The rapid development and roll-out of vaccines to protect people from COVID-19 has prompted debate about digital ‘vaccine passports’.

This report presents the key debates, evidence and common questions under six subject headings. These are further distilled in this summary into six requirements that governments and developers will need to deliver, to ensure any vaccine passport scheme builds from a secure scientific foundation, understands the full context of its specific sociotechnical system, and mitigates some of the biggest risks and harms through law and policy. In other words, a roadmap for a vaccine passport system that delivers societal benefit.

Executive Summary

The rapid development and roll-out of vaccines to protect people from COVID-19 has prompted debate about digital ‘vaccine passports’. There is a confusion of different terms to describe these tools, which are also called COVID-19 status certificates. We identify them through the common properties of linking health status (vaccine status and/or test results) with verification of identity, for the purpose of determining permissions, rights or freedoms (such as access to travel, leisure or work). The vaccine passports under debate primarily take a digital form.

Digital vaccine passports are novel technologies, built on uncertain and evolving science. By creating infrastructure for segregation and risk scoring at an individual level, and enabling third-parties to access health information, they bring profound risks to individual rights and concepts of equity in society.

As the pandemic death toll rises globally, some countries are bringing down case numbers through rapid vaccination programmes, while others are facing substantial third or fourth waves of infection, and the mitigating effects of vaccination have brought COVID vaccine passports into consideration for companies, states and countries.

Arguments offered in support of vaccine passports include that they could allow countries to reopen more safely, let those at lower risk of infection and transmission help to restart local economies, and allow people to reengage in social contact with reduced risk and anxiety.

Could a digital vaccine passport provide a progressive return to a normal life, for those who meet the criteria now, while vaccines are distributed in the coming months and years? Or might the local and global inequalities and risks outweigh the benefits and undermine societal notions of solidarity?

The current vaccine passport debate is complex, encompassing a range of different proposed design choices, uses and contexts, as well as posing high-level and generalised trade-offs, which are impossible to quantify given the current evidence base, or false choices that obstruct understanding (e.g. ‘saving lives vs privacy’). Meanwhile, policymakers supporting these strategies, and companies developing and marketing these technological solutions, make a compelling and simplistic pitch that these tools can help societies open up safer and sooner.

This study disentangles those debates to identity the important issues, outstanding questions and tests that any government should consider in weighing whether to permit this type of tool to be used within society. It aims to support governments and developers to work through the necessary steps to examine the evidence available, understand the design choices and the societal impacts, and assess whether a roll-out of vaccine passports could navigate risks to play a socially beneficial role.

This report is the result of an international call for evidence, an expert deliberation, and months of monitoring the debate and development of COVID status certification and vaccine passport systems around the world. We have reviewed evidence and discussion on technical build, risks, concerns and opportunities put forward by governments, supranational bodies, collectives, companies, developers, experts and third-sector organisations. We are indebted to the many experts who brought their knowledge and evidence to this project (see full acknowledgements at the end of this report).

Responding to the policy environment, and the real-world decisions being made at pace, this study has, of necessity, prioritised speed over geographic completeness. In particular, we should caution that the evidence submitted is weighted towards the UK, Europe and North American contexts and will be more useful currently to policymakers in these areas, and in future to policymakers facing similar conditions – increased levels of vaccination and reducing case numbers – while navigating what are likely to be long-term questions of managing outbreaks and variants.

There are some factors for consideration that will be relevant to any conditions, for countries and states considering whether and how to use digital vaccine passports. These include the exploration of the current evidence on infection and transmission of the virus following vaccination, and some aspects of the technical design considerations and choices that any scheme will face.

A number of the issues – such as the standards governing technical development – will need to be considered at an international level, to ensure interoperability and mutual recognition between different countries. There are strong reasons why all countries should consider the potential global impacts of adoption of a vaccine passport scheme. Any national or regional use of vaccine passports that contributes to hoarding or ‘vaccine nationalism’ will produce extreme local manifestations of existing global inequalities – both in terms of health and economics – as the high rate of infection and deaths in India currently evidences. Prioritising national safety over global responsibility also risks prolonging the pandemic for everyone by leaving the door open to mutations that aren’t well controlled by existing vaccines.

Other requirements will be highly contextualised in each jurisdiction. The progress in accessing and administering vaccinations, local levels of uptake and reasons for vaccine hesitancy, legal regimes, and ethical and social considerations will weigh heavily on whether and how such schemes should go ahead. Even countries that seem to have superficially similar conditions may in fact differ on important and relevant aspects that will need local deliberation of what is justifiable and achievable practically, from the extent of existing digital infrastructure to public comfort with the use of technology, and attitudes towards increased visibility to the state or to private companies.

Incentives and overheads will look different as well. The structure of the economy – whether it is highly reliant on tourism for example, as well as the level of access to the internet and smartphones – will be important factors in calculating marginal costs and benefits of digital vaccine passports. And that local calculation will need to be dynamic: countries with minimal public health restrictions in place and low rates of COVID-19 face very different calculations in terms of benefits and costs to those in highly restrictive lockdowns with a high rate of COVID-19 in the community.

This report presents the key debates, evidence and common questions under six subject headings. These are further distilled in this summary into six requirements that governments and developers will need to deliver, to ensure any vaccine passport scheme builds from a secure scientific foundation, understands the full context of its specific sociotechnical system, and mitigates some of the biggest risks and harms through law and policy. In other words, a roadmap for a vaccine passport system that delivers societal benefit. These are:

1. Scientific confidence in the impact on public health
2. Clear, specific and delimited purpose
3. Ethical consideration and clear legal guidance about permitted and restricted uses, and mechanisms to support rights and redress, and to tackle illegal use
4. Sociotechnical system design, including operational infrastructure
5. Public legitimacy
6. Protection against future risks and mitigation strategies for global
   harms.

These requirements (with detailed recommendations below) set a series of high thresholds for vaccine passports being developed, deployed and implemented in a societally beneficial way. Building digital infrastructure in which different actors across society control rights or freedoms on the basis of individual health status, and all the myriad of potential benefits and harms that could arise from doing so, should face a high bar.

At this stage in the pandemic, there hasn’t been an opportunity for real-world models to work comprehensively through these challenging but necessary steps, and much of the debate has focused on a smaller subset of these requirements – in particular technical design and public acceptability. Despite the high thresholds, and given what is at stake and how much is still uncertain about the pathway of the pandemic, it is possible that the case can be made for vaccine passports to become a legitimate tool to manage COVID-19 at a domestic, national scale, as well as supporting safer international travel.

As evidence, explanation and clarification of a complex policy area, we hope this report helps all actors navigate the necessary decision-making prior to adoption and use of vaccine passports. By setting out the features to be delivered across the whole system, the benefits and risks to be weighed, and the harms to be mitigated, we hope to support governments to calculate whether they can be justified, or whether investment in vaccine passports might prove to be a technological distraction from the central goal to reopen societies safely and equitably: global vaccination.

Recommendations summary for governments and developers

1. Scientific confidence in the impact on public health

The timeframe of the pandemic means that – despite significant leaps forward in understanding that have led to more effective disease control and vaccine development –scientific knowledge is still developing about the effectiveness of protection offered through tests, vaccines or antibodies that most vaccine passport models rely on.

Most of the vaccines now available offer a high level of protection against serious illness from the currently dominant strains of the virus. It is still too early to know the level of protection offered by individual vaccines in terms of duration, generalisability, efficacy regarding mutations and protection against transmission.

This means that any vaccine passport system would need to be dynamic, taking into account the differing efficacy of each vaccine, known differences in efficacy against circulating variants, and the change in efficacy over time. A vaccine passport should not be seen as a ‘safe’ pass or a proxy for immunity, rather as a lowering of risk that might be comparable to, or work in combination with, other public health measures.

Calculating an individual’s risk based on providing test results within a vaccine passport scheme avoids some of the problems associated with relying solely on vaccination, including access, take-up and coverage. A good negative test indicates that an individual is not currently infectious and therefore not a risk to others. However, this type of hybrid scheme requires widespread access to highly accurate and fast turnaround tests, as well as scientific consensus as to the window in which someone can be deemed low risk (most use 24–72 hours).

Evidence of a negative test offers no ‘future’ protection after that window, making it less desirable for a move to another city or entry to another country. Given that most point-of-care tests (tests that give a result at home) have a lower level of accuracy than tests administered in clinical settings, the practical overheads of reliance on testing may make this highly challenging for any routine or widespread use. If consistently accurate point-of-care tests become available, that might make testing a more viable route for a passport system, but would also reduce the need for a digital record – as people could simply show the test at the point of access.

Almost all models of vaccine passport attempt to manage risk at an individual level rather than using collective and contextual measures: they class an individual as lower risk based on their vaccine or test status, rather than a more contextual risk of local infection numbers and R rate in a given area. Prioritising this narrow calculation above a more contextual one may undermine collective assessments of risk and safety, and reduce the likelihood of observing social distancing or mask wearing.

A further important dimension is how the use of a vaccine passport affects vaccine take-up by hesitant groups – it provides a clear incentive to disengaged or busy people, but could heighten anxiety from those who distrust the vaccine or the state, if it is seen as mandatory vaccination or surveillance by the back door.

2. Clear, specific and delimited purpose

It will be much easier to weigh the benefits, risks and potential mitigations when considering specific use cases (visiting care homes, starting university, or international travel without quarantine, for example) rather than generalised uses.

Based on the health modelling, there may be greater justification for some use cases of digital vaccine passports than others, such as settings where individuals work face to face with vulnerable groups. Countries are already coming under pressure to create certificates for international travel to selected destinations and this is likely to expand. There may also
be some uses that should be prohibited as discriminatory (examples to consider include accessing essential services, public transport or voting) and exemptions that should be introduced for those unable to have a vaccine or regular testing.

Developing clear purposes and uses should be carried out with consideration to public deliberation, and law and ethics (see below), and mindful of risks that could be caused in different settings, which might include liability for businesses or insurance costs for individuals, barriers to employment, as well as stigma and discrimination.

3. Ethical consideration and clear legal guidance about permitted and restricted uses, and mechanisms to support rights and redress and tackle illegal use

Interpretation and application of ethics and law will be particularly local to regions’ jurisdictions, and – as described above – this report does not attempt to do justice to a fully international picture. There are of course some global agreements, and in particular the Universal Declaration of Human Rights and its two covenants, that are universally applicable.
Based on the debates around ethical norms and social values we have been following in the UK, USA and Europe in particular, there are a number of areas of focus in terms of ethics and law.

Personal liberty has been a significant concern in the debate – that vaccine passports might represent the least restrictive option for individual liberties while minimising harm to others. There are important legal tests, in particular respecting a range of human rights, particularly
the right to a private life, which must be considered where people are required to disclose personal information.

Wider concerns raised are around impacts on fairness, equality and non-discrimination, social stratification and stigma at both a domestic and an international level. Specific concerns about harms to individuals or groups, through facilitating additional surveillance by governments or
private companies, blocking employment or access to essential services, will need to be addressed.

Legal and ethical issues should be weighed in advance of any roll-out, and adequate guidance, oversight and regulation will be required.

4. Sociotechnical system design, including operational infrastructure to make a digital tool feasible

Designing a vaccine passport system requires much more than the technical design of an app, and includes consideration of wider societal systems alongside a detailed examination of how any scheme would operate in practice.

When it comes to technical design, there are a number of models being developed that have different attributes and security measures, and bring different risks into focus. There are commonalities, for example QR codes are widely used with varying degrees of security, but the models are too disparate and varied to summarise in detail here. With some models bringing together identity information and biometrics information with health records, any scheme must incorporate the highest-level security.

Some risks can be minimised to some extent, by following best-practice design principles, including data minimisation, openness, privacy by design, ethics by design and giving the user control over their data. Governments also need to be careful not to allow rapid deployment
of COVID vaccine passport systems to lock in future decisions including around the development of wider digital identity systems (see requirement on future risks).

When it comes to the ‘socio’ part of sociotechnical design, governments need to decide what role they ought to play, even if they choose not to design and implement a system themselves (many developers described their role as ‘creating the highway’ and look to governments to decide the ‘rules of the road’).

Governments (alone, or acting through regional or international governmental institutions) are the only actor that can consider the opportunities and risks (identified above) in the round, and will need to offer legal clarity as well as monitor impact and mitigate harms, so should not step back from this question. They will need to ensure that the operational and digital infrastructure is in place across the whole system, from jab or test through to job or border.

Governments will also need to consider costs – including opportunity costs, maintenance costs and burdens on business – and impacts on other aspects of public health, including vaccination programmes, other public health measures, and public trust in health services and
vaccination.

5. Public legitimacy

Public confidence will be crucial to the success of a COVID vaccine passport system, and will be highly locally contextual. There are sensitivities involved in building technical systems that require personal health data to be linked with identity or biometric data for many countries. These combine with challenges in the wider sociotechnical system, including financial and other burdens on society, businesses and individuals, to produce concerns about potential harms. A system that is seen as trusted and legitimate could bolster hopes that it might encourage vaccination and updake of booster shots, or inspire more confidence in spaces that require vaccination or testing to enter.

Polling suggests public support for vaccine passports varies based on the particular details of proposed systems (including how they will establish status and in which settings), and concerns about discrimination and inequality. Polling to date only scratches the surface
of these new applications of technology, and deeper methods of public engagement will be needed to properly understand opinion, perceived benefits and risks, and the trade-offs the public is willing to make.

6. Protection against future risks and mitigation strategies for global harms

If governments believe they have resolved all the preceding tensions and determined that a new system should be developed, they will also need to consider the longer-term effects of such a system and how it might shape future decisions or be used by future governments.

Risks to mitigate include the concern that emergency measures become a permanent feature of society. The introduction of vaccine passports has the potential to pave the way to normalising individualised health risk scoring, and could be open to scope creep post-pandemic, including more intrusive data collection or a wider sharing of health information.
Governments should consider the risk of infrastructure passing to future governments with different political agendas, and how tools introduced for pandemic containment could be repurposed against marginalised groups or for repressive purposes. More prosaically there
are maintenance and continuous development costs to consider, as well as path dependency for future decisions generated by emergency practices becoming normalised.

Equally pressing is how one national scheme affects the global response to COVID-19. Despite international coordination, there are significant inequalities of access to vaccines resulting in extreme differences in local manifestations of the virus – both in terms of health and economics. A legitimate concern is that wealthier countries rolling out vaccine passports could further contribute to exacerbating global inequalities, by incentivising vaccine hoarding. For example, vaccine passport schemes could encourage well-vaccinated and contextually low-risk countries to prioritise retaining booster shots to allow their citizens to take international holidays, rather than incentivise global vaccination – which is the only definitive route to controlling the pandemic.

Introduction

The question of whether and how to implement COVID status certification schemes, or ‘vaccine passports’, has become an important topic across the globe. These schemes would allow differential access to venues and services on the basis of verified health information relating to an individual’s COVID-19 risk, and would be used to control the spread of
COVID-19.

There is a diversity of approaches being pursued across the world, for multiple purposes. Some countries and states are moving ahead unilaterally: Israel, Denmark and New York State are already rolling out COVID vaccine passports, and the United Kingdom is undertaking a
review into whether to implement a passport system.²

For use in international travel and tourism, groups like the Commons Project and the International Air Transport Association are developing applications for vaccine passports; the European Union has set out its plans for a Digital Green Certificate to enable travel within the bloc; and the World Health Organisation is developing a digital version of its International Certificate of Vaccination or Prophylaxis for use with COVID-19.

In this report, the Ada Lovelace Institute aims to clarify the key considerations for any jurisdiction considering whether and how to implement digital vaccine passports to control the spread of COVID-19.

Most of the evidence we received came from or focused on the United Kingdom, Europe and north America, so our requirements for socially beneficial vaccine passport schemes are likely to be particularly relevant to liberal democracies.

We use ‘vaccine passports’ as an imperfect umbrella
term to encompass digital certification schemes that use
one or more of vaccination record, test result or ‘natural immunity’

Defining ‘vaccine passports’

Finding the right phrase to describe these new forms of digital certification is difficult. ‘Passports’ may be more helpful than ‘certificates’ in that they imply that an individual’s status means something in terms of what they can access, rather than simply recognising that an event (a vaccination) has taken place. But they can also be confusing given conversations are happening about both international travel and domestic uses.

When schemes based on an individual having recovered from COVID-19 were first discussed, they were known as ‘immunity passports’ or ‘immunity certificates’. But the term ‘immunity’ was problematic for at least two reasons: proof of recovery from the disease was an imperfect proxy at best for immunity, with evidence still emerging about how protected a recovered patient might be; and the term ‘immunity’ itself has different meanings in individual and collective contexts (whether it protects an individual and to what extent, and whether it protects those they come into contact with).

Many countries and schemes, e.g. Israel’s domestic scheme and the European Union’s proposed scheme for travel, refer to ‘green pass’ or ‘green certificate’. This focuses on the authorisation part of the scheme – like a traffic light – rather than the health information aspect.

Most recently, ‘vaccine passports’ or ‘vaccine certification’ have become common. As described above, a variety of tests are now being used as part of existing and proposed systems, so the term can be misleading as it suggests that only vaccination will provide an individual with access and other benefits. Acknowledging this complexity, we have chosen to
use ‘vaccine passports’ as an imperfect umbrella term to encompass digital certification schemes that use one or more of vaccination record, test result or ‘natural immunity’.

For the purposes of this study, a digital vaccine passport as defined here consists of four component functions and purposes:

• health information (recording and communication of vaccine status or test result through e.g. a certificate)
• identity information (which could be a biometric, a passport, or a health identity number)
• verification (connection of a user identity to health information)
• authorisation or permission (allowing or blocking actions based on the health and identify information).

Modelling individual risk will always require simplification of a messier underlying reality that involves missing or inaccurate information

This definition extends the function and purpose beyond a digital vaccination record, to enable healthcare providers to know which vaccine doses to administer when. Sharing this verified health information through a vaccine passport is intended to provide information about an individual’s COVID-19 risk, both to themselves and to others, and to assess that information to make decisions about access and movement.

Modelling individual risk will always require simplification of a messier underlying reality that involves missing or inaccurate information, and uncertainty in how to interpret the information available. The question is whether those proxies for risk, despite their flaws, can enable individuals and third parties to distinguish between individuals who are more or less at risk of being infected with and spreading COVID-19.

Most models currently focus on displaying binary attributes (yes/no) of some combination of four different types of risk-relevant COVID-19 information:

• A status based on medical process, evidenced through:
  • vaccination records, including data, type and doses
  • proof of recovery from COVID-19, e.g. receiving a positive PCR
    test, completing the requisite period of self-isolation and being
    symptom free.
• A status based on direct observation of correlates of risk, evidenced
  through:
  • negative virus test results
  • antibody test results.

Other schemes might provide a more granular or ‘live’ assessment of risk by incorporating information such as background infection rates, demographic characteristics of users, or users’ underlying health conditions. These schemes are not covered in this report, although many of the points below can also relate to models that provide a stratified assessment of risk and subsequently more differentiated access.

However we choose to identify them, vaccine passports must be considered as part of a wider sociotechnical system – something that goes beyond the data and software that form the technical application (or ‘app’) itself, and includes: data; software; hardware and infrastructure; people, skills and capabilities; organisations; and formal and informal institutions.³

Identifying these components highlights how any successful system needs to consider not just the technical design questions within the app itself, but how it interacts with wider complex systems. Vaccine passports are part of extensive societal systems, like a public-health system that includes test, trace and isolate services, behavioural guidance on mask wearing and social distancing, or a wider biometrics and digital ID ecosystem.

How any sociotechnical system should be designed, what use cases are appropriate, what legal concerns need to be considered and clarified, what ethical tensions are most relevant, what publics deem acceptable and legitimate, and what future risks any system runs, are all questions that will need to be resolved within the particular context policymakers and developers are operating in.

A brief history of health-based, differential restrictions and vaccine certification

Discussions of vaccine certification are not unique to COVID-19. They have been around for as long as vaccines themselves – such as smallpox in pre-independence India.⁴ The idea of ‘immunoprivilege’ – that citizens identified as having immunity against certain diseases would enjoy greater rights and privileges – also has a long history, such as the status of survivors of yellow fever in the nineteenth-century United States.⁵

Yellow fever is the most commonly referenced example of existing vaccine certification for a specific disease. The International Certificate of Vaccination or Prophylaxis (ICVP), also known as the Carte Jaune or Yellow Card, was created by the World Health Organisation as a measure to prevent the cross-border spread of infectious diseases.⁶

Although it dates back in some form to the 1930s, it has been part of the International Health Regulations since 1969 (and was most recently updated in 2005). The regulations remove barriers to entry for anyone who has been vaccinated against the disease. Even when travelling from a country where yellow fever was endemic, showing a Yellow Card would mean someone could not be prevented from entering a country because of that disease.⁴

There are some important differences between yellow fever and COVID-19: yellow fever vaccines are highly effective and long lasting, while COVID-19 vaccines are still being developed and there is not yet evidence to show how long they are effective for. Transmission is also different: yellow fever spreads via vectors (infected mosquitoes) rather than directly from person to person, which is why there are no global outbreaks of yellow fever and it is easier to control the disease.⁸

In May 2021, yellow fever is the only disease that is expressly listed in the International Health Regulations, meaning that countries can require proof of vaccination from travellers as a condition of entry. But there have been others, including smallpox (removed after the disease was eradicated), cholera and typhus, both removed when it was decided vaccination against them was not enough to stop outbreaks around the world. The certificate has, historically, been paper-based, but there had been proposals and advocacy to digitise the system even before
COVID-19.⁹

A brief history of COVID status certification

At the start of the pandemic, a number of countries demonstrated interest in some form of ‘immunity passport’ based on natural immunity and antibodies after infection with COVID-19 to restore pre-pandemic freedoms (including Germany and the UK, and a pilot in Estonia), but a
lack of evidence about the protection acquired through natural immunity meant few schemes were used in real-world scenarios.¹⁰

The WHO has shifted its stance by announcing plans to develop a digitally enhanced International Certification of Vaccination

In April 2020, the World Health Organisation (WHO) put out a statement saying there was ‘not enough evidence about the effectiveness of antibody-mediated immunity to guarantee the accuracy of an ‘immunity passport’ or “risk-free certificate”’, and that ‘the use of such certificates may therefore increase the risks of continued transmission’.¹¹

The approval and roll-out of effective vaccines re-energised the idea of restoring personal freedoms and societal mobility based on COVID vaccinate passports. Israel implemented a domestic ‘Green Pass’ in February 2021,¹² the European Commission published plans for a Digital Green Certificate in March 2021,¹³ and Denmark began using a domestic ‘Coronapas’ in April 2021.¹⁴

The WHO has shifted its stance by announcing plans to develop a digitally enhanced International Certificate of Vaccination and has established the Smart Vaccination Certificate consortium with Estonia. However, as of April 2021, it remains of the view that it ‘would not like to see the vaccination passport as a requirement for entry or exit because we are not certain at this stage that the vaccine prevents transmission’.¹⁵

IBM has launched Digital Health Pass,¹⁶ integrated with Salesforce’s employee management platform Work.com,¹⁷ and has worked with New York State to launch Excelsior Pass.¹⁸ CommonPass, supported by the World Economic Forum, and the International Air Transport Association (IATA)’s Travel Pass are both being trialled by airlines.¹⁹

The Linux Foundation Public Health’s COVID-19 Credentials Initiative and the Vaccination Credential Initiative, which includes Microsoft and Oracle, are pushing for open interoperable standards.²⁰ A marketplace of smaller, private actors has also emerged offering bespoke solutions and infrastructures.²¹

In the UK, the Government initially appeared reluctant, saying it had ’no plans’ to introduce a scheme, and that such a scheme would be ’discriminatory’.²² Other ministers left the door open to digital passporting schemes when circumstances changed,²³ and and the Government appeared to be keeping its options open by funding a number of startups piloting similar technology, tendering for an electronic system for citizens to show a negative COVID-19 test, and reportedly instructing officials to draw up draft options for vaccine certificates for international travel.²⁴

There are intuitive attractions to the idea of a COVID vaccine passport scheme

As part of its roadmap out of lockdown in February, the Government announced a review into the possible use of certification.²⁵ This was followed by a two-week consultation and an update in April announcing trials of domestic COVID status certification for mass gatherings, theatres, nightclubs and other indoor entertainment venues.²⁶

For a comprehensive overview of international developments, see the Ada Lovelace Institute’s international monitor of vaccine passports and COVID status apps.

The hopes for vaccine passports

There are intuitive attractions to the idea of a COVID vaccine passport scheme, and particularly in the hope that a better balance could be found between economic activity and community safety, by allowing a more fine-grained and targeted set of restrictions than sweeping measures of national lockdowns. Such hopes are particularly located in the prospect of a silver bullet that may help return life to something resembling normal, after more than a year of social anxiety and economic damage.

A number of arguments have been put forward for the usefulness of
COVID vaccine passports, including:

• Public health: Those who are certified as unable to transmit the virus are allowed to take part in activities that would normally present a risk of transmission. Being able to take part in such activities, see family and friends and visit hospitality and entertainment venues will have a positive effect on wellbeing and mental health.
• Vaccine uptake: The use of certification to provide those who have been vaccinated with greater access to society could incentivise vaccination among those who are able to be safely immunised.
• Personal liberty: Enhancing the freedoms of those who have a passport to do things that would otherwise be restricted due to COVID-19 (always noting that granting permissions for some will, in relative terms, increase the loss of liberty experienced by others). This could have a particularly profound benefit for those facing extreme harm and isolation due to the virus, for example those suffering domestic abuse, or in care homes and unable to see relatives.
• Economic benefits: supporting industries struggling in lockdown (and the wider economy) by enabling phased opening, for example in entertainment, leisure and hospitality.
• International travel: a passport scheme will allow people to travel for business and pleasure, with economic benefits (particularly for the tourism industry) and social advantages (reuniting families or holidays).

Science and public health

The first question to ask of a COVID vaccine passport system is whether an individual’s status conveys meaningful information about the risk they pose to others

The foundation of any COVID status certificate or ‘vaccine passport’ is that it allows stratification of people by COVID-19 risk and therefore allows a more fine-grained approach to preserving public health, keeping the community safer with fewer restrictions. Vaccine passports allow only those who pose an acceptably lower risk to others to take part in activities that would normally present a risk of transmission, e.g. working in care homes, travelling abroad, or entering venues and events such as pubs, restaurants, music festivals or sporting fixtures.

Therefore, the first question to ask of a COVID vaccine passport system is whether an individual’s status, for example that they have been vaccinated, conveys meaningful information about the risk they pose to others? Does the scientific evidence base we have on COVID-19 vaccines, antibodies and viral testing, support making that link, and if so, how certain should we be about an individual’s risk based on those proxies?

The development and deployment of a significant number of viable vaccines in just over a year is a remarkable scientific achievement. Tests have also rapidly improved in quality and quantity, and scientific understanding of COVID-19 infection and transmission has improved greatly since the beginning of the pandemic. In spite of these inventions and innovations, unfortunately the novelty of the disease means the answers to significant questions are still uncertain.

Vaccination and immunity

Our knowledge of COVID-19 vaccine efficacy against different its strands and immunity following an infection continues to evolve. Key questions about vaccines include:

• What are the effect of vaccines on those vaccinated?
• What are the effect of vaccines on spreading the disease to others?
• What is the efficacy of vaccines against different emerging variants?
• What is the efficacy of vaccines over time?

Our expert deliberative panel expressed concern about developing any system of COVID vaccine passport based on proof of vaccination while so much is still unknown – as systems could be built on particular assumptions that would then change. Any system that was developed would have to be flexible enough to deal with emerging evidence.

One certainty is that no vaccine is currently entirely effective for all people. Although evidence is encouraging that the current COVID-19 vaccines offer strong protection against serious illness, vaccination status does not offer conclusive proof that someone vaccinated cannot become ill.

The evidence is even more emergent on the effect of vaccines on the transmission of COVID-19 from one person to another. Any public health argument in favour of introducing vaccine passports relies on evidence that someone being vaccinated would protect others, but this remains unclear.²⁷

A vaccine can provide different types of immunity:

• Non-sterilising immunity, where an infected individual is protected from the effects of the disease but can still transmit it (and may instead have an asymptomatic case where previously they would have displayed symptoms).²⁸
• Sterilising immunity, where a vaccinated person does not get ill themselves and cannot transmit the disease.

Experts in our deliberation identified a ‘false dilemma’ in discussions about the efficacy of these different types of immunity: even a population vaccinated with ‘non-sterilising’ immunity should still prevent the disease spreading, as infected individuals will have weaker forms of it and fewer ‘virions’ (infectious virus particles) to spread. Emerging evidence suggests that ‘viral load’ is lower in vaccinated individuals, which may have some effect on transmission, and one study (in Scotland) found the risk of infection was reduced by 30% for household members living with a vaccinated individual, but much remains unknown.²⁹

An issue raised in the deliberation was that focusing on individual proof of vaccination might underemphasise the collective nature of the challenge. Vaccination programmes aim at (and work through) a population effect: that when enough people have some level of protection, whether through vaccination or recovery from infection, the whole population is protected through reaching herd immunity. Even following vaccination, the UK Government’s Scientific Advisory Group for Emergencies offers caution: ‘Even when a significant proportion of the population has been vaccinated lifting NPIs [non-pharmaceutical interventions, like social distancing] will increase infections and there is a likelihood of epidemic resurgence (third wave) if restrictions are relaxed such that R is allowed to increase to above 1 (high confidence)’. This pattern of vaccination and infection may be occurring in Chile, where high vaccination rates have been followed by a surge in cases.³⁰

Different vaccines have different levels of efficacy when it comes to protecting both the person receiving the vaccination and anyone they come into contact with. This is partly due to vaccines having different levels of effectiveness, based on differently underlying technologies.

As of May 2021, 12 different vaccines are approved or in use around the world, utilising messenger ribonucleic acid (mRNA), viral vectors, inactive coronavirus, and virus-like proteins:³¹

Vaccines approved for use, May 2021

Different levels of efficacy will also be partly due to different individuals responding differently to the same vaccine – the same vaccine may be effective in protecting one recipient and less so in protecting another.

The efficacy of the vaccines may change with different variants of the disease. There are concerns that some vaccines, for example the current Oxford-AstraZeneca vaccine, may be less effective against the so-called South African variant.³² There will continue to be mutations in COVID-19, such as the E484K mutation which has been found in the Brazilian, South African and Kent strains of the disease (this is an ‘escape mutation’ which can make it easier for a virus to slip through the body’s defences) and the E484Q and L425R mutations present in many cases in India.³³ Such mutations make understanding of vaccination effects on individual transmission a moving target, as vaccines must be assessed against a changing background of dominant strains within the population.

Booster vaccinations against variants may help manage the issue of strains. It is possible these may be necessary, as the efficacy of vaccines against any strain may change over time; the WHO has said, it is ‘too early to know the duration of protection of COVID-19 vaccines’.³⁴ With the disease only just over a year old and the vaccines having deployed only in the last few months, it will be some time before conclusive evidence is available on this.

Any vaccine passport system would need to be dynamic – taking into account the differing efficacy of different vaccines, known differences in efficacy against certain variants and the change in efficacy over time – as well as representing the effect of the vaccine on the individual carrying a vaccine passport.

There are also questions about any lasting immunity acquired by those recovering from COVID-19. The WHO has noted that while ‘most people’ who recover from COVID-19 develop some ‘period of protection’, ‘we’re still learning how strong this protection is, and how long it lasts’.³⁵

Inclusion of testing

A number of COVID vaccine passport schemes in development (and the UK Government’s review into what it calls COVID status certification) may allow a combination of three characteristics to be recorded and used in addition to vaccination: recovery from COVID-19, testing negative for COVID-19, or testing positive for protective antibodies against
COVID-19.

We can group these characteristics into statuses based on medical process, and those based on medical observation.

Status based on medical process includes vaccination status and proof of recovery from COVID-19. In both cases, a particular event – recovering from an infection or having a vaccination – that might have some impact on an individual’s immunity is taken as a proxy for them posing less risk. As described above, the potential efficacy of this must be understood in the context of what remains unknown about an individual’s ability to spread the disease, their own immunity and the change in their immunity over time.

Status based on medical observation – or direct observation of results correlating to risk – includes two forms of testing: a negative test result for the virus, or a positive test result for antibodies that can offer protection against COVID-19.³⁶ Incorporating robust tests might provide a better, though very time-limited, measure of risk (the biggest challenges to this would be practical and operational). Status based on test results would also avoid the need for building a larger technical infrastructure, particularly one involving digital identity records. But current testing mechanisms do have drawbacks.

There are two main kinds of diagnostic tests that could be used for negative virus test certification:

1. Molecular testing, which includes the widely used polymerase chain reaction (PCR) tests, detect the virus’s genetic material. They are generally highly accurate at detecting negative results (usually higher than 90%), but their exact predictive value depends on the background rate of COVID-19 infection,³⁷ and depends on the point in the infection that the test is taken.³⁸ These tests often detect the presence of coronavirus for more than a week after an individual stops being infectious. They also need to be processed in a lab – during which time an individual may have become infected and infectious.
2. Antigen testing, which includes the rapid lateral flow tests used in the UK Government’s mass-testing programmes, detect specific proteins from the virus. If someone tests positive, the result is generally accurate – but as these types of test only detect high viral loads, positive cases can be missed (a ‘false negative’) particularly when self-administered. Certificates based on antigen tests are likely to have a high degree of inaccuracy – tests might be useful in screening and denying (a ‘red light’), rather than allowing (a ‘green light’ test), entry to individuals at a specific point in time. They are unlikely to be useful for any kind of durable negative certification.

Antibody tests, meanwhile, confirm that an individual has previously had the virus. There are two sources of variability from these tests. First, people may have variable antibody response when they are infected with COVID-19 – while most people infected with SARS-CoV-2 display an antibody response between 10 and 21 days after being infected, detection in mild cases can take longer, and in a small number of cases antibodies are not detected at all.³⁹ Second, the tests themselves are not completely accurate, and the accuracy of different tests varies.⁴⁰

It also remains unclear how an individual antibody test result should be interpreted. The European Centre for Disease Prevention and Control advises that it is currently unknown, as of February 2021, whether an antibody response in a given infected person confers protective immunity, what level of antibodies is needed for this to occur, how this might vary from person to person or the impact of new variants on the protection existing antibodies confer.⁴¹ The longevity of the antibody response is also still uncertain, but it is known that antibodies to other coronaviruses wane over time.⁴²

Questions remain as to how viable rapid and highly accurate testing is, particularly those that can be completed outside a lab setting. Although a testing regime allowing entry to venues could avoid a number of the challenges associated with using vaccination status (extensive technical infrastructure and access to health data, possible discrimination against certain groups) it also provides practical and logistical challenges – from administering such tests for access to a sporting event or hospitality venue, to the feasibility of regularly testing children – as well as there being uncertainty around the accuracy of tests.

Risk and uncertainty

At a time when uncertainty – about vaccine efficacy, when life will return to ‘normal’ and much else besides – is endemic, it is natural that politicians, policymakers and the public alike are grasping for certainty. There may be a danger in seeing COVID vaccine passports as a silver bullet returning us quickly to normality, with passports suggesting false binaries (yes/no, safe/unsafe, can access/cannot access) and false certainty, at a time when governments need to be communicating uncertainty with humility and encouraging the public to consider evidence-based risk. Our expert panel raised concerns that the UK Government saying it was ‘led by the science’ brought disadvantages, encouraging a simplistic view of it being infallible and squeezing out space for nuance and debate.

Conveying a proper sense of uncertainty and risk will be important as individuals make decisions about their own health that may also have an impact on collective public health. For example, if I have been vaccinated, but know there is a chance it may not be fully effective, how does that change how I assess the risk to me in engaging in certain behaviours?
What information will I need to also assess my risk of spreading the disease to others? Is it useful for a venue that admits me to understand that a passport may provide a false sense of certainty that I do not have or cannot easily spread the disease?

Any reliance on proof that the process of vaccination has been completed will also require careful consideration about the actual change in risk as a result of that system: experts raised the risk that use of passports could increase the spread of the disease, as individuals who believe themselves to be completely protected engage in riskier behaviour. A review of the limited evidence so far suggests vaccine passports could reduce other protective behaviours.⁴³

While vaccine passports could make people more confident in some areas, for example by providing reassurance to vulnerable people who have been isolating, it could also slow down the return to normality by suggesting to some that their fellow citizens are a permanent threat.
Creating categories of ‘safe’ and ‘unsafe’ that could continue to keep risk salient in people’s minds even once the risk is reduced (for example a risk closer to that of flu: dangerous but not overwhelmingly so) could be counterproductive to reopening and restarting society and the economy.

Recommendations and key concerns

If a government wants to roll out its own COVID vaccine passport system, or permit others to do so, there are some significant risks it needs to consider and mitigate from the perspective of public health.

The first is that vaccine passport schemes could undermine public health by treating a collective problem as an individual one. Vaccine passport apps could potentially undermine other public health interventions and suggest a binary certainty (passport holders are
safe; those without are risky) that does not adequately reflect a more nuanced and collective understanding of risk posed and faced during the pandemic. It may be counterproductive or harmful to encourage risk scoring at an individual level when risk is more contextual and collective – it will be national and international herd immunity that will offer ultimate
protection. Passporting might foster a false sense of security in either the passported person or others, and increase rather than decrease risky behaviours.³⁵

The second is the opportunity cost of focusing on COVID vaccine passport schemes at the expense of other interventions. Particularly for those countries with rapid vaccination regimes, there may be a comparatively narrow window where there is scientific confidence about the impact of vaccines on transmission and enough of a vaccinated population that it is worth segregating rights and freedoms. Once there is population-level herd immunity or COVID-19 becomes endemic with comparable risks to flu, it will not make sense to differentiate and a vaccine passport scheme would be unnecessary.

COVID vaccine passport schemes bring political, financial and human capital costs that must be weighed against any benefits. They might crowd out more important policies to reopen society more quickly for everyone, such as vaccine roll-out, test, trace and isolate schemes, and other public health measures. Focusing on vaccine passports may give the public a false sense of certainty that other measures are not required, and lead governments to ignore other interventions that may be crucial.

 

Purpose

It is important that governments state
the purpose and intended effect of any COVID vaccine
passport scheme

It is important that governments state the purpose and intended effect of any COVID vaccine passport scheme, to give clarity both to members of the public as to why the scheme is being introduced and to businesses and others who will need to implement any scheme and meet legal requirements in frameworks like data protection.

It is hard to model, assess or evaluate vaccine passports at a general level so governments will need to state the purpose of any system, what it will be used for and, crucially, what will not be included in any such system, i.e. if particular groups will be exempt, or if particular settings will
be off-limits.

Use cases

In debates, particular use cases have focused on international travel, indoor entertainment venues and employment.

International travel

Some organisations, like the Tony Blair Institute, have argued that the way to navigate allowing people to travel internationally again will be for travellers to show their current COVID-19 status – either a proof of vaccination or testing status.⁴⁵ Already, many countries require proof
of vaccination, proof of recovery or negative COVID-19 test results as a requirement for entry. Much of the industry focus for vaccine passports has been on airports and international travel.

International travel already has existing norms around restricting entry to places at specific checkpoints, based on information contained in passports, and the infrastructure to support such a system. Further, passports are already linked to biometrics and sometimes to digital
databases, as with the USA’s ESTA visa.

In these circumstances, countries will have an obligation to provide their citizens with proof of vaccination in order to allow them to travel to countries that require it. Once a system is in place to allow proof of vaccination for travel to some countries, the marginal cost for further
countries to require proof lowers, and there is a normalised precedent set by other travellers. It is easy to see international COVID vaccine passport schemes come into place even if initially only a small number of countries strongly support them.

The WHO maintains that they do not recommend proof of COVID-19 vaccination as a condition of departure or entry for international travel.⁴⁶ However, the WHO is consulting on ‘Interim guidance for developing a Smart Vaccination Certificate’.⁴⁷ The question of COVID vaccine passport systems for international travel seems now to be resolving around standard-setting, ensuring equity and establishing the duration of the scheme, rather than whether such schemes should exist at all.

Indoor entertainment venues

Indoor entertainment venues such as theatres, cinemas, concert venues and indoor sports arenas all have similar characteristics. with large groups of people coming together and remaining seated or standing in close proximity for hours. This means they are both higher risk and discretionary activities, which many countries have focused on as an opportunity to allow opening, or to reassure customers in attending.

Examining the use case of opening theatres only to those with some form of COVID status certification highlights how many of the logistical issues might play out in a particular context. First, there will be other activities related to the theatre trip – particularly using public transport
to reach the venue, or meeting in a pub beforehand. One of the UK Government’s scientific advisory bodies considered these may pose a higher transmission risk than the activity itself.⁴⁸

Second, there will be practical and logistical challenges at the theatre. Because tickets are sold through secondary sellers as well as by the venue, it is likely that status could only be checked at the theatre on arrival. Any certification system would need to be available to all visitors,
including international ones. If tests at the venue could also be used to permit entry, there would be logistical challenges (for example, where would the tests be administered, and by whom?) that could make the cost prohibitive for theatres.

The increasing role many theatres and arts organisations play in their community could also suffer. Disparities in vaccine uptake, particularly between communities of different ethnicities, could mean COVID vaccine passports are counterproductive to theatre’s goals of inclusivity and acting as a shared public space. According to one producer, ‘the application of vaccine passports for audiences are likely to fundamentally alter a relationship with its local community.’⁴⁹

Others in the arts,⁵⁰ sport and hospitality acknowledge these challenges but believe they can be overcome. In the UK, a number of leading sports venues and events – including Wimbledon (tennis), Silverstone (motor racing), the England and Wales Cricket Board and the main football and rugby leagues – have welcomed the Government’s review and would welcome early guidelines to support planning.⁵¹

Employment (and health and safety)

Employment-related use cases discussed in the media include proposals that frontline workers, particularly in health and social care, would have to be vaccinated to work in certain settings (especially in care homes). Other employers – such as plumbing firm Pimlico Plumbers in the UK – have suggested they may only take on new staff who have been vaccinated.⁵² Staff may feel more comfortable returning to work, knowing that colleagues have been vaccinated. Therefore it’s an important use case for governments to address (and may have to grapple with themselves, given they are also employers).

The situation will vary from jurisdiction to jurisdiction. In the UK, the Health and Safety at Work Act (1974) requires employers to take care of their employees and ensure they are safe at work. Given that, employers might think it prudent to ask themselves whether vaccination could play a role in that process.

The ‘hierarchy of controls’ applies in workplace settings in the UK, and may also be a helpful guide for other jurisdictions.⁵³ Controls at the top of the hierarchy are most effective in protecting against a risk and should be prioritised:

• Elimination: Can the employer eliminate the risk by removing a work activity or hazard altogether? This is not currently possible in the case of COVID-19. Vaccination and even testing could not guarantee this, given the still-emerging scientific evidence on vaccine impact on transmission, and possible false negatives in testing.
• Substitution: Can the hazard be replaced with something less hazardous? Working from home rather than at the place of work would count as a substitution.
• Engineering controls: This refers to using equipment to help control the hazards, such as ventilation and screens.
• Administrative controls: This involves implementing procedures to control the hazards – with COVID-19, these might include lines on the floor, one-way systems around the workplace and social distancing.
• Personal protective equipment (PPE): This is the last line of defence, to be tried only if measures at all other levels have been tried and found ineffective. Even if one argued that a vaccine counted as PPE, it would only be a last line of defence, and no substitute for employers taking other actions first.

In most settings, it is likely to be difficult for an employer to argue that vaccination could be a primary control in ensuring the safety of most workplaces. Other measures, such as social distancing, better ventilation and allowing employees to work from home, are higher up the hierarchy and likely to deliver some benefits.

There may be some workplace settings where different considerations might apply – for example, in healthcare. The UK Government has suggested that care home staff might be required by law to have a COVID-19 vaccination, and is consulting on the issue.⁵⁴ Many have
cited hepatitis B vaccination as a precedent. However, this is not legally required in the way many people have understood – it is a recommendation of the Green Book on immunisation that many health providers have considered proportionate and therefore require their staff
to have as part of their health and safety guidance.⁵⁵ This will vary across workplaces: if an employer carried out a risk assessment that found that employees had to have a vaccination, proportionality would depend on the quality of the risk assessment.⁵⁶ There may be other examples of measures being considered proportional in some work settings but not in others – for example, regularly testing staff working on a film or television production might be sensible, given that any outbreak would shut the production down at huge cost, but not in an office, where other measures can be taken.

What would happen if an employer tried to implement a ‘no jab, no job’ policy, where someone could not work without a vaccine? The UK’s workplace expert body, ACAS (the Advisory, Conciliation and Arbitration Service), recommends that employers should:

• not impose any such decision, but discuss it with staff and unions (where applicable)
• support staff to get the vaccine, rather than attempting to force them to do so
• put any policy in writing and ensure it is in line with existing organisation policies (for example, disciplinary and grievance policies), and probably do so after receiving legal advice.⁵⁷

Discussions with employees should also surface any other concerns. These may include scope creep – employees might be concerned that employers will want further information – including why an employee might not be able to receive a vaccine – which might require disclosing personal information (pregnancy for example) or perhaps other personal data (such as venues an employee had checked into). Once an employer has invested in a system, there may be concerns as to what else they might want to use it for – there are concerns about growing workplace surveillance in general,⁵⁸ especially given the changes made to working patterns by the pandemic. There may also be concerns that if an employer tried to require vaccination, they could also require (for example) that employees return physically to the office rather than being able to work from home.

If any certification system is more than temporary, other concerns include new forms of discrimination opening up – what if an employee cannot have the vaccine, is therefore banned from business travel, and is passed over for promotion opportunities as a result?

A ‘no jab, no job’ employer could face the risk of legal action in the UK, particularly on discrimination grounds – because not everyone can make particular choices to have the vaccine. The UK Government’s equalities body, the Equality and Human Rights Commission, has suggested such a policy may not be possible.⁵⁹ Creating a COVID vaccine passport that was used to relax other health and safety measures could also pose rights concerns, particularly for staff in high contact face-to-face services such as hospitality or education.⁶⁰ If evidence reveals that COVID vaccine passport schemes have a limited impact in controlling the spread of the virus, those who have become infected as a result of vaccine passport use, and then developed serious or even fatal illness may have had their right to life (Article 2 ECHR) or right to respect for private and family life (Article 8 ECHR) violated.

The European Court of Human Rights has previously ruled that if a government knowingly failed to take measures to protect workers from workplace hazards, there would be a violation of the right to life (if the worker died from the hazard) or the right to respect for private and family life (if the worker developed a serious disease).⁶¹ In this case, the workplace hazard would be the risk of infection from other members of staff and their customers. Of course, if the certification scheme demonstrably improved the safety of staff compared to existing COVID-19 mitigation measures, there is the possibility of a reversed scenario, where government and employers have an obligation to introduce such schemes to protect their employee’s right to life and right to respect for private and family life.

All this underlines the importance of having clear scientific evidence about the impact of vaccinations on an individual’s risk to themselves and their risk of transmission to others, before schemes are implemented. This would allow concerns to be properly weighted, legal
clarification to be given, and risks to be clearly communicated. It also underlines the need for employers to be given legal clarity and guidance from governments on what they can and should (and cannot and should not) do. Otherwise, the burden of decision and implementation will fall on many workplaces already stretched by the pandemic, and leave employees relying on the decisions made by their employers.

Exemptions and exceptions

It is also important to consider what use cases are undesirable and unacceptable and thus should be explicitly prohibited by governments.

Places

Some places are essential to an individual’s participation in society. For example, many countries judged supermarkets so essential that they remained open even during the tightest lockdown restrictions. Essential venues may include but are not limited to:

• supermarkets and other essential retail, e.g. pharmacies or home repair
• medical establishments, e.g. GPs, hospitals, other clinics
• the justice system, including courts and police stations.

Public support for certification in these and similar settings tends to be lower than for what might be considered more ‘discretionary’ activities, such as international travel, sporting events, gyms and entertainment, and hospitality venues (see Public legitimacy). But there are trade-offs to be made when considering these venues, too, such as mental health and economic benefits.

People

As well as particular places, there may be particular groups of people who could be considered for exemptions, with medical or other reasons making it difficult or impossible for them to be vaccinated. Recommendations are changing for some vaccines, but currently these might include, but are not limited to:

• pregnant women
• children
• the immunocompromised
• those with learning disabilities who are unable to be vaccinated or
  tested regularly.

In Israel, children under the age of one were excluded from their vaccine passport scheme, but those between the age of one and sixteen were unable to access the Green Pass system via vaccination and could  only use it if they could provide proof of recovery from COVID-19.⁶² In contrast, the Danish Coronapas system, which does provide a testing alternative for those who are not yet vaccinated, has chosen to exempt children under 15 from the scheme.⁶³

Law, rights and ethics

The introduction of any vaccine passport system inevitably intersects with a wide range of legal concerns

The introduction of any vaccine passport system inevitably intersects with a wide variety of legal concerns, including equality and discrimination, data protection, employment, health and safety, and wider human rights laws. Any scheme will also have to make clear trade-offs between ethical and societal commitments, and this will be complicated by intersections between legal concerns and broader ethical and societal concerns. These are likely to manifest in the domain of rights; on questions of individual liberty, societal equity and fairness; risks of new forms of stratification and discrimination, both within societies and across borders; and new geopolitical tensions.

In this chapter we examine these legal, ethical and rights concerns in context.

Legal systems are inherently specific to their jurisdictions. There is some commonality across legal regimes, arising from shared histories, international agreements, and from many jurisdictions’ responses to similar issues over time. For example, the International Bill of Human
Rights and its constituent parts, the Universal Declaration of Human Rights (UDHR), the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic Social and Cultural Rights (ICESCR) form an international framework that informs and underpins the legal protection of human rights in jurisdictions around the
world.⁶⁴

As described above – much of the evidence compiled in this report represents laws operating in the UK and Europe. Comparing the legal dimensions of certification schemes across jurisdictions is beyond the scope of this report, but given the international alignment on human rights, some analysis may be transferable to jurisdictions not directly considered here.

Similarly, the view below represents a broadly Western set of ethical and social values. The findings may be useful to other jurisdictions, recognising that alternative conditions and cultures may represent substantially different concerns, or take universal issues and interpret or weight them differently.

Further, counterfactual possibilities are an important consideration in ethical analysis of COVID status certification systems. These systems will only represent one policy intervention in a full complement of public health, economic and social policy that governments can make to mitigate the effects of the pandemic. The feasible alternatives to COVID vaccine passports that are under consideration by governments – for example whether to continue full lockdowns, implement slower general reopening or propose a full reopening against different background risks from COVID-19 – are therefore important in any analysis of their ethics,
in evaluating the marginal economic, societal and health benefits and harms.⁶⁵

Principal areas of debate have focused on personal liberty, privacy and other human rights, fairness, equality and non-discrimination, societal stratification and international equity.

Personal liberty

Over the last year, civil liberties have been restricted in the form of lockdowns and other public health restrictions. During a pandemic, this is justified by the fact that an infected person can cause harm and death to others. For COVID-19 in particular, widespread transmission in
communities and high rates of transmission without symptoms means that an individual’s risk to others is difficult to determine, and therefore universal restrictions are justified to prevent harm to others.³⁵

Some bioethicists have argued that there are strong ethical arguments in favour of COVID status certification systems that use antibody tests and/or proof of vaccination.⁶⁷ They argue that these COVID status certification systems represent the least restrictive option for individual liberties, without causing additional harm to others, when compared to other pandemic responses such as lockdowns. They argue that those
who can demonstrate that they are highly unlikely to spread COVID-19 no longer pose a risk to others’ right to life, and so it is unjustified to restrict their civil liberties.

The argument centres on an individual being able to prove that they are not a substantial risk to others, through proof of vaccination or antibodies, to lift restrictions on that individual’s liberty. This argument does not necessarily require vaccination or natural immunity to COVID-19 to be perfect: we commonly accept a level of risk in our everyday lives, for example infectious diseases like flu are considered to be a tolerable risk, to be managed without additional restrictions.

This argument requires a vaccine or natural immunity to reduce risk to an acceptable level to remove the justification for restrictions. The strength of this argument therefore turns on what level of risk is acceptable for a given society, the impact vaccinations and antibodies have on
transmission and therefore risk to others, and the degree of certainty we are willing to accept in the evidence on transmission.

If all those conditions can be met, then COVID status certification is argued to represent a ‘pareto’ improvement on lockdown measures for some people without others’ situation worsening, i.e. they expand the number of people who can exercise their personal liberty without infringing on the liberties of others or increasing the risk of harm to others.

Any COVID status certification scheme should also ensure it does not arbitrarily interfere with individual human rights, in particular the right to respect for private life, the rights to freedom of assembly and movement and the right to work.

State sanctioned systems which require the collection and disclosure of personal information fall within the scope of the right to privacy guaranteed by provisions such as Article 8 of the ECHR and implemented in national laws, e.g. in the UK, under the Human Rights Act
1998.⁶⁸ Vaccine passport systems which rest on the generation, collation and dissemination of sensitive personal health information, and which may also permit monitoring of individuals’ movements by a range of actors, will be permissible when they are in pursuit of legitimate aims that justify interference with the right, including ‘the protection of health’ and ‘the economic well-being of the country’. However, even if these aims are clearly being pursued, any interference with this right must satisfy the cumulative tests of legality, necessity and proportionality:⁶⁹

• The legality test requires that COVID status certification schemes interfering with the right to respect for private life must have a basis in domestic law and be compatible with the rule of law.
• The necessity test demands that the measures adopted address a pressing social need.
• The proportionality test requires that the measures taken by public authorities are proportionate to the legitimate aims pursued and entail the least restrictive viable solution.

COVID status certification schemes may well be able to meet these tests, given the scale of physical and mental harms caused by the COVID-19 pandemic, directly and indirectly, and the economic damage that has resulted. However, again, decision-makers will need to demonstrate they have sufficient scientific evidence to justify the necessity and proportionality of these schemes. Further, the requirement of proportionality necessitates transparently weighing these schemes against alternatives, such as greater investment in test, trace and
isolate schemes (e.g. additional support payments and sick pay) and considering the marginal protection to health, benefit to economic wellbeing, and restrictiveness of certification schemes.

Other human rights, including the right to work, and the freedoms of assembly and movement, may also be engaged by vaccine passport systems, and restrictions on those rights must similarly be justified in accordance with the tests for permissible limitations. The implications
of vaccine passports for the right to freedom of assembly deserve particular scrutiny, in light of the protests that have occurred since the start of the pandemic, and the responses to protests such as Black Lives Matter in summer 2020. During moments of exceptional societal
upheaval, peaceful assembly and protest remain critical tools for ensuring justice and demanding democratic accountability. Although the protection of public health constitutes a legitimate purpose to limit the exercise of such rights, there is a legitimate concern that restrictions on assembly and protest may be disproportionately applied in the name of
pandemic prevention.⁷⁰ Consideration should be given to the potential for misuse of a vaccine passport system by a government with ulterior motives, or repurposed in future by subsequent administrations.

Fairness

Arguments for and against vaccine passports centre around fairness: some have argued that until everyone has access to an effective vaccine, any system requiring a passport for entry or service will be unfair.⁷¹ Responses to this have suggested introducing proof of vaccination requirements only once vaccines are widely available, and exempting those who are not eligible to be vaccinated from the need to prove their vaccination status. (Note that, epidemiologically speaking, a system would cease to be useful once herd immunity had reached a level sufficient to protect against transmission.)⁷²

Others have argued that while it is true that COVID status certification is ‘unfair’ in the sense that only some people will be able to access them, that differential access is not arbitrary and is instead based on a genuine reduction in risk associated with those individuals who have
been certified.⁷³ Therefore, there is a legitimate reason to afford them a different treatment.

It is further argued that pandemics are necessarily unfair and responses to them, such as lockdowns, have differential effects even if the same rule is applied to all. Some can work from home in secure jobs, while others lose their jobs and businesses, and those providing healthcare and essential services are required to expose themselves to risk. This, it is argued, is unfair under another view of fairness. The debate is given further complexity by introducing choices between different kinds of unfairness and questioning whether that unfairness has a legitimate underpinning.

Some argue that benefits of COVID status certifications schemes could also spill over to those not eligible. For example, greater economic activity would allow the continued existence of hospitality, leisure and cultural venues that might have otherwise been forced to close, and
would preserve them for others to access once they become eligible for certification or once restrictions are lifted for all.

On the other hand, certification schemes may exacerbate inequalities between those who might be free to return to work or seek certain kinds of employment, and those uncertified who cannot. Existing distrust of the state, identity infrastructure and vaccines could put some groups at a particular disadvantage. Globally, access to digital technology, forms of identification, tests and vaccines is already unequal, and COVID status certification schemes may unintentionally mirror and reinforce existing inequalities without wider programmes for addressing health inequalities.

Many therefore argue that COVID status certification schemes must be accompanied by a redistribution of the resources and benefits they create, for example by providing additional support to ease the costs to those still facing restrictions, to maximise the fairness and equity of any scheme.⁷⁴

Equality and non-discrimination

COVID status certification systems discriminate on the basis of COVID-19 risk by design. The relevant legal question is therefore whether the law protects against this kind of discrimination, either directly or indirectly, and if so, whether that discrimination is proportionate (and
therefore permissible) in pursuit of other legitimate aims.

Article 1 of the Universal Declaration of Human Rights (UDHR) recognises that ‘all human beings are born free and equal in dignity and rights’. International treaties on human rights such as the ECHR operationalise the right to equality by establishing guarantees against discrimination (Article 14 ECHR).⁷⁵

In the UK, the Equality Act 2010 provides a single legal framework for the protection of equality and the right to non-discrimination. Relevant to issues of COVID status certification are protections against discrimination on the basis of:⁷⁶

• age
• disability
• pregnancy and maternity
• religion or belief
• race.

For example, a vaccination requirement allowing differential access could be challenged on grounds of indirect discrimination on the basis of age, at least until all adults have had fair opportunity to have a coronavirus vaccination. UK Government policy prioritises primarily on the basis of age, meaning that a vaccination requirement would systematically disadvantage younger members of the population. Similar legal concerns around discrimination are likely to arise in other countries with age-based vaccination prioritisation.

Even once all eligible adults have been offered a vaccine, those groups where vaccination is not recommended may still be able to claim that a vaccination requirement is discriminatory under the Equality Act 2010.

Others might be able to claim discrimination on the basis of religion or belief that requires vaccine refusal. Faith leaders across many major organised religions have endorsed COVID-19 vaccination,⁷⁷ but this won’t cover religious communities with different beliefs or interpretation of religious texts, so may legitimately claim their religious convictions require vaccine refusal and therefore argue that vaccine requirements constitute discrimination.

Finally, vaccination hesitancy has been shown to correlate with ethnic background in some communities,⁷⁸ due to distrust of the state arising from longstanding, evidenced practices of racism and injustice.⁷⁹ Requiring vaccination may therefore compound existing discrimination. This indirect discrimination is apparently one of the concerns raised with the UK Government by its equalities watchdog, the Equality and Human Rights Commission.⁸⁰

These concerns are relevant to both private- and government-provided systems. The Government may also have human rights obligations to prevent discrimination by private providers, even if the discrimination is not directly imposed by the state and instead the state simply fails to ‘protect individuals from such discrimination performed by private
entities.’⁶⁰

Some of these potential forms of discrimination would be ameliorated once there is widespread access to vaccination and if evidence emerges that vaccination is appropriate for groups currently advised against it for medical reasons. However, some discrimination will be present in any scheme based on vaccination requirements. The question for any scheme reliant on vaccine certification then becomes: if discrimination can be established on any of these grounds, is this discrimination ‘a proportionate means of achieving a legitimate aim’ under the provisions of the Equality Act 2010?⁸²

Many of these discrimination concerns can potentially be avoided if appropriate alternatives to vaccination certification are available, for example by exempting certain groups or through providing a negative viral test alternative.

Some schemes could prove discriminatory against minority ethnic communities and women with darker skin tones in particular because of the way they verify identity.⁷⁵ It has been suggested that some COVID vaccine passport schemes could use facial recognition to verify an individual’s identity.⁸⁴ Research demonstrates that commonly used commercial facial recognition products do not accurately identify Black and Asian faces, especially when trying to recognise women with darker skin types.⁸⁵ This could also lead to unlawful discrimination on grounds of race, if the products are inaccurate and there are not alternative ways to verify identity.

Societal stratification

Some bioethicists have highlighted that marginalised groups as a whole may face more scrutiny, as the creation of new checkpoints to access services and spaces may perpetuate disproportionate policing.⁸⁶

Labelling people on the basis of their COVID-19 status would also create a new categorisation by which society could be stratified, i.e. the ‘immunoprivileged’ and the ‘immunodeprived’, potentially creating circumstance for novel forms of discrimination.³⁵ This could happen informally without any certification schemes, as individuals already have access to and can share their own vaccination status, but certification schemes could increase the salience of those distinctions and amplify those distinctions by creating social situations that can only be accessed by those in possession of ‘immunoprivilege’.

This kind of immunological stratification is not without precedent. In nineteenth-century New Orleans, repeated waves of yellow fever generated a hierarchy of ‘immunocapital’ where those who survived became ‘acclimated citizens’ whose immunity conferred social, economic and political power, and ‘unacclimated strangers’ – generally those who had recently migrated to the area – were treated as an underclass. This stratification also helped to entrench existing ethnic and socioeconomic inequality.⁸⁸

International equity and stratification

There are many low-income countries that do not currently have the economic capacity to acquire all the doses needed to immunise their whole population. Even with the support of COVAX – an international scheme designed to improve access to vaccines – many countries will only be able to vaccinate their most vulnerable citizens in the near future. Furthermore there are stark inequalities in access to cold chains and transportation, as well as capacity to administer vaccines.⁸⁹

Adding to these health inequalities, people from such countries are disproportionately likely to have their freedom of movement restricted if an international vaccinate passport scheme is put in place. This will particularly affect stateless, undocumented migrants, refugees (whether
internationally or internally displaced), and similar groups who lack or even fear formal connections to governmental public health bodies.

Citizens of these low-income countries may already be discriminated against. As Dr Btihaj Ajana puts it, ‘the amalgamation of borders, passports, and biometric technologies [that] has been instrumental in creating a dual regime of circulation and an international class
differentiation through which some nations can move around and access services with ease while others are excluded and made to endure an “excess of documentation and securitisation”.’⁹⁰

For example, health practitioners and researchers from low-income countries already struggle to conduct research, share their work at conferences and undertake consultancy work in high-income countries, because of existing difficulties obtaining visas and meeting entry
requirements. International COVID vaccine passports could worsen this imbalance, making diversity and inclusion an even more difficult task in the field, and side-lining valuable expertise of academics in low-income countries.⁹¹

It is easy to see how similar problems could arise in other fields and industries, meaning that COVID vaccine passports could add another layer of discrimination to this existing system and have consequences beyond the official end of the pandemic. (We return to the future risks these systems pose in a later chapter).

The structure of the global economy may push countries whose citizens might be excluded by international COVID vaccine passport schemes into supporting their development. Many low-income countries are dependent on tourism, and thus are incentivised to support schemes in
order to restart the flow of visitors. These differential incentives play out in supranational administrations like Europe, where the main supporters of the European Union Digital Green Certificate have been countries like Greece and Spain, which are more reliant on tourism than their northern neighbours.

None of this is to condemn countries for responding to those incentives. For countries reliant on tourism, and especially lower-income ones with a comparatively younger population and fewer economic alternatives, taking on the risks of virus transmission and discrimination may be worth it for the net economic and wider health benefits. Countries should not be condemned for responding to those incentives, but the analysis of how their decisions are shaped and constrained by existing global inequities is informative.

There is already pressure on governments to acquire vaccine supplies, which in turn triggers a form of ‘vaccine nationalism’ – where richer countries are able to buy up supplies of vaccines where poorer ones can’t. Tying movement to vaccine certification could entrench existing
global inequalities, making international cooperation on any schemes even more important. International friction is especially unhelpful when vaccination is, ultimately, a global public good. Any individual country’s fate is tied to reaching international herd immunity, as we are already seeing with new strains emerging. In the present moment we are seeing tensions play out as calls are made for countries to donate the vaccines they have acquired to India as it faces a growing crisis,⁹² and debates intensify about temporarily suspending vaccine patents.⁹³

Oversight and regulation

Enforcement of existing legal protections will be carried out principally by the courts and through litigation. However, regulators and independent bodies with relevant remits, through the enforcement of existing regulation and issuance of context-specific guidance, will also have a role in legal accountability and oversight of COVID status certification systems, both before they are implemented and during any roll-out. Many use cases will also necessarily cut across multiple remits, as workplace schemes might engage data protection, contract law, equalities, and workplace health and safety concerns.

Regulators like the United Kingdom’s Information Commissioner’s Office have said they would approach a detailed COVID status certification scheme proposal in the same way they would approach any other initiative by government.⁹⁴ International forums of data protection and privacy authorities have also begun to issue pre-emptive guidance on certification systems.⁹⁵

Relevant regulators and independent bodies may include:

• data protection authorities
• national human rights institutions
• occupational Health and Safety regulators
• medical products regulators
• centres for disease control and prevention, and other public health bodies.

Certain types of domestic laws can be changed in certain countries, and international law contains derogation clauses for specific purposes. However, Governments should be on guard not to needlessly tear down Chesterton’s Fence.⁹⁶ If governments want to change a law or make a special carve-out for status certification schemes, they should know why the laws preventing it were enacted in the first place and be able to explain clearly why legal changes are necessary and proportionate, acknowledging potential unintended consequences.

Sociotechnical design and operational infrastructure

Designing any technical system requires comprehensive thinking about the human or societal as well as technological elements of a system

Designing any technical system requires comprehensive thinking about the human or societal as well as technological elements of a system, and how humans and technology interact as part of that system. For example, a car is a piece of technology – a machine made of an engine, wheels, materials and electronic systems – but its operation also involves a driver, the rules of the road, traffic safety laws and planning decisions that allow roads to be built (and much more).

Thinking about a digital vaccine passport system requires doing the technical design ‘right’, and there are many factors that contribute to that empirical judgement. There is currently no single or dominant model for these technologies, and different attributes bring distinct design options and incorporated risks into focus. New infrastructure and databases may be required, depending on existing capacity in the national context.

With some models bringing together identity information, biometrics information, health records and contact tracing data, technical design must incorporate the highest security. Some risks can be minimised to some extent by following best-practice design principles, including data minimisation, openness, privacy by design, ethics by design, giving the user control over their data, and adopting the highest standards of governance, transparency, accountability and adherence with data protection law.

But successful design and delivery will involve thinking about much more than the technical design of an app – it should involve detailed consideration of how a technical solution would fit into a broader societal context, including the full range of public health interventions. For example, it might be theoretically possible to build an app that in itself protects the privacy of the user and helps them access particular rights and freedoms, but that nonetheless causes wider societal harms through increasing stigma or new opportunities for oversurveillance of minority groups.

Whatever we call the applications themselves, COVID vaccine passports are part of a wider sociotechnical system. That is, they are part of a wider COVID status certification system that goes beyond the data and software that form the technical application itself, including:⁹⁸

• Data such as the vaccination records, identity proxies, health and location data of individuals.
• Software such as apps, verification systems, interoperability middleware, biometric systems, testing systems, databases, linkages across multiple databases and multiple jurisdictions, encryption systems.
• Hardware and infrastructure such as verification kiosks or scanners, servers and cloud storage, mobile phones, linkages to testing and vaccination procedures.
• People, skills and capabilities such as skilled operators, medical experts and their expertise, compliant individuals and populations, regulators, enforcement services such as border control and the police, IT professionals, standards bodies, infrastructure firms, services firms, marketing and public information, democratic engagement and deliberation, legal professionals.
• Organisations such governments, global governance organisations, firms, lobby groups, unions.
• Formal and informal institutions such as laws, regulations, standards and enforcement mechanisms, accountability structures.

At another level, these COVID vaccine passport systems are part of wider societal systems. For example, they are one part of a wider public health system, where consideration needs to be given to how they interact with other interventions and mitigation measures, for example
their behavioural impacts on mask wearing and social distancing, or diversion of attention and resources away from other parts of the vaccination programme or from test, trace and isolate schemes.

If introduced, vaccine passports would also be part of a wider emerging system of digital identification and the roll-out of biometrics into everyday life around the world. In this context, they need to be considered in relation to how their implementation might accelerate the
development and implementation of these schemes without sufficient public engagement or response to public concerns, and the risks that accompany embedding technologies that are hard to roll back into everyday life.

Finally, they will require practical and operational overheads to work – whether that’s scanners to read QR codes at venues, additional staff at the door to check passports, access to wifi at vaccination centres, or adequate testing capacity so that test results can be turned around
quickly enough to be of practical use.

In a multipurpose system and in the face of such complexity – that everything is connected to everything else, and that any intervention will have uncertain and unpredictable outcomes – it might be tempting to assume evaluation of any individual intervention will be almost impossible.³ Instead, those considering implementing or condoning these systems, and governments in particular, must investigate the nature and the strengths of these connections, gather empirical evidence, and then assess whether that evidence justifies policy action
while being transparent about the uncertainties involved.

We will look at technical and sociotechnical design in turn, and form recommendations and key concerns in response to both technical design and the context of the wider societal system.

Technical design

There are currently several options for the technical design and roll-out of vaccine passports, and this makes decision-making particularly difficult. Where the debate about contact tracing apps focused on two very different models – decentralised systems (where data stayed on
individuals’ phones) and centralised systems (involving central servers), there is no equivalent binary choice in the vaccine passport debate. What is emerging is a range of solutions being proposed and developed, and divergent approaches to delivery (see our international monitor for specific models under development around the world).¹⁰⁰

Vaccine passport taxonomies

Any vaccine passport system will have the following common components:

1. health information (recording and communication of vaccine status or test result through e.g. a certificate)
2. identity information (which could be a biometric, a passport, or a health identity number)
3. verification (connection of a user identity to health information)
4. authorisation or permission (allowing or blocking actions through based on the health and identify information).

That brings into focus the number of distinct roles operating within the system, including:

• the issuer of the credential – for example, the authority that holds the health data and could confirm that a vaccine or test had been administered (the NHS in the UK)
• the holder of that information – for example, an individual with the credential on their phone
• the verifier of all the necessary information – for example, a venue checking that the correct credential applied to the individual in front of them
•  technical providers – for example, the developer of a particular vaccine passport app.

Each component of the vaccine passport system could be digital or non-digital. For example, an entirely non-digital system would involve:

Digital and non-digital components of a vaccine passport system

Health information and identity data

Schemes will be technically distinct across different countries, depending on a number of factors, including the extent to which health records are digital, whether health systems have existing central databases or are fragmented across providers, whether countries have
digital identity infrastructure or whether digital apps already exist in health systems. In Denmark, for example, the government has worked closely with private vendor Netcompany, and the app operates in the context of an existing digital identity system. Other countries like the UK have a centralised health system but no digital identity system so have to grapple with different routes to providing identity – none of which will be perfect.

Most systems relying on identity verification will be likely to require ‘anchor’ documents such as a passport or driving licence to be used somewhere in the process, but that won’t enable access for all individuals: in 2015, one in four people eligible to vote in England and Wales were estimated to lack either a passport or driving licence, with certain groups, such as young people, even more excluded.¹⁰⁴ Ensuring complete registration and access are challenges that exist already in all health systems, and these are often linked to age and class inequalities in access, both in physical and digital health systems, and more pronounced in many low- and middle-income countries.⁹⁸

Depending on design and country context, schemes will have different implications for data infrastructure. Some call back to existing databases (checking with existing medical records or checking acceptable QR codes, for example). Others create a digital credential or token that might be stored on your phone. Vaccine passport schemes might require the creation of new databases, which include biometrics records. Each of these pose different risks and benefits, depending on the wider systems they interface with.

In the UK, the preferred route to implementing vaccine passports seems to be building the functionality into the existing NHS app (not to be confused with the NHS contact tracing app or GP apps). This app is regulated by the Medicines and Healthcare products Regulatory
Agency (MHRA) to hold digital health records, and to act as an interface between patients and health services to book appointments and manage prescriptions. A strength of this approach is that it develops an existing infrastructure, rather than building a new one, which already operates to high-level data security standards (see data security section).

Building the tool under the auspices of the NHS brings built in-trust, however it also raises the stakes: if something did go wrong, or this was perceived as a tool that wasn’t in-keeping with the NHS values, it could have an impact on wider trust in the NHS. It is also will have to deal with
coverage issues: currently the NHS app is available only in England rather than across the UK and currently has only two million verified users.¹⁰⁶

Verification

A critical element of a passport scheme is verification: how the relying or verifying party, e.g. the venue or the airline, can check that the credential that confirms an individual has been vaccinated or tested actually belongs to that individual.⁸⁹

Many applications being developed rely on QR codes, which are issued as digital or printed cards when an individual is vaccinated, and can be scanned by a venue. Some of these systems would produce a binary (yes/no) response to indicate whether a person could or could not enter, without revealing what method (vaccination, test or exemption) allowed them to do so. Others might be more specific, such as the Danish Coronapas that shows how much time remains in the 24–72 hour window provided by a negative test result.¹⁰⁸

Apps have different security protocols: some providers stress that, under their systems, the ‘digital ceremony’ of verification takes place only between the individual and the venue with no databases having to be called – the cryptography within the apps is enough. Others say there
would be a record of the code in the cloud or on a blockchain to verify it was genuine, but this would be separated from any personal data stored on-device.

Israel’s Green Pass app has a QR code that can be scanned, while also providing a physical alternative (Green Pass plus ID document to verify identity). Denmark’s Coronapas system – which includes an August 2021 sunset clause, except for tourism and travel¹⁰⁹ – allows citizens to sign into the app with their existing national digital ID (and use the photo from their passport) and display a QR code based on tests, antibody tests or vaccination.

Others are using more complex technologies to verify identity. The Mvine/iProov project funded by the Innovate UK research agency to be trialled in the UK, for example, makes use of facial recognition technology: once an individual has been vaccinated, a medical professional takes a picture and issues the individual with a digital certificate (including a QR code). The certificate number and biometric face scan are stored online by iProov; although the facial biometric is not available to third-parties, this storage could still raise privacy risks. A venue would scan the QR code and the holder’s face, to verify that they were the person to whom the credential belonged. Anyone without a smartphone could have a card with a QR code and still have their face scanned as verification.¹¹⁰

Using facial recognition data in the passport could get around the issue of having no state digital identity system, provided a trusted medical professional was able to link the health credential to the facial biometrics, but it brings in other challenges. In the past facial recognition has been shown to be less accurate for certain demographics – in particular women, and people from minority ethnic backgrounds – which could amplify discrimination and reduce inclusivity.

Conflating COVID vaccine passports with another controversial technology could undermine public trust and confidence – many people are uncomfortable with biometric data about their faces being gathered by private companies or government, and are concerned about how
such data is governed. The Ada Lovelace Institute’s Citizen Biometrics Council recently called for better standards and stronger regulation of biometric data.¹¹¹

Authorisation or permission

The point of verification by a venue of an individual’s identity may also create practical challenges. It might be a simple, non-digital process – a human examining a digital health record that displays a green tick and a photo, for example, and then waving the individual through. Or it might have a further technical component, by scanning a QR code or further
biometric verification, requiring infrastructure that brings in additional security risks that require further consideration. For example, would venues be required to keep an audit of everyone they have allowed to enter – with related privacy and practical implications of storing a great deal of personal data – or would the fact they have followed a (more minimal) process be sufficient?¹¹²

Regardless of how the scheme is delivered, any vaccine passport system should be compliant with data protection, adopt best-practice design principles, offer high data security, be clear how it links or expands existing state data systems, in particular digital identity, and offer a non-digital route. We go into each of these aspects in more detail below.

Data protection and health data

Any vaccine passport system will involve secure access to an individual’s health data, which in many regions will be subject to particular conditions under data protection laws.

In the UK, data protection is guaranteed by the Data Protection Act 2018, which enshrines the EU GDPR, and which in the short term is likely to remain aligned with the EU GDPR.¹¹³ (GDPR – the General Data Protection Regulation – was introduced across Europe in 2018 and aims to
standardise the approach to privacy and data protection across Europe. It has also provided a model for other countries, such as Brazil.)

Health data – such as the results of COVID-19 tests and vaccination records – constitutes sensitive data under Article 9 of the GDPR, meaning the collection and further use of that data needs to be justified with one of the exemptions in Article 9-2.⁷⁵ One of these exemptions is the necessity ‘for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health’.

Any use of personal data for public health reasons should be necessary – that is, targeted and proportional to achieving the desired purpose – and be of benefit to the wider public and society, rather than just individual health. One evidence submission we received suggested this means that governments and developers will need to demonstrate that a vaccine passport will have a meaningful impact on public health.⁶⁰ European authorities have also underlined that any arrangements justified by the current public health emergency should not continue afterwards.¹¹⁶

Even if such a justification can be established, Article 9-2(i) of the GDPR requires adequate and specific measures to safeguard the rights and freedoms of individuals to be put in place even when pursuing public health interests.⁷⁵ Given that COVID vaccine passport systems will contain sensitive personal information, app providers will need to comply with the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability, as outlined in Article 5 of the GDPR.³⁵

Even if explicit consent or public health interests allow for the collection, storage and processing of test results and vaccination records, providers would still need to build data protection into the design of these technologies by default under Article 25-1 of the GDPR. For
example, providers proactively need to take technical and organisational measures to address potential data privacy-invasive situations, including the transfer of data to parties not covered by GDPR, which might occur if services are offered by international private providers.¹¹⁹

Providers should also ensure individuals are informed as to how their data is being utilised, by whom and for what purpose, providing clear and accessible information, recognising the geographical, cultural and linguistic diversity of the societies they are providing this service to.¹²⁰

Given this, the Data Protection Act will almost certainly require providers, public or private, to carry out a data protection impact assessment (DPIA). National data protection authorities, which in the UK context means the Information Commissioner’s Office (ICO), will have a duty to
monitor, investigate and enforce the application of these rules under Articles 57 and 58 of the GDPR.⁷⁵

More broadly, the Global Privacy Assembly – an international body composed of information and privacy commissioners – has said that while the processing of health data to enable international travel may be justified on public health grounds, governments and other organisations should take heed of principles including:

• Embedding ‘privacy by design and default’ into the design of any system, including conducting a ‘formal and comprehensive assessment’ of the privacy impact on individuals (see design principles below).
• Ensuring personal data is used according to a clearly defined purpose, under relevant legal authority, and only where it is necessary and proportionate.
• Protecting the data protection rights of individuals unable to use or access electronic devices or access vaccines and consider alternatives to prevent them suffering discrimination.
• Informing individuals as to how their data is being used.
• Collecting only the minimum health information from individuals ‘necessary for their contribution to protection of public health’.
• Building sunset clauses into the design of such schemes, ‘foreseeing permanent deletion of such data or databases, recognising that the routine processing of COVID 19 health information at borders may become unnecessary once the pandemic ends’.¹²²

Design principles

Anyone developing a COVID certification scheme should consider a series of design principles at all stages of developing a system that will help to minimise harms and the risk of unintended consequences, and maximise the chances of a system working and commanding public
confidence. These principles may include, but are not limited to:

• Data minimisation, the principle that only the personal data needed to fulfil a specified purpose should be held.¹²³ This would suggest that, for the purposes of letting someone into a venue, the only relevant information is whether a person is permitted to enter or not, rather than fuller details of why (have had a vaccination, a negative test or are exempt, for example) or unnecessary personal information.
• User control, the idea that the individual should have control of their data at all times and choose who to share it with.
• Not unrelated is the idea that the credential should ‘act like paper’, as with a paper credential, there is no need for the system to ‘call back home’ and refer back to other databases.
• Privacy-enhancing technology, operating to international privacy standards, should be used where possible to protect personal data, and developers should take a ‘data protection by design’ approach. All of this also points towards solutions that do not make use of other controversial technologies, such as facial recognition or verification
  that don’t operate locally and securely on user-controlled devices.
• Openness, not just in explaining to the public exactly how systems are operating (including key details like who is responsible and accountable, the legal protections and ethical standards being applied, and what data is being used and how), but in taking an open-source approach to code that will help keep it up to date and open to scrutiny.
• Transparency about who is responsible and accountable, what legal protections are in place, what ethical standards are being applied, and what data is being used and how.
• High standards of governance, accountability, the application of other principles and adherence with data protection law (including the GDPR in Europe) will be essential to protecting the individual, but also ensuring public trust – as the UK Information Commissioner has written, a failure in one scheme could lead to a loss of trust across all attempts to use data and digital technology to combat COVID-19.¹²⁴ The ICO is clearly conscious about the issue of ‘scope creep’ – that data collected for one purpose could be used for others.¹²⁵
• Adherence to international standards, for the sake of interoperability and quality. Among those currently being utilised are W3C’s Verifiable Credentials (although the use of this standard has been critiqued on privacy grounds)¹²⁶ and the HL7’s Fast Healthcare Interoperability Resources (FHIR) for sharing healthcare data.¹²⁷
• Piloting proposed solutions at small scale, with full details of any such trials made public, and thorough evaluation and iterative improvements before rolling out any schemes on a larger scale.
• Undertake consequence scanning¹²⁸ to explore what potential use cases are desirable or undesirable, and make design choices accordingly.
• Analyse plans from a security perspective. Key questions include how many potential security threats are being created by implementing these infrastructures, what new power the system gives to different actors (venue owners, etc.) and how that power could be misused, whether these new powers contravene existing norms,
  whether they raise a risk of unequal treatment in society and how these risks can be mitigated.
• Engage members of the public – particularly those from marginalised communities – in the design and piloting of these systems. (See the Public legitimacy chapter for more detail).

Data security

Some COVID status certification services would require robust security – particularly if they are bringing together sensitive information. Higher technical security may pose a trade-off for accessibility which will need to be weighed carefully. For example, the NHS offers three levels of identity verification:¹²⁹

• Low level, where a user has verified ownership of an email address and mobile phone number but has not proven who they are or provided any other details.
• Medium level (P5), where additional information (date of birth, NHS number, name, postcode) has been checked against patient records on the NHS Personal Demographics Service. This allows users to access services like contacting their GP but not to access health records (and so is unlikely to be sufficient for sharing vaccination or testing data).
• High level (P9), which requires a full identity verification process including comparison between the user and photo ID, either at a GP surgery or submitting a photo of their ID and a short recording of their face.

Any process requiring access to personal health data should use high-security level. But the verification of photo ID may exclude vulnerable people or add a burden to GP services, who would need additionally to resource verification of patient identity.¹³⁰ Alternatives would need to be provided for non-digital access, given a mobile phone is required for an NHS login, and for groups without an NHS number including foreign tourists.

Where countries are building their own solutions tied to state infrastructure, the alternative is for third-party apps, run by private providers, to be given permission to access health records. In the UK there are already private companies who are regulated to store health records and act as an interface between the public and NHS services. Particular consideration needs to be given to exactly how this would work in relation to COVID vaccine passports, what standards providers would need to meet in accessing and using this extremely sensitive data and
how accountability might be assured. In addition, given the high levels of verification necessary, there must be due consideration of whether and how such a standard could be met by private providers. (Also see security and fraud section below).

Developing digital identity infrastructure

It is essential that it is clear whether digital vaccine passports will create or expand existing infrastructure, in particular as regards to digital identity.

In the UK there have been at least two decades of debate about digital identity (the UK currently does not have a single digital identity system), and reaching consensus about identity verification has been challenging. In March 2021, the UK Government confirmed the end of the Verify scheme (although it has been given a final short extension),¹³¹ long criticised for failing to meet expectations of users, or in terms of the number of government services using it.¹³², ^{133 134} In September 2020, the Government published its response to a consultation on digital identity; in February 2021, it published a draft framework for digital identity. Any organisations currently developing vaccine passport systems in the UK will need to ensure that they fit within this framework.

In India, which has an existing identity system called Aadhaar, the roll-out of a contact tracing app has been used to populate other databases linked to Aadhaar, without further scrutiny and amid claims that it violates purpose limitation (the idea that data collected for one purpose
cannot be used for others without a user’s consent). Concerns have been raised from countries such as Argentina and Kenya, that existing digital identity systems lack transparency and oversight.⁸⁹

Governments that do not currently use digital identity systems should ensure they do not rush into them because of vaccine certification without due thought, debate and deliberation to explore the potential benefits (greater interoperability of identity, joined-up services, etc.) as
well as the practical and privacy concerns. Creating new infrastructure that is primarily designed to meet the needs of the pandemic might restrict future choices.

Non-digital route

To be inclusive any technical vaccine passport system will need to have an analogue or paper-based alternative to protect against exclusion. This will bring risks, in particular relating to fraud and exclusion (see below). A non-digital route might not need to be an entirely separate system, for example one of the pilot projects funded by the UK Government, involving app developers Mvine and iProov, reports that their combination of a printed QR code and facial verification allows people without smartphones to be part of the system.¹³⁶

As discussed above, the technical design of a digital vaccine passport is part of the wider sociotechnical system. This means that even if the technical build is done in a way to (for example) minimise the sharing of personal data and enhance privacy, this will not eradicate all harms. The act of certification discriminates between different groups of people – that will be the case whatever the technical design.¹³⁷ Therefore it is critical to consider the sociotechnical design as at least as important as technical design.

Sociotechnical design

We now turn to questions of what the wider system around any technical implementation will need to look like, and what will need to be considered in the creation of such systems.

The role of government

The first question asked in relation to domestic vaccine certification systems is often who will provide them: government itself (as in Israel) or other actors, including private companies (many of whom are developing solutions) and non-profit foundations (such as Linux Foundation Public Health). However, the important question to start with is: what will
government’s role be?

Governments have the ability to consider the whole sociotechnical system, including any mitigations against harm that might be required, in ways that other actors cannot, and as such have an essential role to play. Some countries – such as Israel – are already rolling out their own
schemes where their Green Pass is issued by the state. But governments that decide not to roll out their own scheme while permitting others to build them are still taking a decision that carries responsibilities. In many nations governments will be the only legitimate standard setters, and in countries with national health systems they will be responsible for administering vaccinations and certifying that they took place.

Even if governments opted to prohibit the use of vaccine certification – something our expert deliberation felt would be difficult – informal uses are possible, so even here governments should play a role in public communication or guidance. If they do not, key public policy questions around discrimination and ethics will effectively be outsourced to private
companies. In most countries, private companies are likely to have some involvement even in state-run schemes. The question then is not whether government has responsibilities relating to vaccination certification, but what those responsibilities are.

There may be advantages to a system being the responsibility of government. They may already own key parts of the infrastructure that could be used. Many countries have existing ID systems, which can help with identity verification. In the UK, the NHS is responsible for
administering the vaccine and it has been suggested the existing NHS app (not the contact tracing app) could be modified to allow citizens to access their vaccination records. Adapting existing systems may negate the need to build entirely new ones, saving time, cost and reducing risks like scope creep and path dependency.

On the other hand, adapting existing systems to accommodate vaccine passports brings risks. If existing systems, especially identity ones, are flawed, existing problems may become further entrenched. In the UK, the NHS enjoys higher public trust than most institutions and higher
data trust than anyone else,¹³⁸ but this could be damaged if expectations for vaccine passports were not met, for example through continued outbreaks of COVID-19 (as people falsely assume vaccination or testing will stop all transmission).

Existing apps for citizens may exclude certain groups. The NHS app, which is reliant on registration with the NHS in England, may not cover all eligible UK citizens and would also not work for many individuals visiting or resident in the UK. This could prevent those who have been vaccinated by, and are registered with foreign healthcare providers, from accessing domestic leisure venues during a holiday, or exclude undocumented migrants, asylum seekers and refugees who were not able to be vaccinated in their home country from access to systems in the UK. In Israel, many foreign students, diplomats, asylum seekers and
other non-citizens were excluded from the Green Pass system for weeks after the scheme launched, despite having been vaccinated in Israel.¹³⁹

Allowing private companies to develop solutions could encourage competition and innovation and provide users with a choice, as no solution is likely to work perfectly in all settings.¹⁴⁰ There are risks to relying on a single system (including security risks),¹⁴¹ and a competitive market could help push out untrustworthy players.

Our expert deliberation raised concerns about market-led approaches:

• That a market-led system could be dominated by big players who were not experts in the field, even leading to a monopoly or monopsony.
• That risk might be heightened by only certain technology companies being big enough to adapt any system to rapidly changing scientific evidence (for example, on transmission).
• That the rush to dominate the market quickly could lead to vital discussions of equality and ethics being missed, not leave enough time for user research and evaluation, and bring insufficient engagement with health authorities.
• That there is uncertainty and a lack of transparency about the business model for any private sector solution, and that data acquired through provision of the app (even if anonymised) may be monetised by private providers.

Other risks include that allowing different systems to be developed could fragment a public policy problem into a series of private problems that would be harder to govern; that private companies would have less of an incentive to think about the wider societal context and possible harms unless government had put standards and rules in place; and that multiple solutions may not be interoperable, which would lead to some being recognised in some settings (e.g. by some venues or restaurant chains) but not by others.

Whether apps are supported and developed by government or other, private providers, there are some facts that should be made public clearly, including who is responsible and accountable, what legal protections are in place, what ethical standards are being applied, and
what data is being used and how.

Duration of a COVID vaccine passport system

Another important consideration will be the duration any system is operational. If a system is intended to be a temporary response to avoid prolonging lockdowns and to ease other public health restrictions, its lifecycle would depend to a significant degree on the background rate
of COVID-19, the speed of vaccination within a jurisdiction, and the subsequent impact of health measures on the risk posed by COVID-19.

Some countries have moved quickly in vaccinating their population. As of 12 April 2021, Israel had provided more than 60% of its population with at least one dose of a vaccine, the UK nearly half its population and the US more than a third.¹⁴² The percentage of the population that is fully vaccinated in Israel is over 50%, the US over 20% and the UK over 25%.¹⁴³

A vaccine passport scheme may have some utility when a sizeable minority of the population has had two doses, but before a nation has achieved herd immunity. It may have less utility when only a very small percentage of the population is vaccinated (existing lockdowns would
be likely to continue, there may not be enough economic incentive for businesses to reopen), or with a large percentage of the population having been vaccinated (herd immunity will have some effect).

The speed at which Israel, the US and the UK are vaccinating their populations, for example, suggest that there may only be a very limited window where vaccine passports could be of any use, and there would still be strong scientific reasons (listed above) and other societal reasons
(explored through the rest of this report) not to introduce them.

Mass vaccination would likely bring the risk to society of COVID-19 down to the level of other illnesses already circulating in society, such as seasonal flu. In the UK, the average number of annual deaths from the flu was around 15,000 from 2014/15 to 2018/19,¹⁴⁴ but there is no expectation of a passport or testing regime for the flu. Our expert deliberation panel assumed a COVID-19 passport system might have some appeal in the transition from a pandemic to steadier conditions – when, as with the flu, the disease was endemic but vaccination, herd immunity and better treatment had made it less deadly – but then questioned how far it would be possible to switch off a temporary, transition measure once it was in place.

The UK prime minister has suggested that a third wave of COVID-19 could yet ‘wash up on our shores’.¹⁴⁵ Would vaccine passports offer any support against such waves globally? Following mass vaccination, the hope is that any future waves would have a more tolerable impact on health, perhaps comparable impact to annual flu seasons unless the virus mutated into a variant against which existing vaccines are not effective. It is not clear how passports would offer significant public health benefit in a situation of low transmission and high population immunity.

The potential scenario of a vaccine-resistant mutation complicates the role of a passport. Those who had previously been considered lower risk would no longer be, and if people behaved as though they were protected because they had a passport, that could potentially accelerate the spread of the disease. On the other hand, if only one vaccine (Pfizer, for
example) was ineffective against a new variant, vaccine passports could be used to allow a subset of the population to continue movement, or government guidance could pivot to a system that was reliant on testing rather than vaccinations.

The end of the COVID vaccine passport lifecycle occurs when it is deemed no longer necessary – but what criteria would need to be met for it to be turned off, and under whose authority? Possible end points could include cases falling below a certain level (though consideration would need to be given as to whether some trigger – an increase in cases, or the
emergence of particular variants – would require them to be switched back on), or the WHO declaring an end to the pandemic. Some have argued that a benefit of passports would be encouraging boosters, which might indicate more long-term use.

Denmark’s plans for its Coronapas contain an August 2021 ’sunset clause’ (other than for tourism and travel), with decisions about any continued scope and use to be informed by the experiences of its domestic use.¹⁴⁶ Our expert panel were sceptical about the ease of turning a system off once implemented, and worried about scope creep. Others have argued for disease surveillance systems remaining in place and becoming part of normal health infrastructure, to protect against future pandemics.¹⁴⁷

Opportunity costs and overheads

The opportunity cost of focusing on COVID vaccine passports

There will be opportunity costs to focusing on COVID vaccine passports rather than other interventions. Certification schemes will involve political, financial and human capital costs that a government will need to weigh against their benefits. These costs and benefits should not be
considered in isolation. Given that governments have finite resources and attention, focusing on certification schemes should be reviewed in comparison to the costs and benefits of further investment in alternative public health measures intended to lift restrictions, such as investing in greater vaccine supply and roll-out or attempting to improve test, trace and isolate schemes.

As we have seen, there will be a discrete time period where there is scientific confidence about the impact of vaccines on transmission and a large enough vaccinated population to warrant segregating rights and freedoms, before population-level herd immunity, or endemic and low-risk COVID-19 makes vaccine passports unnecessary. In some countries, like the UK, this window might be very narrow.

This window will vary from country to country, and affect the relative balance of costs versus benefits, which will depend on the intended duration of any COVID status certification. High up-front infrastructure and business costs and significant opportunity costs would need to
be weighed in the decision to set up a temporary scheme. Schemes intended to have a long duration also need to be mindful of ongoing costs of maintenance and any costs borne continuously by users, for example in acquiring tests.

Maintenance

Any vaccine passport system will require maintenance, repair and updating in order to remain functional and continue to serve its intended purpose as conditions change around them. The question of who is responsible for maintaining these systems and the costs associated with
continued upkeep should be factored into any cost-benefit analysis of the viability of these systems.

If a vaccine passport system is intended to be temporary, then its obsolescence should be designed in from the start. Legislation and plans should contain sunset clauses, and the costs of closing the system down factored into budget planning. Care should also be taken not to develop other systems that are reliant on it.

Designing in obsolescence may be relatively novel in software development, but not in other fields: nuclear power stations are designed with maintenance, the end of their lifespan and decommissioning in mind. If governments and other providers have not thought about how to close a technical system down, it implies that either they believe it will not be a
temporary measure or have not given the issue sufficient consideration,  both of which may be damaging to public confidence.

If a system is to be more than temporary, then maintenance and upgrade costs will need to be planned in. The prospect of ‘technical debt’ – the idea that limited systems built in haste will require future development spending – is also higher if governments and other providers rush to build systems in weeks or months rather than thinking longer term.

Financial burden on businesses

Businesses that require vaccinations for customers or employees will need systems and additional resource for reviewing vaccine passports, which could create a financial burden for businesses already struggling with depleted financial reserves as they try to reopen.
In certain contexts, like health and social care, there may be existing systems in place which have tracked and verified vaccinations, but many firms in other sectors are likely to be starting from the ground up and having to procure new systems, train staff, and employ ‘security’ staff to administer their use.

There are other possible costs businesses will need to consider. For example, it is unclear what liabilities a venue would face if customers became infected with COVID-19 despite using vaccine passports, if the scheme allowed the venue to (say) reduce the space between theatre seats or between restaurant tables.

There may be related risks for businesses in terms of reputational damage, should such a situation occur. For example, if there is an outbreak traced back to e.g. a cinema using the  scheme to remove maskwearing and spacing requirements, those cinemas might be, fairly or
unfairly, seen as more risky venues.

Costs to users

While almost all countries have chosen to make vaccinations freely available to all as they become eligible, schemes that rely on testing could impose additional costs on users of the system. The more widespread a scheme is, the more burdensome any repeat costs could
become on those who must rely on testing that is not freely available.

In the UK, testing is widely and freely available for most people, and the Government has a service that allows citizens to request free lateral flow tests. But, even in the UK context, testing companies are charging customers for PCR tests required for international travel.¹⁴⁸

Interaction with the wider public health system

Effect on vaccine uptake

One possible public health reason for introducing a COVID vaccine passport system would be to encourage uptake of COVID-19 vaccines, in order to reach herd immunity faster. This calculation will be specific to different countries, as rates of vaccine hesitancy vary greatly and the strength of incentivisation may also vary substantially. In England it is not clear there would be much additional benefit by further incentivising vaccination through a vaccine passport system, as more than 95% of people aged 60 and over have already been vaccinated with a first dose,¹⁴⁹ and nearly 90% of unvaccinated adults say they would be taking a vaccine if available.¹⁵⁰

Some preliminary studies show a mixed picture as to whether vaccine passports would incentivise people to get vaccinated;¹⁵¹ further evidence and investigation will be necessary for any given local context.¹⁵² There may be a downside risk that certification could reduce trust and increase vaccine hesitancy if the scheme is seen as introducing mandatory vaccination by the back door.¹⁵³ This may be particularly acute in some minority ethnic communities that have been oversurveilled historically, leading to a further deterioration in trust.¹⁵⁴ This is an area where further research is needed.

Placing an additional burden on the public health system

As well as raising opportunity costs in relation to the wider vaccination effort, these systems could place a direct administrative burden on  vaccine programmes, and on healthcare staff administering vaccinations and handling medical records, who are already overstretched from
additional workloads imposed by the pandemic.¹⁵⁵ While some digital systems may be able to reuse existing vaccination records with minimal additional work on the part of frontline health staff, non-digital solutions and obtaining proof of exemption (and authorising some digital schemes) could place additional strain on general practitioners and family doctors,
worsening other health outcomes, unless there are easy and clearly signposted alternative routes or additional resources are made available to general practitioners.

This may be particularly acute in countries still developing digital infrastructure. In their evidence, Access Now give the hypothetical example of a vaccination drive in a village in India. The administrator of the vaccine is required not only to vaccinate the people there, but to authenticate their identity, create their unique identity on the government’s platform and log their vaccination status. But the internet goes down – the vaccinations are halted until it is restored – a lack of technological infrastructure means people are left unvaccinated that
day despite people and vaccines being present. Similar cases, in the distribution of rations and other social benefits, have been recorded in India.⁸⁹

Setting interoperable global standards

Standards are important for complex technological systems to function properly. In a globalised world, standards act as an important process for establishing shared rules, practices, languages, design principles and procedures. They allow a diversity of actors taking a multiplicity of approaches in a local context to nevertheless maintain coherence for individuals interacting with a technology, work together to avoid duplication of effort, and avoid as much as possible a lack of interoperability between different systems in different places.⁹⁸ COVID vaccine passport schemes will require interoperable standards, particularly in the context of international travel and border control, and especially if governments allow private actors to develop a diversity of certification applications.

Who is responsible for setting standards

Designing and setting standards is not a neutral process.³⁵ Given the impact they have, standards will often be contested by different countries and interest groups, as they can codify and project particular world views. Standard-setting is not a one-off process, as standards require maintenance and iteration to remain useful and consistent. The process of setting new standards can sometimes be remote from those on the receiving end of novel technologies. The development of COVID vaccine passport systems will need inclusive processes for the creation and maintenance of standards.³⁵

What they should include

As discussed in the Science and public health chapter, there are a number of possible pieces of COVID-19 risk-relevant health information that could be included in a COVID vaccine passport scheme. Decisions will need to be made about:³⁵

• the risk factors within the system that will be represented in models
• how to measure or approximate the values of these variables/factors
• where to define the boundaries of the system, and how to assign confidence to data and components inside and outside these boundaries.

Those responsible for standard setting in COVID vaccine passport systems will need to decide which tests, vaccinations and dosing regimens will be accepted within a specific, and often geographically contained, certification system.

In particular, many high-income countries have primarily relied on vaccines developed in the United States and Western Europe, and have not approved vaccines developed in Russia and China.¹⁶¹ Travellers from low- and medium-income countries, who have primarily relied on Russian and Chinese vaccines, could be denied access to countries recognising only European or North American vaccines or be required to undertake self-isolation or even (costly) hotel quarantining to access those countries. It could also lead to domestic discrimination against migrants from low- and medium-income countries, if access to venues and services is conditional on vaccines used in those high-income countries and migrants are vaccinated with ‘invalid’ vaccines.

Security and fraud

Any digital vaccine passport scheme that successfully restricts and permits access to certain rights and freedoms will inevitably prompt attempts to defraud it. The greater the differentials in access, the stronger the incentive will be. Steps will need to be taken to ensure any vaccine passport scheme is not vulnerable to fraud or accusations of fraud. The Global Privacy Assembly, a global forum for privacy and data protection authorities, emphasises that the cyber security risk of any digital COVID vaccine passport system or app must be fully assessed, taking full account of the risks that can emerge from different actors in a global threat context.¹⁶²

Within the first week of Israel’s Green Pass scheme, it was reported that a black market for forged passes had emerged on the messaging app Telegram¹⁶³ and subsequently that the police were looking for hundreds of individuals who had bought counterfeit certificates.¹⁶⁴ In February 2021, Europol issued an Early Warning Notification on illicit sales of false negative COVID-19 test certificates, citing multiple incidents across the continent and saying that, as long as travel restrictions remained in place, ‘it is highly likely that production and sales of fake test certificates will prevail. Given the widespread technological means available, in the form of high-quality printers and different software, fraudsters are able to produce high-quality counterfeit, forged or fake documents.’¹⁶⁵

Counterfeit vaccine passports could undermine the public health rationale for certification by allowing those at a potentially high risk of transmission to engage illegitimately in riskier activities, creating a situation similar to if there were no certification at all. It could even be
worse: those unaware of counterfeit vaccine passports might make inaccurately low risk assessments of situations and not use other, more informal mitigations (such as social distancing). Widespread counterfeits could also undermine public confidence in vaccine passports if individuals no longer trust any other individual’s certification to be valid and become more suspicious of others’ claims to be vaccinated, recovered, or otherwise at a relatively lower risk to themselves and others.

Public legitimacy

Another consideration for any COVID vaccine passport scheme is its perceived legitimacy

Another consideration for any COVID vaccine passport scheme is its perceived legitimacy. Illegitimate systems are undesirable both because they lack a sufficient political justification and because an illegitimate system will be likely to face significant resistance to its implementation. Legitimacy is a contested concept, and different attributes will be required for a system to be legitimate in different cultures and under different moral and political philosophies. Here, we are concerned with legitimacy in democratic pollical systems.

In part, legitimacy in democratic political systems can come from following due process. This includes debate by representatives in a legislature and subsequent legislation, or by ensuring proportionality and respect for human rights in accordance with existing legal and constitutional frameworks, as we have discussed in previous chapters. However, another important of legitimacy in democratic political systems is the consent of citizens and public support for particular measures. This means understanding what the public are willing to endorse and continuously involving the public at each stage of development.

Polling

One approach to public legitimacy of vaccine passports would be through surveys and polls. Polls conducted in the UK suggest that public support for COVID vaccine passports varies depending on the availability of vaccinations, the particular use cases, and the providers of
certification:

• An academic study of UK public opinion during March–April 2020, the height of the first wave of COVID-19 in the UK, found most people did not object to immunity passports (introduced as ‘imply[ing] that you are now immune and therefore unable to spread the virus to other people’) and 60% of people wanted one (to varying degrees), although 20% thought them unfair and opposed them completely.¹⁶⁶
• Polling by Deltapoll in January and February 2021 found support for restrictions at an international level. At a domestic level, January polling found narrow support (42–39%) for vaccinated people being allowed to do things (meeting friends, eating in restaurants, using public transport) that others could not.¹⁶⁷ Support had risen 12 points by the end of February, although passports and certificates were not explicitly mentioned.
• Polling published by YouGov in March 2021 found support for a vaccine passport system, but with greater opposition in younger age groups, varying levels of support for different use cases (from 72% in favour of use at care homes, to 31% at supermarkets) and opposition to private companies being allowed to develop their own systems. Support was higher for passports once everyone had been offered a vaccine, compared to during vaccine rollout – which, as discussed above, is when the scientific case for using them is weaker.¹⁶⁸ Somewhat contradicting the general support for certification is a separate YouGov poll from early March. This found that 79% of respondents thought those vaccinated should still be subject to the same COVID-19 restrictions as others, until most people had been vaccinated.¹⁶⁹
• Ipsos MORI polling in March 2021 found support for ‘vaccine passports’ was highest for international travel (78%) or visiting relatives in a care home (78%) or hospital (74%), but also high for theatres and indoor concerts (68%), visiting pubs and restaurants (62%) and using public transport (58%, though 25% were opposed). Nonetheless, one in five of those polled thought the ethical and legal concerns outweighed any potential benefits to the economy, with the young and ethnic minorities more concerned.¹⁷⁰
• Research conducted by Ipsos MORI at the end of March 2021, for King’s College London and the University of Bristol, found 39% of those polled thought unvaccinated people would face discrimination (28% did not), with 44% worried that vaccine passports would be sold on the black market. Half of those polled didn’t think passports would have a negative impact on personal freedoms, though a quarter thought they would reduce civil liberties. Just over a fifth of people thought passports would be used for surveillance by the Government, while more than two fifths did not, but concern was much higher among minority ethnic groups.¹⁷¹
• A survey by De Montfort University, Leicester, found 70% agreed with the need for vaccine passports to travel internationally, but only 34% agreed with such a need for pubgoers or diners (compared to 45% against).¹⁷²
• Cultural sector consultancy Indigo found around two-thirds of people would be comfortable with passports or testing to attend live events (with a fifth and close to a third uncomfortable, respectively), but that 60% of people would be uncomfortable if this meant that other public health measures or restrictions inside the venue were dropped.¹⁷³
• Polling for the Serco Institute found broad support for passports across different settings, assuming there were ‘appropriate protections and exemptions for people who are precluded from taking the vaccine due to medical conditions’.¹⁷⁴

The Ada Lovelace Institute’s own polling, with the Health Foundation, found more than half (55%) of those polled thought a vaccine passport scheme would be likely to lead to marginalised groups being discriminated against. 48% of people from minority ethnic backgrounds and 39% of people in the lowest income bracket (£0-£19,000) were concerned that a vaccine passport scheme would lead to them being discriminated against. While twice as many respondents (45%) disagreed with a ban on vaccine passports compared to those agreeing there should be a ban (22%), a third of respondents (33%) were undecided.

Taken together, these polls point to a lack of societal consensus on the way forward for vaccine passport schemes. Publics in the United States and in France show similar divisions.¹⁷⁵

Deeper engagement

Surveys and polls are a powerful tool for measuring mass trends in attitudes, establishing broad baselines in opinion, or understanding what proportion of the public agree with particular statements. The information they provide helps us to understand the pulse of a population’s attitudes. But these methods fail to give comprehensive understanding of people’s perspectives on complex topics, such as the ethical and societal challenges of COVID vaccine passports and related digital technologies, and risk boiling these complex issues down into
statements which can be answered with ‘yes’ or ‘no’, ‘strongly disagree’ or ‘not sure’. Framing questions as simply about vaccine certification schemes also risks focusing on one possible measure rather than taking a holistic view of other measures that governments could deploy.

If governments want to understand what the public thinks about these issues and what trade-offs they might be willing to make in a deeper way, they need to provide a space for them to do so through more deliberative means.

Citizens’ juries and councils enable detailed understanding of people’s perspectives on complex topic areas. For example, the Ada Lovelace Institute has recently undertaken a year-long Citizens’ Biometrics Council to understand public preferences on the use and governance of biometrics technologies.¹⁷⁶ Focus groups or engagement workshops can better capture the nuance in people’s opinions and creates complex data to analyse and describe in reports and recommendations. Qualitative and deliberative methods complement the population-level insights provided by polling by offering greater detail on why people hold certain opinions, what values or information inform those views, and what they would advise when informed.

This will be particularly important given the access to government decision-makers that other groups – lobbyists for particular industries, private companies building vaccine passport solutions – may have already had.³ In the UK, lobbying and corruption is currently towards
the top of the news agenda: given the importance of public trust to making government plans for lifting lockdown work, and in deploying new technology, it is vital that governments understand the position of different publics and hold their trust.

Future risks and global consequences

The focus of most discussions of COVID vaccine passport schemes (including previous chapters of this report) has been on the immediate and near-term questions of practicality, legality, ethics and acceptability of systems being developed right now, looking at opportunities and concerns over the next year or two. These discussions focus on schemes being launched within months, including those already operational in Israel and before summer 2021 in the European Union, and their operations over the next year or two, as mass vaccination campaigns roll out around the world.

Even if a country is able to establish that all design questions have been answered, that the societal, legal and ethical tensions have been resolved, that there is no way of adapting existing systems and that a new system needs to be built, the long-term effects of building such systems and how they could shape the future must be considered. In particular, consideration should be given to whether these systems will:

• Become a permanent fixture of future pandemics?
• Be expanded to cover a wider and more granular set of health statuses, outside the pandemic context?
• Change norms and expectations about the bounds of sharing personal health data?
• Create wider path dependencies that shape the adoption of other technologies in future?

This section is also vital to any public engagement. The public may not see all the unintended consequences and may discount effects on their future selves and future generations, especially with the prospect of escaping a cycle of lockdowns faster. States with longer time horizons and broader duties to all their citizens, need to consider the future risks alongside the immediate pressures on their publics, and encourage their public to do so through deliberative and open engagement.

Permanent emergency solutions

Once time, resources and political capital have been invested in their construction, it is unlikely that these systems and their underlying infrastructure will be rolled back once the crisis that initially justified their creation has passed. There are arguments for maintaining such systems:
for example, the Tony Blair Institute suggests in its case for digital health passports, that ‘Designed properly and integrating testing status, a health passport would also help us manage the virus and prepare for new strains and future pandemics.’¹⁷⁸

It is likely that SARS-CoV-2 (the virus that causes COVID-19) will become endemic, like seasonal flu and other infectious disease-causing pathogens (or better contained, like measles, or even eliminated), at which point it will no longer require the emergency and intrusive measures justified by its present transmissibility and fatality. Accepting this as a reasonable scientific expectation for the near future raises concerns about the longevity of emergency apparatus, and that such infrastructure – once built – will not be stripped back.

In response, it has been suggested that sunset clauses should be built into any COVID vaccine passport scheme, with primary legislation clearly setting out the date or conditions by which a scheme will come to an end, and procedures designed into the system to allow that to happen, e.g. a process for the permanent deletion of any data, databases or apps that compromise the technical system.¹⁶²

Clauses could be included in any use of emergency powers or particular legislation setting out government powers during the COVID-19 pandemic, and include time horizons like the end of a particular year or the end of the crisis according to set criteria (a declaration by the WHO, or cases of infection at a certain level for a specified time period). The clause could also include any process by which a scheme may be explicitly reapproved and continued. In the UK, it has been suggested that a majority vote in both Houses of Parliament could be required to continue any system.¹⁸⁰ The Danish Government’s plan for the use of its Coronapas includes an August 2021 ’sunset clause’ for the use of the app other than for tourism and travel, with discussions about the experience of using the system in May and June 2021, to decide on its continued scope and use.¹⁸¹

These will not always be enough to guarantee the system does not become a permanent fixture. Take for example, the European Union’s Digital Green Certificate.⁹⁵ In one way, it is clearly a time-limited proposal with a clear-end point, albeit with quite a high bar: ‘the Digital Green Certificate system will be suspended once the World Health Organization (WHO) declares the end of the international public health emergency caused by COVID-19.’ However, as a reminder of how these systems become a permanent fixture of life, they note immediately afterwards that ‘Similarly, if the WHO declares a new international public health emergency caused by COVID-19, a variant of it, or a similar infectious disease, the system could be reactivated.’

This creates a kind of path dependency: once this system is built, it becomes a tool for future emergencies, including any future outbreak of COVID-19 or other respiratory pandemics. This in itself does not pose too many additional concerns, beyond those raised in previous chapters. If it can be justified in our current emergency circumstances, there are good reasons to think it could be justified in similar future emergencies, and a pre-existing system could allow it to be spun up much faster. But many of these systems are being discussed as if they are one-off temporary solutions. If the plan from the start is for them to form the basis for future respiratory pandemic preparedness, they should be honestly presented to the public in these terms. They will also require ongoing investment and maintenance.

Scope creep

There is another version of this path dependency: if the purpose and design of the system expands beyond the narrow focus on an emergency response to become business as usual. The digital nature of the system particularly lends itself to iteration, gradual expansion and ‘scope creep’. Some forms of expanded functionality might be in keeping with a public
health purpose, for example, collecting data for disease surveillance and epidemiological research for COVID-19, and perhaps integrating symptom tracking systems with vaccination status.

Other forms may be more sweeping. Other kinds of health status such as physical and mental health records and genetic-test results could also be incorporated to provide more sophisticated risk scoring or even inclusion and exclusion on the basis of health risks beyond COVID-19, moving from COVID status certification to health status certification.³
medConfidential suggest a thought experiment for provocation: any solution under consideration should be tested against whether we would accept the same system of health information verification and differential access for a mental health condition or for HIV.¹⁸⁴

Some have pointed to the history of biometric technologies as an analogous example of scope creep, with the initial uses of biometrics limited to exceptional circumstances, such as detention centres and crime investigations, before gradually expanding into everyday tasks,
such as unlocking our phones or logging into our bank accounts. Technologies that seemed intrusive when introduced become commonplace step by step, first by their use in extremes and then each use setting a precedent for the next.¹⁸⁵ That is not to say that the gradual
expansion of biometrics is inherently problematic – they are clearly useful in many applications – but often technologies are developed and rolled out before there is sufficient engagement with the public about what use cases they find acceptable and what criteria for effectiveness
and governance they would set.

Similarly, the continued use and expansion of a COVID vaccine passport system could possibly be justified if the tensions in previous chapters are resolved and COVID-19 remains a long-term danger or we deem the systems useful enough to be repurposed for other health concerns. The key concern is that conversations and public engagement need to happen at each stage of continued use and expansion. Each use needs to be evaluated on its own terms at the time of deployment, informed by lessons learned from the previous operation of any similar systems, and driven by informed decisions rather than allowed to continue through software updates without transparency or accountability to citizens.

There is a risk that these important conversations about continued use may not happen or lose salience when the immediate danger is passed, and citizens have to focus their minds on rebuilding post-pandemic.

Others have suggested the system could be expanded beyond the health context, such as for identity verification for other purposes and generalised surveillance.¹⁸⁶ However, the greatest impact of developing COVID vaccine passport systems may not be that the core of the system
is directly expanded into a permanent form of digital identity. Rather, the implementation of the system might set precedents and norms that influence and accelerate the creation of other systems for identification and surveillance.

Wider path dependencies

Just as path dependencies in terms of existing infrastructure, legal mechanisms and social and ethical norms will shape any adoption of COVID vaccine passport systems, so will those systems shape the paths available to decision-makers at future junctures.

Decisions made today may have implications for many years to come. For example, if we put in place widespread facial recognition systems to verify identity under these schemes, will we then re-evaluate the appropriateness of using facial recognition for other purposes e.g. age verification in hospitality venues? Or will we be locked into a path, once the capital has been invested, of installing and ironing out the operational issues in these systems? In this scenario, venues find themselves with a very different cost-benefit calculation than they did before the pandemic.

Comparisons were drawn during our expert deliberation to post9/11 security infrastructure at airports, and the once limited but now essentially mandatory Aadhaar identity system in India. There was pessimism about the likelihood of COVID vaccine passport technologies being ‘switched off’ once the crisis has passed, and the tendency to lead to path dependency: ‘Once a road is built, good luck not using it,’ as one participant in our expert deliberation put it. This might be a particular issue if the status of other health conditions were to be added.

Continuous development

If we recognise that these technologies are not intended to disappear once the immediate danger has passed, then we must think of these technologies as perpetually unfinished. This is especially true of the software aspects, which will require constant updates to remain
compatible and consistent with other software systems, legislation and standards.

Therefore, ethical evaluations of COVID status certification systems will require acknowledgment of uncertainty, risk and the inherent unfinished nature of the technology. Where significant uncertainty exists, some suggest that decision-makers can learn from precautionary and anticipatory approaches in sustainable development and other fields.³

Wider information flows and changing expectations

Even if the scope of statuses and purposes in the systems themselves remains limited, concerns were raised during our expert deliberation about how information in the system might be used more broadly than intended.

Even with the most privacy-preserving technology, health data could come into contact with different actors, including those in healthcare settings, employers, clients, police, pubs and insurance companies, who may have different levels of experience and trustworthiness in handling personal data. Private companies who offer COVID vaccine passports may also have commercial incentives to monetise any personal data they collect. Both risk data being shared with third-parties and being repurposed in future for uses the individual did not consent to. This concern is likely to be less significant if high standards on privacy-preserving design are followed in the design phase, and if data protection law is adequately enforced.

Finally, the implementation and existence of a system of health data-sharing in exchange for differential access to services could change social norms about the acceptable circumstances for health data-sharing in future, particularly if the system has any durability beyond the immediate emergency circumstances.³⁵ This is not to prejudge what those changes will be – an ineffective and mismanaged system could damage public trust in digital identity systems and health data-sharing, while an apparently successful one might embed those ideas as a normal part of daily life. Either way, it will have an effect on the social norms and ethical reality in which we evaluate the system retrospectively, for good or ill, and it will shape the attitudes we take into future systems with similar properties.

Conclusion

In this report the Ada Lovelace Institute sets out detailed recommendations under six requirements for policymakers, developers and designers to work through, to determine whether a roll-out of vaccine passports could navigate risks to play a socially beneficial role.

The six requirements for policymakers, developers and designers are:

1. Scientific confidence in the impact on public health
2. Clear, specific and delimited purpose
3. Ethical consideration and clear legal guidance about permitted and restricted uses, and mechanisms to support rights and redress and tackle illegal use
4. Sociotechnical system design, including operational infrastructure
5. Public legitimacy
6. Protection against future risks and mitigation strategies for global harms.

This report draws on a wide range of evidence:

• Evidence submitted as part of an open call during January and
  February 2021, which can be found on the Ada Lovelace Institute
  website.
• A rapid deliberation by an expert panel, summarised in the February 2021 report What place should COVID-19 vaccine passports have in society? The deliberation was chaired by Professor Sir Jonathan Montgomery with leading experts in immunology, epidemiology, public health, law, philosophy, digital identity and engineering.
• A series of public events on the history and uses of vaccine passports, their possible economic and epidemiological impact, their ethical implications, and the socio-technical challenges of building a vaccine passport system.
• An international monitor of the development and use of vaccine passport schemes globally.
• Desk research and targeted interviews with experts and developers.

The report concludes that building digital infrastructure that enables different actors across society to control rights or freedoms on the basis of individual health status, and all the potential benefits and harms that could arise from doing so, should:

1. Face a high bar: to build from a secure scientific foundation, with understanding of the full context of the sociotechnical system, and mitigate some of the biggest risks through law and policy.
2. Not prove a technological distraction from the only definitive route to reopening societies safely and equitably: global vaccination.

At the current point in the pandemic response, there hasn’t been enough time for real-world models to work comprehensively through these challenging but necessary steps, and much of the debate has focused on a smaller subset of these requirements – in particular technical design and public acceptability.

Despite the high thresholds, and given what is at stake and how much is still uncertain about the pathway of the pandemic, it is possible that the case can be made for vaccine passports to become a legitimate tool to manage COVID-19 at a domestic, national scale, as well as supporting safer international travel.

As the pandemic response continues around the globe. evidence will continue to emerge, and more detail will come into the public domain about possible models and pilot schemes. We hope the structures developed here remain valuable for decision-makers in industry and government and support efforts to ensure that – if vaccine passports are developed and deployed – that happens in a way that supports a just, equitable society.

Acknowledgements

We are indebted to the many experts and organisations who contributed evidence, spoke at events and briefings, demonstrated tools, and took part in the expert deliberation. We’d especially like to thank Professor Sir Jonathan Montgomery for chairing the expert deliberation, and Gavin Freeguard who has made substantial contributions as a consultant to
delivering this project.

This project has been supported by the European AI Fund, a collaborative initiative of the Network of European Foundations (NEF). The sole responsibility for the project lies with the organiser(s) and the content may not necessarily reflect the positions of European AI Fund,
NEF or European AI Fund’s Partner Foundations.

Participants in the expert deliberation:

Sir Jonathan Montgomery (chair) is Professor of Health Care Law at University College London and Chair of Oxford University Hospitals NHSFT. He was previously Chair of the Nuffield Council on Bioethics and Chair of the Health Research Authority.

Professor Danny Altmann is Professor of Immunology at Imperial College London, where he heads a lab at the Hammersmith Hospital Campus. He was previously Editor-in-Chief of the British Society for Immunology’s ‘Immunology’ journal and is an Associate Editor at ‘Vaccine’ and at ‘Frontiers in Immunology.’

Professor Dave Archard is Emeritus Professor of Philosophy at Queen’s University Belfast. He is also Chair of the Nuffield Council on Bioethics, a member of the Clinical Ethics Committee at Great Ormond Street Hospital and Honorary Vice-President of the Society for Applied Philosophy.

Dr Ana Beduschi is an Associate Professor of Law at Exeter University. She currently leads the UKRI ESRC-funded project on COVID-19: Human Rights Implications of Digital Certificates for Health Status Verification. Professor Sanjoy Bhattacharya is Professor in the History of Medicine, Director of the Centre for Global Health Histories and Director of the WHO
Collaborating Centre for Global Health Histories at the University of York

Dr Sarah Chan is a Chancellor’s Fellow and Reader in Bioethics at the Usher Institute, University of Edinburgh. She is also Deputy Director of the Mason Institute for Medicine, Life Sciences and Law, a Associate Director of the Centre for Biomedicine, Self and Society and a member of the Genomics England Ethics Advisory Committee.

Dr Tracey Chantler is Assistant Professor of Public Health Evaluation & Medical Anthropology at the London School of Hygiene and Tropical Medicine. She is also a member of the Immunisation Health Protection Research Unit, a collaborative research group involving Public Health England and LSHTM.

Professor Robert Dingwall is Professor of Sociology at Nottingham Trent University. He is also a Fellow of the Academy of Social Sciences and a member of the Faculty of Public Health. He sits on several government advisory committees, including NERVTAG (New and Emerging Respiratory Virus Threats Advisory Group) and the JCVI (Joint Committee on Vaccination and Immunisation) sub-committee on Covid-19.

Professor Amy Fairchild is Dean and Professor at the College of Public Health, Ohio State University. She is also Co-Director of the World Health Organization Collaborating Center for Bioethics at Columbia’s Center for the History and Ethics of Public Health.

Dr Matteo Galizzi is Associate Professor of Behavioural Science at the London School of Economics. He is also Co-Director of LSE Behavioural Lab and coordinates the Behavioural Experiments in Health Network and the Data Linking Initiative in Behavioural Science.

Professor Michael Parker is Director of the Wellcome Centre for Ethics and Humanities and Director of the Ethox Centre at the University of Oxford. He is also a member of the Government’s Scientific Advisory Group for Emergencies, the Chair of the Genomics England Ethics Advisory Committee and a non-executive director of Genomics England.

Dr Sobia Raza is a Senior Fellow at the Health Foundation within the Data Analytics team. She is also an Associate and previous Head of Science at the PHG Foundation.

Dr Peter Taylor is Director of Research at the Institute of Development Studies. He was previously the Director of Strategic Development at the International Development Research Centre.

Dr Carmela Troncoso is Assistant Professor, Security and Privacy Engineering Lab at the École Polytechnique Fédérale de Lausanne. She was a leading researcher on DP-3T and is also a member of the Swiss National COVID-19 Science Task Force’s expert group on Digital Epidemiology.

Dr Edgar Whitley is Associate Professor of Information Systems at the London School of Economics. He is co-chair of the UK Cabinet Office Privacy and Consumer Advisory Group and was the research coordinator of the LSE Identity Project on the UK’s proposals to introduce biometric identity cards.

Dr James Wilson is Professor of Philosophy and Co-Director of the Health Humanities Centre at University College London. He is also an Associate editor of Public Health Ethics and Member of the National Data Guardian’s Panel and Steering Group.

The following individuals and organisations responded to our open call for evidence:

• Access Now
• Ally Smith
• Dr Baobao Zhang, Cornell University
• BLOK BioScience International
• Dr Btihaj Ajana, King’s College London
• Consult Hyperion
• The COVID-19 Credentials Initiative, Linux Foundation Public Health
• Professor Derek McAuley, Professor Richard Hyde and Dr Jiahong
  Chen, Horizon Digital Economy Research Institute, University of
  Nottingham
• Dr Dinesh V Gunasekeran, National University of Singapore
• eHealthVisa
• The Electronic Frontiers Foundation
• James Edwards
• Professor Julian Savulescu and Dr Rebecca Brown, Oxford Uehiro
  Centre for Practical Ethics, University of Oxford
• Marcia Fletcher
• medConfidential
• The PathCheck Foundation
• Patrick Gracey, Patrick Gracey Productions Ltd
• Robert Seddon
• SICPA
• Susan Mayhew
• techUK
• The Tony Blair Institute for Global Change
• The UK Pandemic Ethics Accelerator
• Yoti
• ZAKA
• Zebra Technologies.

This report was authored by Elliot Jones, Imogen Parker and Gavin Freeguard.

---

Preferred citation: Ada Lovelace Institute. (2021). Checkpoints for vaccine passports. Available at: https://www.adalovelaceinstitute.org/report/checkpoints-for-vaccine-passports/