Using COVID-19 health data as travel requirement calls for ‘privacy by design’ approach

The Global Privacy Assembly (GPA) is urging government and organizations around the globe to embed a privacy by design approach in using COVID-19 health data as a travel requirement amid the pandemic.

In a statement submitted to the executive committee of the GPA by COVID-19 Working Group Chair Raymund Liboro of the National Privacy Commission, embedding privacy by design will build public trust in such methods and contribute to governments’ public health strategy.

Governments and organizations worldwide are looking into implementing measures to curb the spread of COVID-19 through the sharing of health information of domestic and international travelers as a prerequisite of travel. Examples of such measures are a negative COVID-19 test result, vaccination status, and digital health passports.

The joint statement views the potential sharing of health data on a mass scale across borders and entities as unprecedented or never known before.

“Admittedly, using health data for domestic or international travel purposes is justifiable to curb the spread of COVID-19. However, this must be done with the utmost care and consideration to the individual’s privacy from the outset, also called as privacy by design,” Liboro said.

Any measure adopted by governments and organizations that involve processing of personal data must be guided by effectiveness, necessity, and proportionality. Assure individuals that their health data is handled securely and for travel purposes only; that “the data demanded from them is not excessive; they have clear and accessible information to understand how their data will be used; there is a specific purpose for the processing; and their data will be retained for no longer than is necessary,” the joint statement further read.

Liboro, representing the Philippines as the lead of the GPA COVID-19 Working Group, submitted the joint statement to the executive committee of the GPA. The working group built on the successes of the COVID-19 Task Force, which Liboro also chaired.

Good data protection principles in travel

The joint statement lists the following global data protection practices that governments and organizations can adhere to when they require COVID-19 health data from travelers:

  • Consider the privacy risks of processing a traveler’s COVID-19 health data to from the beginning. Before starting any processing of health data of travelers, conduct a formal and comprehensive assessment of its impacts on the privacy of individuals. Governments and organizations should seek advice or guidance from data protection and privacy authorities.
  • Personal data collected, used, or disclosed to lessen the public health effects of COVID-19 require a clearly defined purpose.
  • All government authorities and organizations must operate under relevant and appropriate lawful authority and ensure that their processing of health data is necessary and proportional.
  • Protect the data protection rights of vulnerable individuals who are unable to use or may not have access to electronic devices. Consider alternative solutions that these individuals do not experience discrimination. Similarly, protect those who cannot be vaccinated due to their age, possible health risks, or other underlying conditions.
  • Inform individuals on how their data will be used, by whom and for what purpose. Provide clear and accessible information recognizing the geographical, cultural, and linguistic diversity of people who wish to travel.
  • Only collect the minimum health information from individuals.
  • Employ measures to address the risks of directly sharing information from health records for travel purposes.
  • Assess the cybersecurity risks of digital systems and apps, especially risks that may emerge in a global threat context.
  • Consider how long the data should be retained. Design a retention period that safely deletes information once it is no longer needed.
  • The design of such schemes should be capable of foreseeing permanent deletion of data or databases. This should also recognize that the routine processing of COVID-19 health information at borders may become unnecessary when the pandemic ends.

Read the joint statement here: