Data Protection - Digital COVID Certificates

Data Protection Information note on the issuing of Digital COVID Vaccination Certificates and recovery certificates prepared by the Department of Health and the Health Service Executive

July 2021

Purpose of the Information Note

The purpose of this Note is to provide helpful information on the processing of personal data that is being undertaken for the purposes of issuing Covid 19 vaccination certificates and recovery certificates. The Department of Health and Health Service Executive are the Joint Controllers for the processing. All processing is in accordance with the EU Digital Covid Certificate Regulation.

Background

The European Union agreed an EU Regulation for Digital Covid Certificates EU DCC Regulations (Regulation (EU) 2021/953 (14 June 2021). The EU Digital Covid Certificate Regulation is binding in its entirety and directly applicable in all Member States.

The Regulation provides for three certificates-

a vaccination certificate;
a recovery certificate, and
a test certificate.

Member States of the EU are required to give effect to the EU Digital Covid Certificate Regulation: in particular, to provide for the issuing of certificates.

Who arranges for the issuing of the certificates in Ireland?

The Department of Health and the HSE have entered into a Joint Controller Arrangement under Article 26 of GDPR to give effect to the processing of the personal data necessary to issue the vaccination and the recovery certificate. The EU Digital Covid Certificate Regulation allows for the vaccination certificate to be issued automatically or on request. Having regard to the likely demand for the certificate, the Joint Controllers will arrange for it to be issued automatically. This is possible since the HSE already has the necessary data as a result of information provided by individuals as part of the vaccination programme.

Under the EU Digital Covid Certificate Regulation, the recovery certificate must be requested. Recovery certificates can be requested directly from the Joint Controllers via the following link: www.gov.ie/en/service/9aa37-request-a-certificate-to-show-that-youve-had-covid-19-in-the-last-6-months/ or by phoning the Call Centre Support Service.

Importantly, in order to prevent any potential fraudulent criminal activity, the HSE will never initiate contact with anyone on their vaccination or recovery certificates. However, you may be contacted by an agent via phone or e-mail in response to a query that you have raised. There is no cost for citizens to receive the generated vaccine and recovery certificates. If you have a query on either certificate, please see section on Call Centre Support Service below.

In relation to the test certificate, the issuing of those certificates is for the test facilities involved to arrange on behalf of the individual since the certificate arises as a result of a direct engagement between the individual and a testing facility. The EU Digital Covid Certificate Regulation does allow such certificates to be issued automatically but testing facilities are likely to arrange for them to be issued at the request of individuals. The best advice is to talk directly to the testing facility.

Data Protection Considerations

To ensure that data protection concerns were identified and addressed, the EU Digital Covid Certificate Regulation was the subject of consultation with the European Data Protection Board and the European Data Protection Supervisor. There has also been national engagement with the Data Protection Commission on the responsibilities of the data controllers and data processors involved in the issuing of the certificates in Ireland, the rights of data subjects and data flows necessary to give effect to the issuing of certificates.

The EU Digital Covid Certificate Regulation provides that the General Data Protection Regulation (GDPR) applies to the processing of personal data involved and also provides the legal basis for such processing.

Data Protection Impact Assessment

A full Data Protection Impact Assessment (DPIA) has been carried out and is available on the websites of the Department of Health and the Health Service Executive. Due to the time constraints regarding the roll out of the Digital Covid Certificate, a public consultation process was not feasible but a communication process to aid transparency is in place.

Lawful basis for processing

The lawful basis under GDPR for processing personal data and special category data for the issuance of a vaccination or recovery certificate is, as per the EU Digital Covid Certificate Regulation:

Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which the controller is subject;/ Article 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller;
Article 9(2)(g): processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Both GDPR grounds are underpinned legislatively in national and EU law by the EU Digital Covid Certificate Regulation.

Data Minimisation

The Joint Controllers have adopted a data minimisation approach to the processing and only personal data that is necessary and proportionate to issue the vaccination and recovery certificates
will be processed.

Information being processed

As per the EU Digital Covid Certificate Regulation, the vaccination certificate will contain the following categories of personal data:

(a) the identity of the holder;
(b) information about the COVID-19 vaccine and the number of doses administered to the holder;
(c) certificate metadata, such as the certificate issuer or a unique certificate identifier.

The personal data to be included in the vaccination certificate is set out in the EU Regulation:

(a) name: surname(s) and forename(s), in that order;
(b) date of birth;
(c) disease or agent targeted: COVID-19 (SARS-CoV-2 or one of its variants);
(d) COVID-19 vaccine or prophylaxis;
(e) COVID-19 vaccine product name;
(f) COVID-19 vaccine marketing authorisation holder or manufacturer;
(g) number in a series of doses as well as the overall number of doses in the series;
(h) date of vaccination, indicating the date of the latest dose received;
(i) Member State or third country in which the vaccine was administered;
(j) certificate issuer;
(k) unique certificate identifier

As per the EU Regulation, the certificate of recovery shall contain the following categories of personal data:

(a) the identity of the holder;
(b) information about past SARS-CoV-2 infection of the holder following a positive test result;
(c) certificate metadata, such as the certificate issuer or a unique certificate identifier.

The personal data to be included in the certificate of recovery is set out in the EU Regulation:

(a) name: surname(s) and forename(s), in that order;
(b) date of birth;
(c) disease or agent from which the holder has recovered: COVID-19 (SARS-CoV-2 or one of its variants);
(d) date of the holder’s first positive NAAT test result;
(e) Member State or third country in which test was carried out;
(f) certificate issuer;
(g) certificate valid from;
(h) certificate valid until (not more than 180 days after the date of first positive NAAT test result);
(i) unique certificate identifier.

Other personal data that will be processed is limited to what is necessary to ensure that the vaccination certificate or recovery certificate can be issued to the right person (for example, email
address, mobile phone number, home address, Individual Health Identifier).

Processing of special categories of personal data

As the vaccination certificate and the recovery certificate indicate the health status of the individual concerned, the Joint Controllers regard then as falling under the definition of ‘data concerning health’ in Article 4 of the GDPR. Such data is a special category of personal data under Article 9 of the GDPR.

Who can access the personal data?

The Joint Controllers have legal obligations under the GDPR and the Data Protection Act 2018 to ensure all personal data processed by them is kept confidential and secure.

The Joint Controllers have entered into appropriate and legally binding data processing agreements (under Article 28 of the GDPR) with processors.

Where those processors need to engage sub-processors to carry out particular processing operations (such as printing of certificates) all such arrangements will be also subject to legally binding agreements.

All processor and sub-processor agreements will outline each parties’ responsibilities and the scope, purpose, duration and means of processing undertaken and related security measures taken by each party.

Personal data will be available to processors and sub-processors only to the extent necessary to enable them to fulfil the terms of the processing operations they are contracted to undertake.

Will the information be processed outside the European Economic Area (EEA)

Processors and sub-processors can only process/transfer personal data outside the EEA with the prior written approval of the Joint Controllers and subject to such safeguards as are specified that comply with GDPR.

Data Security

The Joint Controllers have been particularly concerned to ensure that appropriate technical, organisational and human measures have been put in place to safeguard the personal data
processed. This has involved the identification of potential risks and mitigating actions to address them.

How long will the personal data be kept?

It is a principle of GDPR that personal data can be retained for only as long as necessary. The EU Digital Covid Certificate Regulation provides that personal data processed for the issuing of a certificate cannot be retained for longer than is strictly necessary. Further, the EU Digital Covid Certificate Regulation provides that it will terminate on 30 June 2022. Personal data processed under the EU Digital Covid Certificate Regulation cannot be retained beyond that date (unless the EU introduces a further Regulation to extend the date) or it is necessary for healthcare purposes.

Rights of data subjects in relation to the personal data processed

GDPR provides that data subjects have specified legal rights concerning personal data processed about them. These include:

a right of subject access;
a right to request the correction of inaccurate information or the updating of incomplete or out of date information;
a right to request the restriction of the processing of personal data in certain circumstances;
a right to request the deletion of personal information (including medical records on a case by case basis);
a right to lodge a complaint with the Data Protection Commission.

Call Centre Support Service

A Call Centre Support Service has been established to provide information and answer questions on the issuing of vaccination and recovery certificates. In relation to test certificates, the Call Centre can only advise callers to contact the facility that carried out the test as transactions are private between the facility and the individual who was tested.

For queries in relation to your Digital Covid Certificate, please call 1800 700 700

The Call Centre may need you to provide them with personal data to help them with your query (for example, they may need you to provide personal information to verify your identity or help them establish the likely date for the issue of your certificate). Any personal data you give them will be processed on a public interest basis (under Article 6(1)(e) GDPR) and a substantial public interest basis (under Article 9 (2)(g) GDPR) (both GDPR grounds are underpinned legislatively in national and EU law by the EU Regulation).