Hong Kong’s vaccine pass is a vital, and secure, tool in war against Covid-19 -- Privacy Commissioner's article in South China Morning Post (February 2022)

 
With the more contagious Omicron variant sweeping across the world, governments have been ramping up efforts to address the new challenges posed by the Covid-19 pandemic. Since early this year, Hong Kong has been hard hit by the Omicron wave, and the gravity of the outbreak necessitates new and more effective containment measures.

The vaccine pass arrangements, which took effect on February 24, require citizens to have had at least one vaccine dose (or to produce medical exemption certificates instead) before entering premises such as restaurants, shopping malls and supermarkets. Given the colossal number of infections, the prospect of even stricter anti-epidemic measures, on top of universal testing, looms large in the weeks ahead.

Empirical studies have shown that vaccination is the cornerstone of success when it comes to recovering from the pandemic and reducing the rate of infection. In the past year or so, governments around the world have gradually rolled out health codes, vaccine passes or health passports, with or without contact tracing functions, as a step towards the resumption of cross-border travel and domestic activities.

On the mainland, while practices vary across different provinces, people are required to show or scan a health code or itinerary code, which capture information related to Covid-19 infection risk and movement history respectively, before entering most public premises.

The European Union introduced a Digital Covid Certificate to facilitate cross-border travel in Europe. In France, people over 16 must present a vaccine pass to enter designated public premises and take public transport. Similarly, in Singapore, residents are required to use their vaccine pass via the contact tracing app TraceTogether to create check-in records when entering public premises.

A vaccine pass serves as an effective tool in creating a uniform way of presenting and verifying vaccination records, as well as helping public health officials in their contact-tracing efforts. But, given that it often contains data such as personal identifiers and a user’s vaccination or recovery records, any concern over privacy protection and data security is understandable.

In trying to strike a reasonable balance between safeguarding public health and protecting personal privacy, we have to recognise that the right to privacy, like most other rights, is by no means absolute. In times of emergency, like a life-threatening pandemic, it is well established that the right to privacy would have to give way to the right to life.

While the right to privacy is enshrined in the Basic Law and the Hong Kong Bill of Rights Ordinance, it is subject to restrictions “to the extent strictly required by the exigencies of the situation” in times of public emergency, as stated in section 5 of the ordinance.

In fact, under the Personal Data (Privacy) Ordinance, section 59 also exempts personal data relating to the health, identity or location of an individual from data protection provisions, if the use of such data is necessary for safeguarding the physical or mental health of the data subject or other individuals.

My team and I have looked into the design and functionality of the vaccine pass in Hong Kong, and we can assure any people who are in doubt that its operation complies with the Personal Data (Privacy) Ordinance. In actuality, the vaccine pass adopts privacy protection by design and has undergone security and privacy assessments and audits by independent third parties.

To address any lingering doubts, I will highlight a few features of the vaccine pass.

First, data minimisation has been adopted. When a visitor scans a “Leave Home Safe” QR code at a venue with their app, no personal data would be displayed on the screen and only the QR code that represents the vaccination record or medical exemption certificate is visible.

Nor would any personal data be shown on the screen of the venue operator’s mobile device when they use the official “QR Code Verification Scanner” mobile app to verify the visitor’s vaccine pass.

Second, while visit records would be created after the vaccine passes are verified, all such records, which originate from the visitors’ vaccination records and contain personal data, would be masked and hashed, resulting in the production of unidentifiable data stored in the mobile device of the venue operators.

Further, the visit records would be encrypted, making them inaccessible to the venue operators. In essence, no personal data (as defined under the Personal Data (Privacy) Ordinance) is stored in the mobile device of a venue operator.

Only in the unfortunate event when a person who is confirmed to have tested positive for Covid-19 has visited the premises would the health authorities request that the visit records be uploaded to the government’s private cloud. The records would be retrieved and further processed via encrypted channels by authorised personnel for epidemiological investigation, including contact tracing, thus effectively mitigating data security risks.

Third, the visit records would only be saved for 31 days in the “QR Code Verification Scanner” app of a venue operator for anti-epidemic purposes, after which, as we understand, the data would be deleted automatically.

With daily infection numbers hitting unprecedented highs, preventing the spread of Omicron and enhancing contact tracing efforts to safeguard public health are legitimate and reasonable grounds for more robust anti-pandemic measures.

The introduction of the Hong Kong vaccine pass is in line with similar measures taken on the mainland and in other parts of the world, and does not fall foul of the privacy law. Hong Kong is facing an unprecedented public health crisis. Let us make good use of the vaccine pass and join hands to ride out the storm.