CNIL opinion on health passes

The CNIL has issued an opinion on health passes for COVID-19 vaccination and screening, touching on several aspects of their implementation and use.


Since the COVID-19 health crisis began, well over a year ago, various measures have been implemented to help people work, socialize, and live what can be considered a “normal” life. In the effort to return to what was once considered normal, vaccination campaigns have been launched all over the world. Vaccination efforts have been underway for several months now, and while different countries are at different points in that process, one thing is similar in most cases: we are entering a phase where vaccination requirements, and proof thereof, are becoming non-negotiable for access to certain places, experiences and opportunities. There has been backlash from citizens all over the world, who have concerns about their rights, whether human rights in general or privacy in particular. Against this backdrop, the CNIL of France has issued an opinion on the matter.


The parameters of the health pass have been extended, and the CNIL deemed it necessary to issue an opinion.


Health passes are not an entirely new concept. However, their application has now expanded to include several aspects of daily life, from restaurants and other establishments to places of employment likely to be affected by the virus. This has caused considerable concern among members of the workforce, as well as the general public. The retention period for the data attached to the health passes has also been slightly increased, to facilitate the production of recovery certificates. In addition, due to the vaccination obligation in certain professions, regional health agencies now have access to the vaccination data of all health professionals under their control.


The CNIL opinion on health passes remains generally consistent with previous opinions issued, with a focus on the specific amendments made.


CNIL believes that the implementation of a health pass is an ethical choice, justified by the exceptional nature of the health situation as stated in its previous statements made on May 12th and June 7th. However, the CNIL opinion on the health passes this month stresses that the current health context can only justify exceptional measures if they remain limited in time and if they are necessary to fight against the pandemic. As a result, the CNIL has stated that the impact of the various digital devices on the overall health strategy must be studied and documented regularly, based on objective data, to ensure that the use of these devices ends as soon as their need disappears.


The CNIL would like the Government to review the draft decree on several aspects of the health pass. 


The control measures for the health pass, which the CNIL voted on on June 7th, are now subject to a few changes. There are new alternative systems in place to control the health pass, which can be managed online. These systems include the “TousAntiCovid Verif” application. The data accessible to controllers has been extended to include information relating to the screening examination or the vaccine carried out, and certain information may be stored temporarily by these devices. As a result of the perceived sensitivity of those systems, the CNIL has called for the Government to review several aspects of the draft decree.


The CNIL opinion on health passes focuses specifically on ensuring that health professionals are able to exercise their data protection rights. The CNIL urges the Government to limit temporary storage to the sole result of the verification carried out, in accordance with the principle of data minimization. In addition, the CNIL reiterates the need to secure foreign vaccination records with regard to the Government’s dedicated portal, which is connected to the “certificate converter” and allows the generation of a health pass valid in France.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018 in the context of the COVID-19 pandemic? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.


Ireland’s DPC issues guidance

Ireland’s DPC issues guidance on vaccination statuses in the context of employment

Ireland’s DPC issues guidance on the collection of data regarding vaccination statuses in the context of employment.


As the world slowly opens up again, and employees in certain industries are being encouraged to move back into the workplace, employers are seeking guidance on the best approach to employee vaccination and employee data. Can, or should, employees be required or encouraged to get vaccinated? Can employers lawfully collect and process employee vaccination statuses? What can be done with any information on employee vaccination status? As vaccination programmes develop throughout the EU and several persons are at least partially, or fully, vaccinated, public health authorities and data protection authorities are giving guidance to employers on whether they require specific information, how much information they can lawfully collect and what exactly they are allowed to do with this information. The DPC, the Irish supervisory authority, has recently issued a statement guiding employers on how best to deal with employee vaccination data.


The processing of health data should be in line with governmental public health policies. 


The processing of health data should be guided by the government’s public health policies. The work safety protocol suggests that there are very few circumstances in which vaccination should be offered as a health and safety measure in the workplace. This is set out in the Health and Welfare at Work Regulations of 2013 and 2020. There are exceptions to this: in healthcare, for example, vaccination can be considered necessary for the safety of frontline workers. In these situations, employers are lawfully allowed to process vaccine data for employees. Regardless of the vaccine rollout, however, in a general workplace setting, measures like physical distancing, wearing masks, and working from home unless absolutely necessary should remain in place. These should all be considered and enforced before considering whether knowledge of employees’ vaccination status is a necessary measure. The principle of data minimisation suggests that these measures should be implemented, avoiding the need to process employee data unless absolutely necessary.


Under the GDPR, health data is considered special category data, and afforded protection. 


The long-term efficacy of vaccination is currently not clear. With the possibility of new variants being spread, or the possible necessity for regular or semi-regular vaccine top-ups to maintain immunity, the processing of data concerning vaccine status cannot currently be considered necessary across the board. In addition, a person’s vaccination status is part of their personal health record, and is considered special category personal data under the GDPR. This category of information is afforded certain protection under EU data protection law. A requirement for an employer to process personal data may create an imbalance between the data subject and the data controller, since the controller is an employer with control over the data subject’s employment status. Employees should not be asked to consent to having their vaccine data processed, as in this instance consent is not likely to be freely given.


Even in situations where certain information may be required from employees in the context of the pandemic, personal health data remains protected. 


There are certain situations in which an employer, or a medical officer may need to request certain categories of health data from employees. In the COVID-19 context, for example, if an employee were to travel in this current climate, an employer may need to know when an employee may be available to work following their trip. In some cases, a period of isolation or quarantine will be required following travel. The information to be requested or recorded from employees in this instance is not limited or specific to their vaccination status, however. Employees should instead be asked to indicate the date on which they would be available to return to the workplace. As public health advice and information regarding the nature of the virus is updated, protocols may change. However, in sectors where the collection of vaccine information may be necessary, employers should remain up to date on public health guidance. 


CNIL authorizes experimental concert

CNIL authorizes experimental concert in Paris

CNIL authorizes experimental concert in Paris after a request for authorization, due to the processing of sensitive data. 


As governments worldwide endeavour to reopen and boost economies affected by the COVID-19 pandemic, attempts are being made at hosting mass crowd events, something which has been disallowed in many countries since the start of the pandemic. Last month, we wrote about the CNIL of France’s opinion on the use of “vaccine passports” for admission into mass crowd events. The Authority addressed the aspects of privacy and protection of personal data, much of which would need to be processed in order to make this operation functional or successful. Due to the volume of personal data to be processed, the AP-HP sought authorization from the CNIL for the hosting of an experimental concert studying the risk of spread of COVID-19. The CNIL has given its support to the execution of this exercise for research purposes, reiterating the importance of ensuring compliance with the GDPR and Data Protection Act.


This experimental concert is part of a clinical trial studying the risk of contamination of COVID-19 in crowd settings.


This clinical trial consists of two groups of people: an experimental group of 5000 people who would be in attendance at the concert, and a control group of 2500 people who would not be at the concert. The aim of this study is to analyze the transmission of COVID-19 in a large-scale gathering or mass crowd event in an enclosed room, with the application of specific health protocols. The concert, which was scheduled for May 29, is seen as the first attempt at the return of standing concerts in France. Similar concerts have taken place in other European countries like Spain, and these events are expected to give researchers and officials an idea of how safe it truly is to reintroduce mass crowd events to everyday life in a post-pandemic society.


Due to the volume of personal data to be processed in the execution of this clinical trial, CNIL was asked for authorization. 


The research conducted through the hosting of this experimental concert involved the processing of sensitive data from a large number of participants. During the study, the participants had to take several COVID-19 screening tests, the results of which were centrally stored. Participants had the option of uploading proof of a recent and negative screening test result online, or of presenting a hard copy. In addition, participants from the experimental group attending the concert were filmed throughout the process, using smart cameras, in an effort to assess the circumstances under which concert attendees were less likely to respect mask mandates. Each participant was individually informed of the manner in which the study would be carried out, and their consent was obtained in writing, in advance of the study, ensuring that their consent was free, specific and informed. Participants were specifically expected to consent to participating in the research in general, and also to being recorded. This consent could have been withdrawn at any time without justification.


CNIL was in full support of this initiative, giving authorization the very day the request was received. 


CNIL, considering the challenges that have been faced by entertainment professionals in France for the duration of the pandemic, has given its support to this experimental concert. The authority reiterated the importance of compliance with the GDPR, and data protection regulations, as well as guarantees for the protection of individual rights and freedoms. This concert is one of many research projects which have benefited from legal and technical support from the CNIL during this health crisis. Many of these projects have been authorized in less than two days in order to meet specific deadlines, with a total of 117 medical research authorizations issued by the CNIL on COVID-19 during the pandemic.


Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

The CNIL issues its opinion

The CNIL issues its opinion on vaccine passes for mass gatherings

The CNIL issues its opinion on the implementation and use of vaccine passes for admittance to mass crowd events in France.


As the world aims to resume somewhat normal activity during the global COVID-19 pandemic, France is considering the use of vaccine passes, or green passes, for admission to mass gatherings of at least 1000 persons. This suggestion comes in an effort to re-open certain establishments and resume certain activities, while minimizing the risk of contamination from the virus. These green passes, as with the ones for travel, will include information related to the COVID-19 vaccine, a negative COVID-19 test, or proof of recovery from the virus. While they were originally developed to make travel easier during the pandemic, the Government of France seeks to take the opportunity to use them for access to mass crowd events, in an effort to resume those activities much sooner.


The CNIL makes it clear that these passes are not to be used beyond the health crisis. 


The CNIL wishes it to be made clear that these passes are intended only for use during the pandemic and will definitely be of a temporary nature. In acknowledging the unprecedented nature of an initiative like this and the implications that it may have for the lives of individuals, the Authority wants it to be made clear that this measure is meant for the specific purpose of dealing with the current health crisis and should only be used for as long as its purpose is applicable to the COVID-19 pandemic. In addition, the CNIL requests that the impact of this system on the health situation be monitored, studied and documented at regular intervals and on the basis of objective data, in order to determine whether public authorities should continue its use.


The CNIL would like guarantees that the use of these passes is limited to mass crowd events. 


While the Authority acknowledges the functionality of these passes for admittance into mass crowd events, the CNIL would like to make it clear that, in the interest of respect for the fundamental rights and freedoms of persons, these passes should be limited to those mass crowd events for which they are intended. The Authority wants to ensure that the use of these passes excludes places that relate to the daily activities of the population, like restaurants, workplaces, shops, etc. In addition, these passes should not be used for admission to any venue linked to certain usual manifestations of fundamental freedoms (in particular the freedom to demonstrate, to organize politically or as trade unionists, and freedom of religion). The CNIL notes that the particular exclusion of these passes and the prohibition of their use in these spheres is likely to minimize any implications of the use of this system on the rights and freedoms of individuals. The CNIL also believes that there should be further clarification and transparency on the qualification of the events where the use of these passes would be considered appropriate, and measures ensuring that the passes are not used in places and events which do not meet those qualifications.


The CNIL would like to ensure that the use of these passes does not result in discrimination, and protects the personal data of individuals. 


In order to avoid discrimination, the CNIL is stressing the need for these passes to be accessible to all. This includes ensuring that passes are available on paper as well as in digital format. It is also important to ensure that there is no discrimination based on the type of evidence presented in these passes, whether it be evidence of vaccination, a negative COVID-19 test, or recovery from the virus. Due to the sensitive nature of the information used for these passes, it is very important to make special considerations for limiting the disclosure of individuals’ health information. The CNIL therefore suggests the implementation of a solution which would make it possible to limit access to persons authorized to verify the certificates. In addition, the Authority believes that these verifications should result in a color code (green or red color), along with the identity of their holder, so as not to reveal whether the individual has been vaccinated, tested, or recovered from a previous infection with COVID-19.

