only a policy, technical, or industry challenge – it is everything. Right now, it so happens that we are talking about COVID-19, but there will be others. She asked: “Can we make it the right way, now, to serve in the long term? Then we can focus on cures.”
For more information about this issue, visit IEEE SA’s work in Healthcare and Life Sciences.
Author: Kristin Little