For almost a year and a half the way we live and do business has been turned upside down by the COVID-19 pandemic and its consequent curfews, stay at home, work from home, changes to gathering limits, travel protocols and much more.
The first vaccine was administered in Jamaica on March 10, 2021, and reports are that almost 140,000 vaccinations have been administered in Jamaica since then. As the number of individuals taking the vaccine increases the hope is that we will begin the journey to our new normal. For now, we now grapple with the idea of what’s next. What will a post-pandemic world look like?
As vaccination programs are underway all over the world, our efforts to transition to life in a post COVID-19 world has introduced the concept of what is being informally referred to as a ‘COVID-19 passport’.
On March 17, 2021 the European Commission proposed a ‘Digital Green Certificate’, a certificate, available both digitally and in paper format, that would quickly verify that a person has been vaccinated against COVID-19, received a negative COVID-19 test or recently recovered from the virus. The Commission pronounced its intention to include, in the certificate, a QR code to ensure security and authenticity of the certificate and build a gateway to ensure all certificates can be verified across the European Union. A QR or Quick Response code is capable of storing lots of data and when scanned, the QR code should allow the user to access information instantly.
The certificate is expected to contain the individual’s name, date of birth, date of issuance, relevant information of vaccine/test/recovery and a unique identifier of the certificate. The certificate is not intended to be a permanent fixture however and the intention is that its use will come to an end once the World Health Organization declares the end of the COVID-19 pandemic. The European Data Protection Board and the European Data Protection Supervisor have however indicated that if the certificate is used beyond this pandemic the scope of it must be clearly published to data subjects and consent obtain where necessary. Other parts of the world such as Israel, France have already implemented a vaccine passport for domestic use with discussions already underway for use in international travel. Countries such as China, Denmark, New Zealand and even New York City have also announced the intention of implementing similar concepts and programs with the hopes of utilizing them as a feature of ‘safe’ reopening of travel, entertainment and even the workplace. While this initiative has recently gained much traction, the World Health Organization suggested an ‘e-vaccination certificate’ at the end of 2020 and even started a pilot project for a digital vaccine certificate in Estonia in October 2020.
The hope is that the Certificate will allow for an ease of travel and movement across all EU members states and even some non-EU countries such Norway, Iceland and Switzerland and potentially access to other areas of society to allow for businesses, particularly those hit hardest by the pandemic such as travel, entertainment and tourism, to begin to re-open or expand opening arrangements, safely.
Naturally, the idea of ‘digital vaccine credentials’ being used to access areas of society raises questions about data privacy and protection given that vaccine data is particularly delicate. Any consideration of a COVID-19 passport or certificate must take account of the principles of data privacy and protection in order to bring people on board.
COVID-19 PASSPORT AND DATA PROTECTION
The Data Protection Act of Jamaica (“DPA”) was passed last year, however is not yet in force and we await the effective date. The DPA governs the processing of personal data and is based on the data protection principles contained in the European Union’s General Data Protection Regulations (“GDPR”). These principles include that personal data be processed fairly, lawfully and transparently, which includes obtaining the appropriate consent where applicable, and it is processed and stored using appropriate technical and organizational measures.
In looking at the implementation of a COVID-19 passport, in any industry, one must determine who is the data controller and data processor where applicable. The DPA defines a data controller as a person or public authority who either jointly or in common with others determines the purposes for which and the manner in which any personal data are, or are to be, processed and where personal data are processed only for purposes for which they are required under any enactment to be processed, the person on whom the obligation to process the personal data is imposed by or under that enactment. A data processor is defined by the DPA as any person, other than an employee of the data controller, who processes the data on behalf of the data controller. Therefore, if a Company A implements a COVID-19 Passport program and chooses to utilize a mobile app offered by Company B to store and verify the COVID-19 Passport, Company A would be the data controller and Company B would be the data processor.
In its current form, the DPA imposes obligations on the data controller and not the data processor. Therefore, data controllers should carefully consider who they employ as a data processor and the contractual terms between the data controller and the data processor. The DPA requires where personal data is processed by a data processor on behalf of a data controller, the data controller must choose a data processor who provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out and the reporting of security breaches to the data controller and takes reasonable steps to comply with those matters.
All contracts between a data controller and data processor must be made or evidenced in writing and the contract must require the data processor to comply with obligations equivalent to those imposed on the data controller. These should cover service levels and suitable technical and organisational measures such as pseudonymisation and encryption of personal data. Pseudonymisation means the processing of personal data in such a way that the personal data can no longer be attributed to specific data subject without the use of additional information, whereby the additional data is kept separately and not subject to technical or organizational measures.
COVID-19 PASSPORT AND THE WORKPLACE
In industries such as travel, tourism and entertainment and food service, the execution of a COVID-19 Passport, along with adequate data protection of same, may not only become necessary at some point but may even act as competitive advantage not only in the domestic space but internationally as well.
In the Jamaican context, while the DPA is not yet in force it is still good practice for businesses of all industries to take the step towards adequate data protection because to do otherwise can lead to a loss of goodwill and consumer trust. It is important for persons to appreciate that even though the DPA is not yet effective companies operating in Jamaica that process the personal data of EU residents are already caught by the GDPR and should be mindful of the obligations under the GDPR, not least of which may include health related personal data.
What will happen next, no-one knows, but discussions of the COVID-19 passport are proof that our world continues to move deeper and deeper into the digital space. Be sure to consult with an attorney-at-law to explore how you or your business may be affected by this transition to the digital space and what you can do to prepare for its seamless implementation in your business!
Joanna Marzouca is an Associate at Myers, Fletcher and Gordon, and is a member of the firm’s Commercial Department. She may be contacted at firstname.lastname@example.org or through the firm’s website www.myersfletcher.com. This article is for general information purposes only and does not constitute legal advice.