Vaccine passports and privacy pitfalls

As businesses consider returning to the office, they must realise that they now have more responsibility for their employees’ well-being than ever before, and precautions must be taken to protect them from COVID-19 and its variants.

Since not all staff are likely to have been vaccinated, employers are seeking ways to determine who has received their shots. However, the need to manage and protect such sensitive information presents a significant data security challenge.

The New Normal, For Now

Last March, most workforces suddenly shifted from 10-20% working from home (WFH) to an unprecedented 90-100%. The vast majority of employees are still working remotely, with no prospect of returning to the office anytime soon.

Many have been allowed to use their own devices to remotely access systems that were previously restricted due to the confidentiality, integrity or availability of the data.

Obviously, this has created a significant security risk, but during a period like this, when the main priority is to retain business continuity and productivity, it’s easy to understand why businesses chose to turn a blind eye.

Are Organisations Ready?

Many employers are asking their employees for proof of vaccination in order to return to the office, and this poses a number of challenges. First of all, there’s the operational challenge: how will companies collect this information? What types of vaccine evidence will they accept? How will the records be kept up to date?

Next is the health data security challenge. Very few organisations are prepared to store such sensitive information and, further complicating things, every country has its own required framework for protecting health data. For example, hospitals in the US follow HIPAA guidelines, those in the UK follow NHS guidelines, and those in Ireland follow HSE guidelines.

This is an unprecedented challenge for organisations. Even if they are compliant with GDPR regulations, these ‘vaccine passports’ they are requiring constitute health data, which must be protected under an entirely new set of rules. In fact, it is potentially the most sensitive information these companies have ever had to manage.

Potential Liabilities

For employees, if personal health data were released into the public domain or even just within the organisation, the liability would be significant – from a legal and cybersecurity perspective.

If it is known that organisations are demanding COVID-19 data from staff, it also makes them a target for criminals.

Should companies decide to collect information on employees’ vaccination status, it is crucial that they write a policy for their legal department’s approval and share it with the workforce. They must then ensure the right systems are in place to safely store the information.

They need to look at the controls they are going to place around the physical security of the office, along with cybersecurity for the health data being collected and stored.

Users should be trained on what to do if they have concerns or feel their health data has been compromised. Furthermore, if it is going to be stored by a third party, that party should be fully vetted for cybersecurity, even more carefully than a traditional third-party vendor.

Finally, companies must consider crisis management: what will they do if something goes wrong? Companies must look at every possible scenario, including data deletion, modification and theft.

Can They Do It?

The challenge is not insurmountable, but it is significant. Between the legal ramifications, technical requirements, reputational damage if something were to go wrong, and challenge of convincing employees to turn over their data in the first place, organisations that demand vaccinations have quite a task ahead of them.

The most important thing is to make sure that the key decision makers – C-level executives and the board – are fully on board and educated about the potential threats.

I suggest using the 5 Pillars of Security framework, a proven methodology designed to demystify cybersecurity challenges for company leadership by framing them in business language that the C-suite and board can understand.

We will likely be in a hybrid office/WFH model for some time and need to learn how to manage this new environment. It is likely that most organisations will collect data associated with their employees’ health, so we can no longer rely on old controls that were not designed for this type of situation.

We need to move forward by elevating the data security issue to the C-suite and board level and ensuring that organisations have the strongest possible level of technical controls, policies and training in place.

Mathieu Gorge is VigiTrust CEO & Founder.