Privacy and Security Rules for COVID-19 Vaccine Certificates

As more people access COVID-19 vaccines, many countries are beginning to consider and implement COVID-19 vaccine certificates. However, privacy and security remain a significant concern for experts and individuals.

In this article, we will cover some privacy and security principles that COVID-19 certificates should reflect.

Privacy and Security Concerns

Privacy and security have been a major concern as countries roll out vaccine credentials. Experts have also warned that policymakers face unique challenges in implementing secure data sharing and protecting the privacy of citizens.

Concerns about the privacy and security of these vaccine certificates have increased. This is due to the increased risk of forgery for paper-based credentials and the threat of data breaches in the case of digital certificates.

As these concerns grow, institutions such as the World Health Organization (WHO) have come up with privacy and security rules for COVID-19 vaccine certificates.

In January 2021, the WHO began working with Estonia and about 150 volunteer experts to determine how an international vaccination verification system would work. The goal was to develop a system that gave the user full control over their health and privacy.

Data protection agencies from different countries have also released recommendations to guide governments, businesses, and public agencies in developing secure and privacy-promoting COVID-19 vaccine certificates.

Guiding Principles and Best Practices

Different COVID-19 vaccine certificates will have varying features. But when it comes to security and privacy, each vaccine certificate should reflect certain principles. These include:

Data Minimization

The principle of data minimization requires that you do not collect more information than is necessary. Collecting too much information creates a greater risk if a paper-based record is lost or a security breach occurs.


Vaccine passports must meet an evidence-based necessity for their use. A government should not adopt a vaccination certificate if there is a less privacy-intrusive and equally effective measure available. Each data field on a vaccine certificate should be justifiable.

Legal Authority

Public and private sector stakeholders that introduce vaccine passports must have the legal authority to do so. Such legal authority comes from existing laws, amended laws, or new laws or public health orders. These would specify who has the legal authority to request or require a passport. They would also indicate the circumstances in which one can request or require a vaccine passport.

Technical Privacy and Security Measures

In addition to minimizing unnecessary data, issuers should develop a vaccine certificate framework based on privacy and security considerations.

Collection, Use, Disclosure, and Retention Limitations

Governments should limit the collection, use, and disclosure of personal health information related to vaccine passports. Apps, governments, and third parties should not use vaccine passports to actively track or log the activities of users without their consent. The information accessible on these certificates should also be limited to that required or authorized by law.


Citizens should have access to information about the scope and purpose of vaccine passports. They should also have access to policies about the collection, use, disclosure, retention, and disposal of health information.

Final word

Privacy and security are top concerns for digital COVID-19 vaccine certificates. With these certificates carrying sensitive health information, the damage that could arise from misuse of the data is significant. Therefore, any technology or vaccine certificate system must convince individuals that their health information and personal data will be secure.
