Skip to content
Report Health data and COVID-19 tech

Checkpoints for vaccine passports: Future risks and global consequences

Governments must also need to consider the longer-term effects of vaccine passport systems and how it might shape future decisions

10 May 2021

Reading time: 16 minutes

Black outline of egg timer in red circle

The focus of most discussions of COVID vaccine passport schemes (including previous chapters of this report) has been on the immediate and near-term questions of practicality, legality, ethics and acceptability of systems being developed right now, looking at opportunities and concerns over the next year or two. These discussions focus on schemes being launched within months, including those already operational in Israel and before summer 2021 in the European Union, and their operations over the next year or two, as mass vaccination campaigns roll out around the world.

Even if a country is able to establish that all design questions have been answered, that the societal, legal and ethical tensions have been resolved, that there is no way of adapting existing systems and that a new system needs to be built, the long-term effects of building such systems and how they could shape the future must be considered. In particular, consideration should be given to whether these systems will:

  • Become a permanent fixture of future pandemics?
  • Be expanded to cover a wider and more granular set of health statuses, outside the pandemic context?
  • Change norms and expectations about the bounds of sharing personal health data?
  • Create wider path dependencies that shape the adoption of other technologies in future?

This section is also vital to any public engagement. The public may not see all the unintended consequences and may discount effects on their future selves and future generations, especially with the prospect of escaping a cycle of lockdowns faster. States with longer time horizons and broader duties to all their citizens, need to consider the future risks alongside the immediate pressures on their publics, and encourage their public to do so through deliberative and open engagement.

Checkpoints for vaccine passports

This is one of six requirements for a socially beneficial vaccine passport system, as outlined in a report based on an extensive review of the key debates, evidence and common questions around digital vaccine passports

Permanent emergency solutions

Once time, resources and political capital have been invested in their construction, it is unlikely that these systems and their underlying infrastructure will be rolled back once the crisis that initially justified their creation has passed. There are arguments for maintaining such systems:
for example, the Tony Blair Institute suggests in its case for digital health passports, that ‘Designed properly and integrating testing status, a health passport would also help us manage the virus and prepare for new strains and future pandemics.’1

It is likely that SARS-CoV-2 (the virus that causes COVID-19) will become endemic, like seasonal flu and other infectious disease-causing pathogens (or better contained, like measles, or even eliminated), at which point it will no longer require the emergency and intrusive measures justified by its present transmissibility and fatality. Accepting this as a reasonable scientific expectation for the near future raises concerns about the longevity of emergency apparatus, and that such infrastructure – once built – will not be stripped back.

In response, it has been suggested that sunset clauses should be built into any COVID vaccine passport scheme, with primary legislation clearly setting out the date or conditions by which a scheme will come to an end, and procedures designed into the system to allow that to happen, e.g. a process for the permanent deletion of any data, databases or apps that compromise the technical system.2

Clauses could be included in any use of emergency powers or particular legislation setting out government powers during the COVID-19 pandemic, and include time horizons like the end of a particular year or the end of the crisis according to set criteria (a declaration by the WHO, or cases of infection at a certain level for a specified time period). The clause could also include any process by which a scheme may be explicitly reapproved and continued. In the UK, it has been suggested that a majority vote in both Houses of Parliament could be required to continue any system.3 The Danish Government’s plan for the use of its Coronapas includes an August 2021 ’sunset clause’ for the use of the app other than for tourism and travel, with discussions about the experience of using the system in May and June 2021, to decide on its continued scope and use.4

These will not always be enough to guarantee the system does not become a permanent fixture. Take for example, the European Union’s Digital Green Certificate.5 In one way, it is clearly a time-limited proposal with a clear-end point, albeit with quite a high bar: ‘the Digital Green Certificate system will be suspended once the World Health Organization (WHO) declares the end of the international public health emergency caused by COVID-19.’ However, as a reminder of how these systems become a permanent fixture of life, they note immediately afterwards that ‘Similarly, if the WHO declares a new international public health emergency caused by COVID-19, a variant of it, or a similar infectious disease, the system could be reactivated.’

This creates a kind of path dependency: once this system is built, it becomes a tool for future emergencies, including any future outbreak of COVID-19 or other respiratory pandemics. This in itself does not pose too many additional concerns, beyond those raised in previous chapters. If it can be justified in our current emergency circumstances, there are good reasons to think it could be justified in similar future emergencies, and a pre-existing system could allow it to be spun up much faster. But many of these systems are being discussed as if they are one-off temporary solutions. If the plan from the start is for them to form the basis for future respiratory pandemic preparedness, they should be honestly presented to the public in these terms. They will also require ongoing investment and maintenance.

Scope creep

There is another version of this path dependency: if the purpose and design of the system expands beyond the narrow focus on an emergency response to become business as usual. The digital nature of the system particularly lends itself to iteration, gradual expansion and ‘scope creep’. Some forms of expanded functionality might be in keeping with a public
health purpose, for example, collecting data for disease surveillance and epidemiological research for COVID-19, and perhaps integrating symptom tracking systems with vaccination status.

Other forms may be more sweeping. Other kinds of health status such as physical and mental health records and genetic-test results could also be incorporated to provide more sophisticated risk scoring or even inclusion and exclusion on the basis of health risks beyond COVID-19, moving from COVID status certification to health status certification.6
medConfidential suggest a thought experiment for provocation: any solution under consideration should be tested against whether we would accept the same system of health information verification and differential access for a mental health condition or for HIV.7

Some have pointed to the history of biometric technologies as an analogous example of scope creep, with the initial uses of biometrics limited to exceptional circumstances, such as detention centres and crime investigations, before gradually expanding into everyday tasks,
such as unlocking our phones or logging into our bank accounts. Technologies that seemed intrusive when introduced become commonplace step by step, first by their use in extremes and then each use setting a precedent for the next.8 That is not to say that the gradual
expansion of biometrics is inherently problematic – they are clearly useful in many applications – but often technologies are developed and rolled out before there is sufficient engagement with the public about what use cases they find acceptable and what criteria for effectiveness
and governance they would set.

Similarly, the continued use and expansion of a COVID vaccine passport system could possibly be justified if the tensions in previous chapters are resolved and COVID-19 remains a long-term danger or we deem the systems useful enough to be repurposed for other health concerns. The key concern is that conversations and public engagement need to happen at each stage of continued use and expansion. Each use needs to be evaluated on its own terms at the time of deployment, informed by lessons learned from the previous operation of any similar systems, and driven by informed decisions rather than allowed to continue through software updates without transparency or accountability to citizens.

There is a risk that these important conversations about continued use may not happen or lose salience when the immediate danger is passed, and citizens have to focus their minds on rebuilding post-pandemic.

Others have suggested the system could be expanded beyond the health context, such as for identity verification for other purposes and generalised surveillance.9 However, the greatest impact of developing COVID vaccine passport systems may not be that the core of the system
is directly expanded into a permanent form of digital identity. Rather, the implementation of the system might set precedents and norms that influence and accelerate the creation of other systems for identification and surveillance.

Wider path dependencies

Just as path dependencies in terms of existing infrastructure, legal mechanisms and social and ethical norms will shape any adoption of COVID vaccine passport systems, so will those systems shape the paths available to decision-makers at future junctures.

Decisions made today may have implications for many years to come. For example, if we put in place widespread facial recognition systems to verify identity under these schemes, will we then re-evaluate the appropriateness of using facial recognition for other purposes e.g. age verification in hospitality venues? Or will we be locked into a path, once the capital has been invested, of installing and ironing out the operational issues in these systems? In this scenario, venues find themselves with a very different cost-benefit calculation than they did before the pandemic.

Comparisons were drawn during our expert deliberation to post9/11 security infrastructure at airports, and the once limited but now essentially mandatory Aadhaar identity system in India. There was pessimism about the likelihood of COVID vaccine passport technologies being ‘switched off’ once the crisis has passed, and the tendency to lead to path dependency: ‘Once a road is built, good luck not using it,’ as one participant in our expert deliberation put it. This might be a particular issue if the status of other health conditions were to be added.

Continuous development

If we recognise that these technologies are not intended to disappear once the immediate danger has passed, then we must think of these technologies as perpetually unfinished. This is especially true of the software aspects, which will require constant updates to remain
compatible and consistent with other software systems, legislation and standards.

Therefore, ethical evaluations of COVID status certification systems will require acknowledgment of uncertainty, risk and the inherent unfinished nature of the technology. Where significant uncertainty exists, some suggest that decision-makers can learn from precautionary and anticipatory approaches in sustainable development and other fields.6

Wider information flows and changing expectations

Even if the scope of statuses and purposes in the systems themselves remains limited, concerns were raised during our expert deliberation about how information in the system might be used more broadly than intended.

Even with the most privacy-preserving technology, health data could come into contact with different actors, including those in healthcare settings, employers, clients, police, pubs and insurance companies, who may have different levels of experience and trustworthiness in handling personal data. Private companies who offer COVID vaccine passports may also have commercial incentives to monetise any personal data they collect. Both risk data being shared with third-parties and being repurposed in future for uses the individual did not consent to. This concern is likely to be less significant if high standards on privacy-preserving design are followed in the design phase, and if data protection law is adequately enforced.

Finally, the implementation and existence of a system of health data-sharing in exchange for differential access to services could change social norms about the acceptable circumstances for health data-sharing in future, particularly if the system has any durability beyond the immediate emergency circumstances.11 This is not to prejudge what those changes will be – an ineffective and mismanaged system could damage public trust in digital identity systems and health data-sharing, while an apparently successful one might embed those ideas as a normal part of daily life. Either way, it will have an effect on the social norms and ethical reality in which we evaluate the system retrospectively, for good or ill, and it will shape the attitudes we take into future systems with similar properties.

Recommendations and key concerns


The current uncertainty, ongoing social anxiety and economic cost of the pandemic makes the technical fix of a novel tool and emergency infrastructure seem attractive, but the starting point should be identifying specific problems and looking at whether and how these could be addressed through existing practices and laws.


If these systems are intended to be used in the long-term, then governments should be upfront about that intention and undertake design, legal and ethical assessment, deliberation etc. on that basis, not pretend they are building a temporary system.


This should include – in primary legislation, where possible – details of:

  • Sunset clauses, including clear procedures for deciding whether to continue schemes, and details of legislative oversight and further public deliberation.
  • Commitments not to engage in ‘scope creep’; any expansion to the system should undergo its own separate assessment, with all the criteria outlined in other sections.
  • Proper investment of resources to ensure systems are properly maintained during use and don’t break down, and so exclude people or otherwise unexpectedly fail.
  • Governments and other providers should establish clear, published criteria for evaluation of the success of a system at achieving its stated purpose and of any side effects or externalities caused by the creation of these systems. This might include epidemiological modelling, as far as is possible, of the system’s effect on COVID-19 spread within society, and economic evaluation of the additional marginal benefit provided by the system. Any such evaluation should be continuous with regular public reviews and updates.


  1. Beacon, R. and Innes, K. (2021) The Case for Digital Health Passports. Tony Blair Institute for Global Change. Available at: (Accessed: 6 April 2021).
  2. Global Privacy Assembly Executive Committee (2021) Global Privacy Assembly Executive Committee joint statement on the importance of privacy by design in the sharing of health data for domestic or international travel requirements during the COVID-19 pandemic. 31 March 2021. Available at: (Accessed: 6 April 2021).
  3. Pietropaoli, I. (2021) Part 2: Getting Digital Health Passports Right? Legal, Ethical and Equality Considerations. Available at: (Accessed: 6 April 2021).
  4. Prime Minister’s Office. (2021) Rammeaftale om plan for genåbning af Danmark. 22 March 2021. Available at: (Accessed: 6 April 2021).
  5. Global Privacy Assembly Executive Committee (2021) Global Privacy Assembly Executive Committee joint statement on the importance of privacy by design in the sharing of health data for domestic or international travel requirements during the COVID-19 pandemic. 31 March 2021. Available at: (Accessed: 6 April 2021).
  6. UK Ethics Accelerator, Response to Ada Lovelace Institute call for evidence
  7. medConfidential, Response to Ada Lovelace Institute call for evidence
  8. Dr Btihaj Ajana, Response to Ada Lovelace Institute call for evidence
  9. Nuffield Council on Bioethics (2020) Rapid policy briefing: COVID-19 antibody testing and ‘immunity certification’. Available at: (Accessed: 6 April 2021).
  10. UK Ethics Accelerator, Response to Ada Lovelace Institute call for evidence
  11. ibid.

Related content