Travel health passes that trigger data privacy alarms

Businesses should avoid requiring or even asking employees to adopt digital travel health passports until they have conducted comprehensive impact assessments of data protection, according to the Global Head of Integrity for Travel Management Company CWT.

According to the European Union’s General Data Protection Regulation, health data are treated as “sensitive data”, which can only be processed if a clear legal basis has been established for doing so. Such a legal basis still needs to be clarified for travel health passports, says Christel Cao-Delebarre, who added that the GDPR emerges as a global standard for data privacy practices. Companies will also need to exercise due diligence on the security of the various passport products under development and determine whether they, as employers, would be responsible for any infringements.

A travel manager who has already examined health passes told BTN that his company is very careful about introducing them. “Our head of privacy reaffirmed that we need to find a way that this is never mandatory because the company may be responsible for data breaches,” said the travel manager, requesting anonymity. “If employees adopt a passport voluntarily, because it makes life easier, it’s OK.”

A survey of business travelers published by BCD Travel earlier this month found that their No. 1 criterion for approving health passports was satisfactory data protection.

Hälsopass has a digital register of whether holders have been tested or vaccinated for Covid-19. Almost all countries around the world currently require proof of a negative Covid test before they can enter, and discussion has begun on whether a vaccination certificate should be made a prerequisite for border entry or boarding of aircraft. At least ten passport programs are actively promoted and in some cases are already being tested.

“We welcome any new proposal to help people get out of their homes and we will look at it in accordance with privacy, but it must be done in accordance with fundamental privacy rights to ensure trust,” Cao-Delebarre said. “There is more work to be done right now before the passport can be issued.

“When it comes to business communication, employers can actively promote their position on vaccination campaigns and engage staff in a constructive discussion. Asking or insisting that employees sign up for health passes would entail legal risks.”

For travel managers and the companies they work for, says Cao-Delebarre, “do not rush into it until you make sure you have performed an in-depth impact assessment. What are the consequences if you have a mandate as a health worker as an organization? What do you really say? to your employees? It has greater implications when it comes to potential discrimination or categorization of your employees.I would really encourage them not to rush into this until there is much more security from governments and decision makers, and to ensure the integrity and local labor law issues are checked and re-checked. “

Cao-Delebarre added that travel managers should cooperate with their own law and secrecy laws. She also urged travel managers to take the matter to board level to resolve the balance between legal and privacy risks with the business-related continuity risk by not resuming travel.

Several obstacles are blocking the way to finding a legal basis for either mandatory or mandatory registration of travelers. The first, Cao-Delebarre said, is that “as a rule, the legal basis for employees to be vaccinated and obtain a health pass is to support an employer’s obligation to invoke or comply with a specific law, regulation, state approach or decree applicable in the field of employment At present, governments in most countries have not made it a legal obligation to be vaccinated against Covid-19. “

A related topic is whether employers can ask employees to disclose that they have received a health passport and whether employers can process this information as a result. The answer varies, said Cao-Delebarre. According to the European GDPR, consent must be given freely, but it is generally considered impossible for workers to give free consent to employers for fear of the potential consequences of refusal. In the Asia-Pacific region, however, employers are generally allowed to request this information.

“Overall, it is unlikely that there is room for a global policy, which could make it challenging for global employers,” Cao-Delebarre said. “Privacy assessments will be made on a case-by-case basis, taking into account, in addition to local law, the sector in which employers operate and the specific employment tasks and role of a particular employee.”

If companies succeed in identifying an appropriate legal basis, considerable care is still required to avoid liability if employees’ sensitive information is broken or otherwise processed, for example through unauthorized sharing. The impact assessment would consider which parties, including the employer, the airlines, authorities, booking platforms and the digital passport provider, would have the responsibility as data controller or processor.

The assessment would also need to veterinize the digital passport provider’s expertise to adequately protect sensitive data, a data that is not supported by the number of competitors in the market, each offering different ways. Systems including the International Air Transport Association’s Travel Pass, or ICC AOKpass – whose supporters include the International Chamber of Commerce and the aid and risk management company International SOS – claim that they avoid many cases of privacy by not having a central database to store passenger data.

For example, AOKpass places each record on its own blockchain. “It is scientifically impossible to go backwards from the hash to the information,” says co-founder Dr. Chester Drum. “That process allows us to handle signatures instead of the information itself and that provides the authentication framework.

“In theory, you could have a server that takes all this information from around the world and has a hard drive, and everyone recognizes that server as authenticated data, but that would be very dangerous. One of the biggest dangers to compromising privacy is when you takes very sensitive information and puts it in one place, says Drum.

For hackers, Drum argued, the significant effort required to break into a system is only valuable if a large information cache can be stolen, but not if the intrusion only results in access to data for a single person. “Therefore, decentralization is in itself one of the most powerful security measures you can take,” he said.

Drum acknowledged that there is still a first challenge in finding a legal basis for employers to move employees to travel health passports. But, he said, “the flip side of the coin is that companies have a duty to protect employees,” including the use of medical tests to promote their safety. “There is a compromise.”

The travel manager who had been advised to avoid mandatory registration of health passports for the company’s travelers noted that, as far as he knows, there has been little or no consultation with passport developers with the company’s travel management.

Cao-Delebarre said that better cooperation is important. “Sharing and tracking health data really requires an in-depth privacy assessment, and for the travel ecosystem, it would be a good idea to meet and decide who does what,” she said. “It’s not an overnight thing. It must be well thought out to ensure that the debts that can occur after a hacking or other security incident are very well identified and distributed, and at the end of the day the traveler is protected.”

Spread the love
[ Sharing is Caring! ]

More Tags We Love

Marketing a media Rehab centers in houston Truck driving schools in michigan Lawn service business cards Destroy House painting images Bad credit personal loans uk Online Insurance Quotes Young Drivers Storage space running out android Credit counseling society

This div height required for enabling the sticky sidebar