Governments and companies are racing to develop and deploy Covid-19 digital passports that would store information about a person’s status, whether they have been vaccinated and their immunity level. The data would be generally processed through a mobile phone application and accessible to among other agencies border control, port health and immigration officials.
One justification for the Covid-19 digital passports is the need for verifiable and safe data on an individual’s Covid-19 status. There have been reports of travellers possessing fake Covid-19 certificates. Digital passports could contain tamper proof information that would be encrypted.
The International Air Transport Association (IATA) launched the IATA Travel Pass which is one of the initiatives for a Covid-19 digital passport. On its website, IATA indicates that its Travel Pass would provide a global and standardised solution to validate and authenticate all country regulations regarding Covid-19 passenger travel requirements. The IATA Travel Pass would enable passengers find accurate information on travel, testing and vaccine requirements for their journey and find testing centres and labs at their departure location which meet the standards for testing/vaccination requirements of their destination. The Travel Pass would also enable authorised labs and test centres to securely send test results or vaccination certificates to passengers and enable passengers create a ‘digital passport’, verify their test/vaccination meets the regulations and share test or vaccination certificates with authorities to facilitate travel.
While the Covid-19 digital passports/passes are welcome, it is instructive to note that in many countries contact tracing applications have generally failed to gain notoriety with the masses. One, Covid-19 apps have failed due to low uptake despite Google and Apple providing platforms to host applications developed and deployed by governments. There has been mistrust on real intention of governments deploying these apps. It is said data from the apps would be used for unregulated government surveillance. There is also the technical question of whether the apps would adopt a centralised or decentralised database.
Generally it said that a decentralised database provides better protection for personal health data especially if such data is anonymised or pseudonymised.
Two, there has been scant public information and education on the use of the Covid-19 mobile phone applications. For example, in Kenya, the Ministry of Health developed and deployed the ‘Jitenge’ mobile application. According to the Ministry’s website, ‘Jitenge’ allows users to either self-register or are registered by various ministry officials at the quarantine initiation point for home quarantine, at the quarantine facilities, and of the point of entries by port health officials.
Registered users are to receive daily reminders and prompts to report on their health status including symptoms or any other information. Unless one has been tested for Covid-19 or travelled into the country recently it is unlikely they will have interacted with the ‘jitenge’ app. There is no information publicly available on whether the Kenya government will use the IATA Travel Pass to screen travellers getting into the country, whether ‘jitenge’ will be upgraded or a Kenya specific Covid-19 digital pass will be developed. Notwithstanding, Kenyan travellers to destinations around the world will not avoid use of either the IATA Travel Pass or a country specific Covid-19 digital pass the same way one must have a yellow fever vaccination certificate to travel to and from certain countries.
The above is happening over the background of recently drafted guidance note on access to personal data during Covid-19 pandemic by the Office of the Data Commissioner.
Hopefully as the Office of the Data Commissioner is operationalised, we will have data protection regulations specific to different sectors. To illustrate, data processed in dealing with the Covid-19 pandemic is broadly sensitive personal data as it includes health data and requires more stringent protection under the Data Protection Act.
In fact, all institutions whether public of private wishing to collect, analyse, store or share Covid-19 data ought by now to have publicly published data protection impact assessment reports.
Regulations on sensitive personal data ought to be specific on whether the data is being processed for a private, public or commercial purpose. Further due to the inevitable sharing of Covid-19 data across borders, we require specific guidance on why the data is to be shared, who shares the data, who has access to the data, what protections would be available for the data.
-The writer is an advocate of the High Court of Kenya and a privacy and data protection specialist.