Data Compliance Issues For Cos. Making, Using Vaccine Apps

By Ron Raether, Edgar Vargas and Kristalyn Lee
Law360 (February 10, 2021, 6:05 PM EST) --
For most of 2020, the world struggled with COVID-19 and its effects.

Earlier in the pandemic, we published a Law360 guest article offering privacy guidance to developers interested in creating contact-tracing applications.[1] Now that entire populations are ready to reopen many aspects of their pre-COVID-19 lives, we found it fitting to update our previous guidance with certain additional privacy and employment issues.

COVID-19 vaccines offer hope, but specific questions nonetheless remain.

For instance, how do concert halls, airports, sports arenas, theaters and schools looking for ways to control this pandemic verify the vaccination status of the individuals they seek to serve?

May employers exclude employees from the workplace if they do not get vaccinated, and, if so, how will employers verify employee vaccination status? Smartphone applications using technologies such as blockchain are currently under development, looking to offer individuals the ability to share vaccination status with third parties.

Imagine you're taking that long-awaited European vacation. You arrive at the airport in this new country. You're asked to verify your vaccination record, so you pull out your smartphone to verify your vaccination status. What personal information are you sharing?

These new applications may require, in some way, the collection and disclosure of certain sensitive information, such as health care diagnosis and biometric data. As such, companies developing these applications must keep privacy and security in mind throughout development, an approach commonly referred to as privacy by design.

You may be wondering, though, why not use paper records? After all, vaccine passports, such as the so-called yellow card, have been used for decades. Unfortunately, there appears to be a thriving market[2] for fake COVID-19 documentation, likely due to the short supply of COVID-19 treatments. To support the reopening of businesses, developers hope to offer alternatives that third parties can trust.

Several organizations have either released or announced the development of such applications throughout the world. Dr. Brad Perkins, the chief medical officer at the Commons Project Foundation, a nonprofit in Geneva that developed the CommonPass app said: "This is likely to be a new normal need that we're going to have to deal with to control and contain this pandemic."[3] Consumers need peace of mind when traveling or when going to work, and developers hope to make vaccine verification easy through technology.

Vaccination Verification Approaches

For those interested in learning how different organizations are tackling the COVID-19 vaccine verification problem, we list specific approaches currently in use or under development around the world below.

Vaccination Record Card

The Centers for Disease Control and Prevention will be issuing individuals a physical COVID-19 vaccination record card. This low-tech approach is meant to allow individuals the ability to document the vaccines they receive. The cards will include certain personal information, such as the name, date of birth, patient number, type of vaccine received and vaccination provider source.

Health Pass

CLEAR, a security company that confirms people's identities at airports and other venues, already operates a COVID-19 application. Health Pass seeks to take it one step further, giving employers and employees peace of mind about returning to work by allowing individuals to upload vaccination record information. Besides collecting location and health information, Health Pass seeks to verify individuals' identities through facial recognition software, which means collecting biometric data.

Digital Health Pass

IBM's Digital Health Pass was developed to give public and private organizations the ability to verify health credentials, such as COVID-19 vaccinations, for employees, customers and visitors who physically enter specific locations. It focuses on bringing people back to a physical location, such as a workplace, school, stadium or flight. IBM states that individuals will be able to manage their health information through encrypted means, allowing them to control their personal information as they enter physical locations.

CommonPass

Developed by the Commons Project Foundation, the World Economic Forum, and other public and private organizations to allow individuals to document their COVID-19 health declarations, polymerase chain reaction tests and vaccinations, CommonPass aims to enable global travel and trade to return to prepandemic levels.

Several major international airlines, including United Airlines Holdings Inc., JetBlue Airways Corp., Deutsche Lufthansa AG, Swiss International Airlines AG and Virgin Atlantic Airways Ltd., announced they would introduce CommonPass to verify travelers' virus test results and, it appears, soon COVID-19 vaccinations as well.

Developers share that CommonPass will allow users to upload medical data provided by a hospital or medical professional, generating a printed health certificate or digital pass that can be shown to authorities.

AOKpass

AOKpass was developed by AOKpass Pte Ltd., in partnership with the International Chamber of Commerce, International SOS and SGS SA, to enable individuals "to securely verify their health status with third-parties, while preserving the privacy of their underlying personal health data."

AOKpass aims to support organizations in allowing their workers to return to work during the COVID-19 pandemic. AOKpass will store medical information, such as vaccination records, and hash that data so that a unique code derived from the record can be used to check that the vaccination information is valid and has not been altered, without disclosing the underlying record itself.

IATA Travel Pass

IATA Travel Pass was developed by the International Air Transport Association, or IATA, an aviation trade association representing 82% of total air traffic.

Similar to CommonPass, IATA Travel Pass is focused on validating and authenticating COVID-19 travel requirements through four open-source modules: (1) registry of health requirements, which offers passengers COVID-19 travel requirements; (2) registry of testing / vaccination centers, which offer passengers the ability to find testing/vaccination centers; (3) lab app, which allows health providers the ability to share results directly to passengers; and (4) contactless travel app, which enables passengers to manage COVID-19 documents throughout their travel experience.

Employment Considerations

As vaccines become more easily accessible, employers should be mindful of the benefits and potential pitfalls when deciding whether to implement a vaccination program for their workforces. While employers may generally require their employees to get vaccinated as a condition of employment, employers should carefully consider both the legal and practical impact of implementing a mandatory vaccination program.[4]

If employers choose to mandate the vaccination, one of these considerations will be verifying vaccination status. For example, will employees submit copies of physical vaccination cards, or will employers use one of these third-party applications? Employers may even consider developing their own application or online system to track vaccination status and other COVID-19-related issues, such as contact tracing.

Nevertheless, depending on the type of information collected and the manner in which it is used and recorded, by receiving certain employee medical information — e.g., vaccination records — employers may trigger additional legal obligations such as privacy notices prior to collection, recordkeeping and retention requirements, and employee confidentiality.

Privacy — Fair Information Practice Principles

In the U.S., the Federal Trade Commission provides organizations with specific privacy guidelines for handling individuals' personal information, known as the Fair Information Practice Principles. The FIPPs are often the framework legislatures employ when enacting privacy legislation.

However, it is crucial to keep in mind that compliance with FIPPs does not equal compliance with privacy laws. Developers should ensure their privacy and security procedures comply with applicable legal requirements.

Developers interested in creating their own solutions should keep the following privacy considerations in mind throughout development.

Notice

Notice is a foundational privacy principle. When provided before or at the point of collection, it is often referred to as a just-in-time notice. Notice allows individuals to make informed decisions about whether they want to provide the requested information to certain third parties.

Privacy laws, including recently enacted ones such as the California Consumer Privacy Act and the California Privacy Rights Act, as well as Illinois' Biometric Information Privacy Act and the Health Insurance Portability and Accountability Act, mandate notice in some form.

Choice and Consent

Another foundational privacy principle is allowing individuals to choose the information they provide and to consent to its use. At a minimum, developers must provide adequate notice of what information they may access and how such information will be used. Considering that specific applications plan to use biometric data, developers should ensure they obtain written consent before collecting biometric identifiers from individuals to whom BIPA applies.

Data Minimization

Limiting the scope of information collected by the application is in line with the FIPPs data minimization principle. Personal information collection should be limited, and any such collection should be directly relevant and necessary to accomplish the specified purposes. Data minimization also requires that developers retain the information only as long as needed for those purposes or as otherwise required by law.

Security Safeguards

The security safeguards principle provides that reasonable security procedures should protect personal information against unauthorized access, destruction, use, modification or disclosure of data. While what constitutes reasonable security during a pandemic is fluid, developers need to assess what safeguards are required when handling sensitive personal information.

For instance, applications should be built with current security best practices to prevent unauthorized parties from interfering with or accessing them, and developers must ensure that their users' personal information is protected against inadvertent loss or disclosure. Developers must take steps to ensure that health care provider information and biometric data cannot be recovered or reverse-engineered, without the subject's consent, from what the application stores or presents to third parties; a bare hash of a few low-entropy fields such as name, date of birth and vaccine type, for example, offers little protection by itself.

Finally, developers must consider what safeguards are necessary to verify the accuracy of the information collected, such as whether a user actually received the COVID-19 vaccine the record claims.

A malicious actor could use the application to trick others into entering false vaccination records, cause public panic by planting vaccination misinformation, or shut down a competitor's business by preventing it from adequately verifying vaccinated individuals. It will be essential to identify ways to eliminate such swatting-type outcomes.
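The hash-based check described for AOKpass above and the reverse-engineering and accuracy concerns in this section can be made concrete with the following added example. It is illustrative code written for this page, not code from AOKpass, CommonPass or any other application mentioned. The record format, the sample data, and the use of an HMAC under an issuer-held key as a stand-in for the issuer's digital signature are all assumptions (a deployed system would use an asymmetric signature so that verifiers hold only the issuer's public key). The example shows two things: a hash of a record proves validity only when it is bound to an issuer the verifier trusts, and an unsalted hash of low-entropy fields can be recovered by simple enumeration.

```python
"""Added example: hash-anchored vaccination credential (not from any app on this page).

Assumptions (hypothetical): the record fields below, HMAC-SHA256 under an
issuer-held key standing in for the issuer's digital signature, and the
constructed sample data.
"""
import hashlib
import hmac
import itertools
import json
import os
import secrets
from typing import Optional

# Canonical serialisation: sorted keys, no whitespace, so the same record
# always hashes identically regardless of field order.
def canonical(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def unsalted_digest(record: dict) -> str:
    """What a naive design would present as the 'unique code'."""
    return hashlib.sha256(canonical(record)).hexdigest()

def record_digest(record: dict, salt: bytes) -> str:
    """SHA-256 over salt || canonical record. A random per-credential salt
    stops the digest being matched against a precomputed table of guesses."""
    return hashlib.sha256(salt + canonical(record)).hexdigest()

# --- Issuer side (e.g. a clinic or health authority) ----------------------
ISSUER_KEY = secrets.token_bytes(32)  # constructed; stands in for the issuer's private key

def issue_credential(record: dict, issuer_key: bytes = ISSUER_KEY) -> dict:
    """Bind the record's digest to the issuer. The holder keeps the record and
    salt; the digest plus issuer tag is what gets shown to a third party."""
    salt = os.urandom(16)
    digest = record_digest(record, salt)
    tag = hmac.new(issuer_key, digest.encode(), hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "digest": digest, "issuer_tag": tag}

# --- Verifier side (e.g. an airline or employer) --------------------------
def verify_credential(record: dict, cred: dict, issuer_key: bytes = ISSUER_KEY) -> bool:
    """True only if (1) the presented record matches the digest and (2) the
    issuer's tag over that digest is genuine. A tampered record, or a
    self-made digest that the issuer never tagged, fails."""
    salt = bytes.fromhex(cred["salt"])
    if not hmac.compare_digest(record_digest(record, salt), cred["digest"]):
        return False
    expected = hmac.new(issuer_key, cred["digest"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cred["issuer_tag"])

# --- Why the salt matters: unsalted digests of low-entropy fields ---------
VACCINES = ["Pfizer-BioNTech", "Moderna", "Janssen"]  # constructed candidate list

def brute_force_unsalted(target_digest: str, names, dobs) -> Optional[dict]:
    """A party that only ever sees an unsalted digest can still recover the
    underlying health record by enumerating plausible field values."""
    for name, dob, vax in itertools.product(names, dobs, VACCINES):
        guess = {"name": name, "dob": dob, "vaccine": vax}
        if unsalted_digest(guess) == target_digest:
            return guess
    return None

SAMPLE_RECORD = {"name": "Jane Doe", "dob": "1985-04-12", "vaccine": "Moderna"}  # constructed

if __name__ == "__main__":
    cred = issue_credential(SAMPLE_RECORD)
    print("genuine record verifies:", verify_credential(SAMPLE_RECORD, cred))
    tampered = dict(SAMPLE_RECORD, vaccine="Pfizer-BioNTech")
    print("tampered record verifies:", verify_credential(tampered, cred))
    recovered = brute_force_unsalted(unsalted_digest(SAMPLE_RECORD),
                                     ["John Roe", "Jane Doe"], ["1990-01-01", "1985-04-12"])
    print("unsalted digest recovered:", recovered)
    print("salted digest recovered:", brute_force_unsalted(cred["digest"], ["Jane Doe"], ["1985-04-12"]))
```

The point for a developer is that the "unique code" is only as trustworthy as the issuer binding behind it: a verifier who merely recomputes a hash over a record the holder typed in has verified nothing, and a code derived from name, date of birth and vaccine type without a salt leaks the record to anyone willing to enumerate a few thousand guesses.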


Developers will need to keep tracking vaccine-related legal and regulatory developments, and may need to implement changes as new laws are enacted or regulations adopted throughout the country and worldwide.

Developers must be cognizant of and sensitive to U.S. data privacy laws when developing applications that collect, store, use and transmit vaccine recipients' personal information. Following the FIPPs outlined above should give developers a head start on compliance.

Ron I. Raether is a partner at Troutman Pepper and leads the firm's cybersecurity, information governance and privacy practice group.

Edgar Vargas is an attorney at the firm.

Kristalyn Lee is an associate at the firm.

Troutman Pepper associate Sadia Mirza contributed to this article.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.




[4] For more information about these issues, we published a set of FAQs addressing common questions regarding the COVID-19 vaccine. Read more by visiting
