
Vaccine Passports: Privacy Risks, Implementation Problems

Since the onset of the pandemic, the concept of COVID-19 “passports” has been a recurring and controversial component in the process of reopening the economy. While it has become perhaps commonplace in the hospitality industry, proving vaccination status may soon be a de facto requirement for millions more U.S. workers—not just those working in customer-facing roles.

The Private Sector Has Embraced Vaccine Mandates

Ever since COVID-19 vaccination rollouts began, the choice of remaining unvaccinated has been a highly contentious issue. While numerous private businesses wasted no time taking a strong pro-vaccination stance, efforts to encourage vaccination among individual workers have only recently evolved into more direct requirements.

Just in the last few months, companies from AT&T to Deloitte have made it clear they will mandate all medically eligible employees to prove vaccination status before reentering the office space. That goes for new hires also as vaccination status increasingly becomes a qualification requirement. The number of listings on jobsite requesting proof of vaccination increased by 90% between July and August alone.

Regardless of whether you agree with the approach, private businesses insisting on their staff being vaccinated is completely legal. According to the U.S. Equal Employment Opportunity Commission, U.S. employers can require employees to receive vaccinations against any “pandemic,” which COVID-19 currently qualifies as.

However, while this may not be legally troublesome for employers, requiring workers to provide proof of their vaccination may well be.

A Federal Vaccine Mandate Edges Closer to Reality

Critically, whether to enforce a workplace vaccine mandate may not be a question of choice for employers much longer. President Joe Biden recently stated his intent for the Occupational Safety and Health Administration (OSHA) to ensure that any individual in a workplace staffed with more than 100 employees is either vaccinated or undergoing continual testing. This latest proposed take on workplace vaccination by the federal government will supersede the current litany of state rules and regulations around vaccination law and impact around 80 million workers nationwide.

Of course, actual implementation of federally mandated regulations will be unlikely to happen seamlessly. Any forthcoming vaccine requirement for the workplace will face a battery of legal challenges, not the least of which will come from states themselves—a fact governors from Texas and Arizona have already made clear. Some groups, such as state and local government employees, will also not fall under any jurisdiction covered by an order from OSHA.

For employers, however, it’s critical to note that while the federal government may require them to ensure employees are vaccinated, it so far has no intention to develop a national passport system. As a result, proving vaccination status will likely remain the responsibility of third-party vaccine passport providers for the foreseeable future, which, regrettably, will continue to make verification for businesses a particular challenge.

Verifying Vaccination Status Is a Digital Minefield

For businesses at large, the only sustainable method to prove employee vaccination status is to use some manner of digital verification. But implementation of digital verification has been fraught with controversy across the country. In fact, in as many as 22 states, including Florida and Texas, electronic vaccine verification has been banned outright.

Meanwhile, only seven states have introduced a state-led vaccine passport system that businesses can use. In most others, such as Connecticut, proving vaccination status means choosing from a number of private sector providers.

What this shows at the state level is that digital verification is a divisive issue and a complex matter, which means it will be even more so, unfortunately, for employers.

Managing vaccination monitoring and enforcement through third-party proof-of-health status providers will raise a host of privacy concerns, particularly around data security. Currently, there is no data protection standard for vaccine passports in the United States. As a result, with countless providers using methods ranging from blockchain to centralized storage, the likelihood of security failures is high.

As evidence that no system will ever be unassailable, German security firm G Data CyberDefense recently discovered several vulnerabilities within the European Union’s green pass vaccine passport. The firm also proved how easy it is for a fraudster to create a fake verification passport by successfully confirming a vaccination pass for an individual born in 1843.

By compelling employees to engage with third-party verification providers, employers expose both staff and themselves to these and other risks. From a legal perspective, a big unknown is the consequences of a data breach that leaks employee health information collected for or on behalf of an employer. With a growing number of state-level laws, such as the California Privacy Rights Act (CPRA), stipulating fines for data breaches that might expose this information, many businesses are unknowingly increasing their risk for legal backlash.

Health Verification May Be a One-Way Street

Although the measures currently proposed by the Biden administration will likely be authorized under “temporary emergency authority,” health verification—at least for COVID-19 vaccination status—may be around for the long term. As a result, employers will likely continue to face a multitude of challenges navigating employee privacy.

Vaccine passport privacy is something employees themselves are likely to be highly concerned about. When DeleteMe surveyed 1,100 U.S. adults in February and March of this year about their attitudes toward the potential use of “portable vaccine proofs” or health passports, it found that a significant 39% minority opposed their use.

But as vaccination verification potentially becomes obligatory, the only way to mitigate concerns is to establish a culture of privacy wherein employers transparently take positive and effective steps to protect employee information as much as possible. In practice, this means administering benefits like information removal, minimizing data collection, or training staff about how they might be compromising privacy in other areas of their lives, as well.

Entering an era in which verifying employee health information is standard practice requires employers to take more responsibility for prioritizing their employees’ privacy.

Rob Shavell is CEO of Abine/DeleteMe, an online privacy company. Shavell has been quoted as a privacy expert in The Wall Street Journal, The New York Times, The Telegraph, NPR, ABC, NBC, and Fox. He is also a vocal proponent of privacy legislation reform, including the California Privacy Rights Act (CPRA).