Companies should avoid requiring or even asking employees to adopt digital travel health passports until they have conducted extensive data-privacy impact assessments, according to the global head of privacy for travel management company CWT.
Health data is treated under the European Union's General Data Protection Regulation as "sensitive data," which may be processed only if a clear legal basis has been established to do so. Such a legal basis has yet to be clarified for travel health passports, said Christel Cao-Delebarre, who added that GDPR is emerging as a global standard for data-privacy practice. Companies also will need to carry out due diligence on the security of the different passport products under development and establish whether they, as employers, would face liability in the event of any breaches.
One travel manager who already has investigated health passports told BTN his company is very wary of introducing them. "Our head of privacy reconfirmed that we must find a way this is never mandated as the company might be liable for data breaches," said the travel manager, requesting anonymity. "If employees adopt a passport voluntarily, because it makes their life easier, that's OK."
A survey of business travelers published earlier this month by BCD Travel found their No. 1 criterion for acceptance of health passports was satisfactory data protection.
Health passports carry a digital record of whether holders have been tested or vaccinated for Covid-19. Almost every country worldwide currently requires evidence of a negative Covid test before gaining admission, and discussion has started about whether a vaccination certificate should be made a prerequisite for border entry or boarding aircraft. At least 10 passport schemes actively are being promoted, and in some cases are already being trialed.
"Every new proposal to help people get out of their homes we'll welcome and we'll look at in compliance with privacy, but it needs to be done in compliance with fundamental privacy rights to ensure trust," Cao-Delebarre said. "There's more work to do right now before the passports can be issued.
"In terms of corporate communication, employers can actively promote their position towards vaccination campaigns, and engage staff in a constructive discussion. However, asking or insisting that employees sign up to health passports would carry legal risk."
For travel managers and the companies they work for, said Cao-Delebarre, "Don't rush into it before making sure you have carried out an in-depth privacy impact assessment. What are the consequences if you have mandated health passes as an organization? What are you really saying to your employees? It has bigger implications in terms of potential discrimination or categorizing your employees. I would really encourage them not to rush into this until there is much more certainty from governments and policymakers, and make sure that privacy and local employment law matters are checked and rechecked."
Cao-Delebarre added that travel managers should collaborate with their in-house legal and privacy teams. She also urged travel managers to take the matter to board level to resolve the balance of legal and privacy risks with the business continuity risk presented by not resuming travel.
Several obstacles block the path to finding a legal basis for either mandatory or compulsory enrollment of travelers. The first, said Cao-Delebarre, is that "as a general rule, the legal basis for employees to be required to be vaccinated and obtain a health passport lies in substantiating an employer's obligation to invoke or comply with a specific law, regulation, governmental approach or decree, applicable in the field of employment. Currently, in most countries, governments have not made it a legal obligation to be vaccinated against Covid-19."
A related topic is whether employers can ask employees to disclose they have obtained a health passport and whether employers could, as a result, process this information. The answer varies, said Cao-Delebarre. Under Europe's GDPR, consent must be given freely, but it generally is considered impossible for employees to give free consent to employers owing to fear of the potential consequences of refusal. In the Asia-Pacific region, however, it generally is allowed for employers to ask for this data.
"All in all, it is unlikely there will be scope for a global policy, which can make it challenging for global employers," Cao-Delebarre said. "Privacy risk assessments will be on a case-by-case basis, taking into account, in addition to local law, the sector in which employers have their activity and the specific employment duties and role of a particular employee."
If companies succeed in identifying an appropriate legal basis, significant due diligence still would be required to avoid liability if employees' sensitive data were breached or mistreated in other ways, such as through unauthorized sharing. The impact assessment would consider which parties, including the employer, airlines, governments, booking platforms and the digital passport provider, would bear responsibility as controllers or processors of the data.
The assessment also would have to vet the competence of the digital passport provider to protect sensitive data adequately, a task not helped by the number of competitors on the market, each offering a different approach. Schemes including the International Air Transport Association's Travel Pass, or ICC AOKpass—whose backers include the International Chamber of Commerce and assistance and risk management company International SOS—claim they avoid many privacy pitfalls by not maintaining a central database to store traveler data.
AOKpass, for example, places each record on its own blockchain. "It's scientifically impossible to go backwards from the hash to the information," said co-founder Dr. Chester Drum. "That process allows us to manage signatures instead of the information itself and that provides the authentication backbone.
"In theory, you could have a server that takes all this information from around the world and have one hard drive, and everybody recognizes that server as the authenticated data, but that would be very dangerous. One of the biggest dangers to compromising privacy is when you take a lot of sensitive information and put it in one place," said Drum.
For hackers, Drum argued, the considerable effort required to breach a system is only worthwhile if a large cache of information can be stolen, but not if the breach only results in accessing the data of a single person. "That's why decentralization by itself is one of the most powerful security measures you can take," he said.
Drum acknowledged there remains an initial challenge of finding a legal basis for employers to move employees onto travel health passports. But, he said, "the flip side of the coin is that companies have an obligation to protect employees," including the use of medical testing to further their safety. "There's a tradeoff."
The travel manager who had been advised to avoid mandatory health passport enrollment for his company's travelers noted that, to the best of his knowledge, there has been little or no consultation by passport developers with the corporate travel management sector.
Cao-Delebarre said better cooperation is essential. "Sharing and tracking health data really requires an in-depth privacy assessment, and for the travel ecosystem it would be a good idea to come together and decide who is doing what," she said. "It's not an overnight thing. It has to be well thought through to make sure the liabilities that could take place following a hacking or other security event are very well identified and distributed, and at the end of the day that the traveler is protected."