WHO Plans Privacy, Security Rules for Covid-19 Vaccine Certificates

The World Health Organization is working on the technical details and privacy standards for digital certificates for coronavirus vaccines to provide individuals with proof of immunization that can be accepted in other countries.

According to Bernardo Mariano Jr, information officer at the UN health agency, WHO is working with Estonia and a group of about 150 volunteers from privacy, management and other experts to determine how an international system for checking individuals’ vaccination history might work. It expects the specifications to be published by the end of the first quarter.

We really need to get the balance right so that people are fully engaged in their health, well-being and safety or privacy, Mr Mariano said. Two aspects are essential, he said: Individual users should always be able to remove their data from the certificates and technology providers should not be allowed to use the data they process.

Newsletter subscription

WSJ Pro Cybersecurity

News, analysis and views on cybersecurity from WSJ’s global team of reporters and editors.

Many European countries have been in lockdown mode for weeks or months, and some have recently begun requiring negative Covid-19 test results from prospective air travelers. Several government officials expressed support for a common immunization card that would facilitate travel. The UK government is considering introducing technology that would allow individuals to prove they have been given a chance. Vaccination rates vary considerably between European countries, with the United Kingdom being the most advanced with a vaccination rate of about 4.5% of the population, while in France only 0.37% of the population has been vaccinated.

Any technology used to help people travel and prevent infection during a pandemic must reassure people about the security of their data, said Massimo Marelli, data protection officer at the Geneva-based International Committee of the Red Cross. Last year, he said, data protection advocates were quick to create national contact-tracking applications, some with strong privacy protections.

The privacy community has gained a lot of credibility, he said.

Estonia began testing its digital certificate for a coronavirus vaccine this week and expects other countries, including Iceland, Finland and Hungary, to begin similar tests soon, said Marten Keevats, technology adviser to the Estonian government. He said court proceedings regarding interstate travel will begin next month. On Thursday, Estonia vaccinated about 1.1 percent of its population, according to the country’s health authority.

According to Kajevac, more and more countries are showing interest in participating in the study. There is a strong sense of urgency to make the economy work, and citizens of all countries want to travel safely again, he said.

According to Mariano, the technology can vary from country to country. WHO will play a role in making different tools work together when a person travels, but it will not record or store personal data, he added.

The Estonian tool uses QR codes to confirm whether a person has received the vaccine and does not contain any personal information about that person, Keevac said. The Estonian government provides a list of health facilities certified to administer vaccines. When people travel from one country to another, for example, border officials check whether someone has received the vaccine from a certified supplier, he added.

Healthcare providers will create a digital certificate with a QR code for each vaccine they administer, said Ain Aaviksoo, Chief Medical Officer of Guardtime Health OÜ, the Estonian company that developed the Covid-19 digital certificate system. Kajevac said the document resembles a flight boarding pass and can be opened in applications such as iPhone Wallet or in emails. It can also be printed, he said.

Ain Aaviksu, chief medical officer of the guard.



The Estonian tool is based on blockchain, a decentralized method of storing encrypted records that are shared between parties and cannot be changed, to transfer data. In October, Estonia and the WHO signed a memorandum of understanding to cooperate on the development of digital vaccination certificates. In addition to his work for the Estonian government, Mr Kaevac also advises WHO on digital health.

Even if you lose your certificate, no one else can know whose it is. We’ve tried to push the confidentiality requirement as far as possible, Aaviksu said.

This technology also makes it possible to detect errors or forgeries because the certificate contains the codes of the vaccine vials. When a certificate is issued, it can only be issued for a specific vaccine for which we know the history in the supply chain, he said.

Mr Mariano said he expects countries to introduce digital immunisation certificates more widely this spring, once the WHO expert group has agreed on the technology and privacy standards.

He said digital certificates must comply with the principles of the 2018 EU Data Protection Regulation, including an individual’s consent to the transfer of personal data for research purposes.

We don’t want to monetize health data, but we want to make research and other health benefits … made available without infringing on a person’s privacy or safety, Mariano said.

Email Catherine Stapp at [email protected].

You May Also Like