The socio-technical challenges of designing and building a vaccine passport system

In the fourth of our public evidence events on vaccine passports and COVID status apps, we explore what technical and practical considerations any government facilitating vaccine passports and COVID status apps, and the surrounding societal-technical system, need to consider.

This video is embedded with YouTube’s ‘privacy-enhanced mode’ enabled although it is still possible that if you play this video it may add cookies. Read our Privacy policy and Digital best practice for more on how we use digital tools and data.

The World Health Organisation (WHO) has established the Smart Vaccination Certificate consortium which will recommend standards for security, authentication, privacy, and data exchange and develop appropriate guidance detailing use cases, standards, and best practices for member states. The EU Member States, with the support of the European Commission, have adopted guidelines on proof of vaccination for medical purposes set out a trust framework for establishing the authenticity and integrity of certificates. Private initiatives such as the Linux Foundation Public Health’s COVID-19 Credentials Initiative and the Vaccination Credential Initiative, which includes Microsoft and Oracle, are also putting forward and pushing for open, accessible and interoperable technical standards.

These technical concerns are inextricably linked to practical questions around implementation and the wider policy these systems fit into. Who has the legitimacy to create these systems and set standards? How do policymakers and developers prove they and their systems are trustworthy? Are transparent pilots and early engagement with the public (including marginalised groups) enough? What social support needs to be in place for those unable or unwilling to be vaccinated?

And looking beyond the next few months, can these systems be built with sunset clauses and the ability to be ‘switched off’ once their purpose has been served and the crisis has passed? Or will they become part of more permanent infrastructure and push politicians towards particular policy choices?

The panel will consider:

• What technical design decisions can and should be made, including security, authentication, identity linkage, interoperability, data-sharing, input data? Is it possible to design these systems in a way that preserves privacy and prevents the repurposing of information flows?
• What practical considerations should governments be thinking about in designing these systems, beyond the technical specifications? What wider policy architecture is required around these systems to achieve their intended outcomes and mitigate harms?
• Does the creation of vaccine passport systems inevitably mean a greater embedding of digital identity systems, for better or worse, or is that a choice? How wary should we be of building long-term infrastructure in response to a time-bounded crisis?