"Vaccine Pass - Striking a Reasonable Balance Between Protecting Privacy and Public Health" -- Privacy Commissioner's article contribution at Hong Kong Lawyer (March 2022)


With the more contagious COVID-19 variant Omicron sweeping across the world, governments around the globe have been ramping up efforts to address the new challenges posed by the pandemic. Since early 2022, Hong Kong has been hard hit by the Omicron wave, and the gravity of the outbreak necessitates new and more effective measures to contain the spread of the new variant. The vaccine pass arrangements, which took effect from 24 February, require citizens to have received at least one dose of vaccination (or to produce medical exemption certificates instead) before entering scheduled premises such as restaurants, shopping malls and supermarkets. With the colossal number of infections, the Government also announced in February that universal testing would be carried out in March.


Empirical studies have shown that vaccination is the cornerstone of success when it comes to recovering from the pandemic and reducing the rate of infection. In the past year or so, governments around the world have gradually rolled out “health codes”, “vaccine passes” or “COVID-19 health passports”, whether with or without contact tracing functions, as a step towards the resumption of cross-border travel and domestic activities. In the Mainland, whilst practices vary across different provinces, the public is required to show or scan their “health codes” and/or “itinerary codes” that capture information in relation to COVID-19 infection risks and movement histories respectively before entering most public premises. The European Union introduced the “Digital COVID Certificate” to facilitate cross-border travel in Europe. In France, a vaccine pass must be presented for people over 16 years old to enter designated public premises and take public transport. Similarly, in Singapore, citizens are required to use their vaccine pass contained in their contact tracing applications (“TraceTogether”) to create “check-in” records with the Singaporean national digital check-in system (“SafeEntry”) at high-risk public premises, which would then be deployed for contact tracing purposes.


Striking a reasonable balance

While a vaccine pass serves as an effective tool in creating a uniform way of presenting and verifying vaccination records as well as helping public health officials in their contact tracing efforts, given that it often contains personal data such as personal identifiers and COVID-19 vaccination or recovery records of users, any concern by users over the protection of privacy and security of data is understandable.


In trying to strike a reasonable balance between safeguarding public health on the one hand and protecting personal privacy on the other, we have to recognise that the right to privacy, unlike the right to life, is by no means absolute, in particular in times of emergency such as a life-threatening pandemic. As commented by the United Nations Human Rights Committee in November 2018, the right to life “is the supreme right from which no derogation is permitted…even in situations of… public emergencies”. Whilst the right to privacy is enshrined in the Basic Law and the Hong Kong Bill of Rights Ordinance (Cap. 383) (“BORO”), it is subject to restrictions “to the extent strictly required by the exigencies of the situation” at times of public emergency, as stated in Section 5 of BORO. In fact, this limitation is also reflected in the provisions of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), in which section 59 exempts the use of personal data relating to the health, identity or location of an individual from the “limitation on use” requirement if such use is necessary for safeguarding the physical or mental health of the data subject concerned or other individuals.


Vaccine pass

My team and I have looked into the design and functionality of the vaccine pass in Hong Kong, and it has been found that the operation of the vaccine pass is in compliance with the requirements of the PDPO. In actuality, the vaccine pass adopts protection of privacy by design and has notably undergone security and privacy assessments and audits by independent third parties.


I would highlight a few privacy-protecting features of the vaccine pass in this article.


First, data minimisation techniques have been adopted. When a visitor scans the venue’s LeaveHomeSafe QR code with their LeaveHomeSafe app, no personal data would be displayed on screen and only the QR code which represents the vaccination record or medical exemption certificate would be visible. Nor would any personal data be shown on the screen of the venue operator’s mobile device when they use the official “QR Code Verification Scanner” Mobile App to verify the visitor’s vaccine pass.


Second, while visit records would be created after the vaccine passes are verified, all such records, which originate from the visitors’ vaccination records and contain personal data, would be masked and hashed, resulting in the production of unidentifiable data stored in the mobile device of the venue operators. Further, the visit records would be encrypted, making them inaccessible to the venue operators. In essence, no personal data (as defined under the PDPO) are stored in the mobile device of a venue operator.


It is only in the unfortunate event of a confirmed patient having visited the premises that the health authorities would request the visit records be uploaded to the government’s private cloud. The records would then be retrieved and further processed via encrypted channels by authorised personnel for epidemiological investigation, including contact tracing, thus effectively mitigating data security risks.


Third, the visit records would only be temporarily saved in the “QR Code Verification Scanner” App of a venue operator for 31 days for anti-epidemic purposes, after which, as we understand, the data would be deleted automatically.
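The record handling described in the second and third features, as an added Python example; it is not code from the LeaveHomeSafe or “QR Code Verification Scanner” apps. The masking rule (keep the first four characters), the use of SHA-256, the record fields, the matching step and all function names are assumptions, and the encryption layer is left out.

```python
import hashlib
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=31)  # retention period stated in the article


def mask(identifier: str, keep: int = 4) -> str:
    """Keep the first `keep` characters and blank the rest (assumed masking rule)."""
    return identifier[:keep] + "*" * max(len(identifier) - keep, 0)


def visit_token(identifier: str) -> str:
    """Mask first, then hash: the digest is derived only from the masked value."""
    return hashlib.sha256(mask(identifier).encode("utf-8")).hexdigest()


def make_visit_record(identifier: str, seen_at: datetime) -> dict:
    """Record stored on the venue device: a token and a timestamp, no clear text."""
    return {"token": visit_token(identifier), "seen_at": seen_at}


def purge_expired(records: list, now: datetime) -> list:
    """Drop every record that has reached the 31-day retention limit."""
    return [r for r in records if now - r["seen_at"] < RETENTION]


def candidate_matches(records: list, case_identifier: str) -> list:
    """Records whose token matches a confirmed case (assumed matching step)."""
    token = visit_token(case_identifier)
    return [r for r in records if r["token"] == token]


if __name__ == "__main__":
    now = datetime(2022, 3, 31, tzinfo=timezone.utc)
    # Constructed sample identifiers and visit times, not real data.
    store = [
        make_visit_record("Z9876543", now - timedelta(days=3)),
        make_visit_record("Q1122334", now - timedelta(days=40)),
    ]
    store = purge_expired(store, now)
    hits = candidate_matches(store, "Z9876543")
    print(len(store), "record(s) kept;", len(hits), "candidate match(es)")
```

Because the identifier is masked before it is hashed, two identifiers that share the unmasked prefix yield the same token, so the stored digest cannot be worked back to one full identifier.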


With daily infection numbers hitting unprecedented highs, preventing the spread of Omicron and enhancing contact tracing efforts to safeguard public health are legitimate and reasonable purposes for implementing more robust anti-pandemic measures. The introduction of the Hong Kong vaccine pass is in line with similar measures taken in the Mainland and other parts of the world, and does not fall afoul of any requirement of the privacy law. Hong Kong is presently facing an unprecedented public health crisis. Let us make good use of the vaccine pass and join hands in riding out the storm.