Data privacy – do I really care?
28 January 2021
Today is Data Privacy Day and I have to confess that my heart sank at the thought of writing an article on data protection - in the middle of a pandemic – when all anyone is thinking about is the vaccine and the tantalizing possibility that at some stage in the future, life might revert to normal.
If the real test of a society's values is whether, having made laws in moments of calm, it follows them in times of crisis, then now is the perfect opportunity to reflect and to see whether we really do measure up to our professed values.
The press is full of reports about the vaccine and its game-changing impact. Travel companies are now bombarding us with emails encouraging us to book flights and holidays and apparently, over 50s are booking with alacrity, presumably in the expectation that when the departure date arrives, they will have received the vaccine and will have whatever vaccine passport is required to get on the plane.
The idea of a vaccine passport is interesting. If everyone has to have one to get on the plane, then perhaps passengers might draw some comfort from this and become more confident about travelling. But a plane is a train is a bus; what if you were to need a vaccine passport to use public transport? Or to go into a shop? Is it any different to having to wear a mask which seems to be broadly accepted? And what's data protection got to do with any of this?
Whilst having to have a vaccine passport to travel to a foreign country may seem fine, I have to confess that I feel uneasy about a vaccine passport being used to stop people accessing ordinary services such as local bus services or shops, particularly when the vaccine roll out is at such an early stage. Whether someone has or has not had the vaccine is a matter of chance and to use that status as a basis to discriminate seems wrong. Feelings of unease are one thing, the law is quite another and that's where I think data protection, and in particular, the Data Protection (Jersey) Law 2018 (the "Law"), comes in.
Under the Law, data must be processed lawfully, fairly and in a transparent manner; it must be limited to what is necessary, accurate and kept for no longer than is necessary. A person's vaccine status is called "special category data" because it is so sensitive and that limits the grounds upon which it can be processed (and that includes reading, inspecting or storing it).
On the basis of what we read in the press, the vaccine should slow the spread of the virus; were I to catch Covid, I would be less likely to die or to require hospital treatment; it does not (as far as we currently know) stop the ability of a person to spread the virus. And that for me is the crux of this issue.
The need for hospital treatment and the severity of illnesses is something that concerns governments; they need to ensure that they have sufficient facilities that are not going to be overwhelmed with patients who are seriously ill. Governments have a legitimate interest in ensuring that their citizens and visitors are vaccinated. It seems fair enough then that if we want to visit a country we should declare our vaccine status (and that is something that has happened historically around the world with various countries requiring certain vaccinations for visitors and requiring vaccination certificates to be provided). And although early days, it may be that the particular type of vaccine is also a necessary piece of data.
But whether I may or may not require hospital treatment, or become seriously ill, is of no relevance to a bus company or a shop; all they should really need to know is that I am not going to infect other passengers or employees (in which case, mask wearing may be far more relevant). In my view, vaccine status is not a necessary piece of data for these organisations. So under the Law, they are not entitled to hold it or to process it, and that includes requesting it before passengers can get on a bus or individuals can go into a shop.
Obviously the analysis gets a little more complex when the airlines are crossing borders and collecting information on behalf of the country into which they are flying or in response to a law imposed on them.
Fast forward 6 months and we might know more about the efficacy of the vaccine to prevent the spread of the virus. If vaccinated people cannot be spreaders, does the analysis change? It might well do, but in that case, we need a discussion as a society as to who actually needs this information, how they use it, and how long they keep it because the danger is that with such an enormous amount of sensitive data readily available, unless we are careful and resist the temptation, it becomes a tool for unfair (and possibly somewhat random) discrimination and victimisation.
Like many things, data protection is being, and will continue to be, tested through the crisis. Although it might not appear quite so relevant as masks or sanitiser, it does have a role to play. That is particularly so if the lofty ambition to vaccinate the world might actually translate in reality into one database, containing special category data, on every single human on the planet. Definitely something we should discuss before we do it.
If you would like any further information, please get in touch with your usual Bedell Cristin contact or one of the contacts listed.
Part of our series for Data Privacy Day 2021, first published by Bailiwick Express on 28 January 2021.
Related Service: Regulatory & Compliance
Partner | Cayman Islands
Partner | GuernseyRead more
Richard Le Liard
Partner | Jersey