CNIL opinion on health passes for COVID-19 vaccination and screening, touching on several aspects of its implementation and use. 

Since the world’s introduction into this COVID-19 health crisis, well over a year ago, there have been various measures implemented to facilitate people working, socializing, and living what can be considered a “normal” life. In the strive to return to what was once considered normal, vaccination campaigns have been launched all over the world. Vaccination efforts have been underway for several months now, and while different countries are at different points in that process right now, one thing is similar in most cases – we are entering a phase where vaccination requirements, and proof thereof, is becoming non negotiable in allowing people access to certain places, experiences and opportunities. There has been backlash from citizens all over the world, who have concerns about their rights, whether human rights in general, or privacy in particular. However, CNIL of France has issued an opinion on the matter. 

The parameters of the health pass have extended and CNIL deemed it necessary to issue an opinion. 

The health passes are not an entirely new concept, however, their application has now expanded to include several aspects of daily life from restaurants and other establishments, to spaces of employment likely to be affected by the virus. This has inspired quite some concern from members of the workforce, as well as the general public. In addition to this, the data attached to the health passes has just undergone a slight increase in its retention period, to facilitate the production of recovery certificates. In addition, due to the vaccination obligation in certain professions, regional health agencies now have access to the vaccination data of all health professionals under their control. 

The CNIL opinion on health passes remains generally consistent with previous opinions issued, with focus on specific amendments made. 

CNIL believes that the implementation of a health pass is an ethical choice, justified by the exceptional nature of the health situation as stated in its previous statements made on May 12th and June 7th. However, the CNIL opinion on the health passes this month stresses that the current health context can only justify exceptional measures if they remain limited in time and if they are necessary to fight against the pandemic. As a result, the CNIL has stated that the impact of the various digital devices on the overall health strategy must be studied and documented regularly, based on objective data, to ensure that the use of these devices ends as soon as their need disappears.

The CNIL would like the Government to review the draft decree on several aspects of the health pass. 

The measures of control for the health pass, which the CNIL voted on on June 7th are now subject to a few changes. There are new alternative systems in place to control the health pass which can be managed online. These systems include the “TousAntiCovid Verif” application, the data accessible to controllers has been extended to include information relating to the screening examination or the vaccine carried out and certain information may be stored temporarily by these devices. As a result of the perceived sensitivity of those systems, the CNIL has called for the Government to review several aspects of the draft decree.

In the CNIL opinion on health passes, there has been specific focus on ensuring that health professionals are able to exercise their data protection rights. CNIL urges the Government to limit temporary storage to the sole result of the verification carried out, remaining in accordance with the principle of data minimization. In addition, the CNIL reiterates the need to have foreign vaccination records secure with regard to the Government’s dedicated portal, connected to the “certificate converter”, allowing the generation of a health pass valid in France. 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018 in the context of the COVID-19 pandemic? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.