This information is provided as a resource, but it is not legal advice. You are encouraged to speak to legal counsel to learn more about how “vaccine passports” and data privacy/security may affect your organization as it relates to passenger travel information.
- Most “vaccine passports” are operated by non-profit organizations such as The Commons Project’s CommonPass and the International Air Transport Association’s (IATA) Travel Pass.
- Regarding data security and privacy frameworks or policies, it is important to recognize that how a legal entity is structured and operates matters for data privacy. While non-profits are often held to similar regulations as for-profit entities or corporations, some local laws or policies, such as the California Consumer Privacy Act (CCPA), may include exemptions for non-profits, subject to the organization’s structure and its current data and user privacy/security handling procedures.
- “Vaccine passports” and technologies such as “exposure notifications” are usually designed to collect information or data in a “privacy-friendly” manner. “Exposure notifications,” like those from Apple and Google’s joint COVID-19 effort, rely on the Bluetooth short-range radio of each user’s device. Bluetooth keys or beacons do not reveal user identity or location. However, solutions that rely on cookies, IP information, and/or biometrics may disclose a user’s individual web browser or device through an IP address, browser version, operating system, and other information, such as biometrics. Users who log in to or engage with related software accounts may be individually identifiable to those applications through session cookies or biometrics.
The IATA Travel Pass is intended to be designed so that it is convenient and relevant for everyone. The IATA Travel Pass is intended to enable passengers to (1) create a “digital passport,” (2) verify their test/vaccination meets the associated regulations, and (3) share test or vaccination certificates with authorities to facilitate travel.
The available or published Privacy Policy for IATA appears to be inadequate based on the E.U.-U.S. Privacy Framework (though we realize IATA is based in Canada) and key requirements for organizations processing an individual’s data. For instance, details regarding free and accessible dispute resolution information are not provided. Transparency about enforcement actions and privacy commitments is also not fully defined. (These requirements are also included in the GDPR.)
While most travel or “vaccine passport” apps promote high-level data and security practices, including statements that “there is no central database holding passenger information,” this sensitive, personal data is likely aggregated and/or associated with a guest’s contact details and/or travel itinerary during the process of integrating with airlines, governments, or third-party integration services, like Timatic.
In today’s tech-heavy, mobile-first business environment, the boundaries between personal and business data and information are becoming increasingly difficult to distinguish. Considering the current global pandemic, including the health and safety concerns of both businesses and employees, companies should strive to protect the privacy of employees' medical information to the greatest possible extent. Here are some guidelines organizations might consider following regarding the confidentiality of medical information, such as vaccine information as it relates to travel:
- "Medical information" is any information, data, or documentation relating to an employee's mental or physical condition. The term includes, but is not limited to, oral, written, or digital information concerning an employee's mental or physical condition; medical records; dental records; disability records; workers' compensation records; medical leave records; genetic information; health insurance information; and/or information concerning visits or payments to any health care professional, hospital, emergency room, or another type of short- or long-term health care facility.
- Any medical information concerning employees will be maintained in separate, confidential medical files apart from regular personnel records. Only authorized employees may ever have access to such files.
- Employees are hereby notified that medical information concerning employees is confidential under state and federal laws and may not be discussed at any time with any person under any circumstances unless an employee needs to do so to carry out his or her job duties, or unless the person discussing the information is talking or otherwise communicating with the subject of the information at that person's invitation. If an employee is concerned about a possible medical condition on the part of a coworker, the employee must not discuss such concern with anyone other than the company’s CEO, and/or the company’s General Counsel.
- Any employee who is found to have discussed medical information about another employee with anyone else in violation of this policy, or who is found to have released such information without authorization, will be subject to severe disciplinary action, up to and possibly including immediate termination from employment. Also, state and federal laws may subject such an employee to both civil and/or criminal action in a court of law.
While industries including meetings, sports, entertainment, etc. are seeking to help mitigate risks by allowing attendees to verify and confirm their IDs and “validate” vaccine information to operate in safe and secure ways, data privacy is a top concern. It is important to keep in mind that while national or global databases exist for clinical trials, a reason a national vaccine database for non-clinical trials does not exist correlates with the care of this trusted, sensitive, personal data. How might software companies provide more assurance or offer the meetings and events industry a higher level of confidence than health organizations, such as the CDC?
At GruupMeet, we believe it is our duty to stay at the forefront of what is next and what is effective and efficient for influencing successful strategic meeting and event experiences. Though the concept of vaccine passports is likely to be a success for individual or transient travelers (once these tools are fully developed across multiple devices and/or launched for global scale to guests other than U.S. citizens), business meetings and events of all sizes may be tasked with several challenging unknowns. Besides striving to meet today’s high customer expectations, vaccine passports must also enhance and simplify the event or meeting experience for attendees too. But can they?
This article was written by Russell Wyman, Co-Founder and CEO of GruupMeet, Inc., a leading event logistics management solution. GruupMeet is the “super-simplified” version of ALL event management tools. Some of GruupMeet’s unique features include two-way texting automation, continuous group flight tracking, historical/estimated baggage claim data, and event analytics. Visit www.gruupmeet.com to learn more, or email Russell directly via [email protected].