Blog Posts Business Management

Would vaccination passports guarantee data privacy?

Blog: Capgemini CTO Blog

One of my friends recently drew my attention to an article in Time magazine, in which the International Olympic Committee (IOC) President Thomas Bach has said that COVID-19 vaccinations could be required for athletes and fans to attend the postponed Tokyo Olympics. This is set against a backdrop where vaccines to inoculate against COVID-19 are being developed and (at the time of this writing) set to be given to the public. To limit the spread of the disease at an event vast numbers of people are expected to attend, drastic measures are being considered to not risk another massive increase in cases worldwide.

Given that there are several global events planned for 2021 and assuming that vaccination passports provide a solution, how could they be implemented appropriately?  What regulations should be complied with to protect personal information and reduce the likelihood of the infringement of human rights?

There are many questions to be answered, some of which focus on the governance of personal data.


IATA recently announced that it was creating a digital platform to facilitate the sharing of vaccination information called the IATA Travel Pass. The reasoning for this is: “to re-open borders without quarantine and restart aviation governments need to be confident that they are effectively mitigating the risk of importing COVID-19. This means having accurate information on passengers’ COVID-19 health status.

It seems prudent that a collective definition of why the data is being gathered across the world should be adopted. If the reason is simply to present proof of having had a vaccination, that in itself is quite different from requiring presentable proof of immunity. Such a requirement should, at the minimum, include a follow-up test to prove that the individual has produced the required protective antibodies.


The concept of data sovereignty means that personal information (including health data) is usually governed by regulations that afford some protection to the citizens of the region where the data is stored. Examples of this include:

However, how do you apply the principles of health data governance internationally? What standards should be used to protect the data? How should it be stored, and what should happen to it when it is no longer needed? The standard requirements of asset management and data governance must be observed when processing personal data, even in a global context.


In order to have a trusted worldwide system that can prove that an individual has had a vaccination, it would seem logical that such a system should have traceability built-in. This would imply that an assertion that an individual has had a vaccination can be traced back to a point in time where the injection was administered (and, potentially, which type of vaccination it was – especially given that different vaccines have different efficacy rates).


How should such a system be administered? Should it be on a country-by-country basis, given that each nation could claim ownership of said data and how it should be used? If the aviation industry (IATA) is setting up its own system, should this be a process that is extended to travel across land borders? How would such a system be applied consistently in different countries, with varying levels of social and technical infrastructure, so that travellers around the world have equal access to transport?


In the next 12 months, the world has an expectation (or hope) to return to business as usual, including international travel. That includes the following sporting events postponed from 2020:

If we are going to reduce the likelihood of a return to the levels of infection seen throughout 2020, a number of measures will have to be implemented. Ideally, these should enable equal access to travel, irrespective of the economic background of one’s country.  A vaccination passport may well be one of these, but to keep the pandemic in check it will require a truly collaborative approach to the governance of data that matches to that seen by the global medical community to make a real difference.

To learn about Capgemini Data Protection and GDPR Services, visit:


Leave a Comment

Get the BPI Web Feed

Using the HTML code below, you can display this Business Process Incubator page content with the current filter and sorting inside your web site for FREE.

Copy/Paste this code in your website html code:

<iframe src="" frameborder="0" scrolling="auto" width="100%" height="700">

Customizing your BPI Web Feed

You can click on the Get the BPI Web Feed link on any of our page to create the best possible feed for your site. Here are a few tips to customize your BPI Web Feed.

Customizing the Content Filter
On any page, you can add filter criteria using the MORE FILTERS interface:

Customizing the Content Filter

Customizing the Content Sorting
Clicking on the sorting options will also change the way your BPI Web Feed will be ordered on your site:

Get the BPI Web Feed

Some integration examples