New bylined article about vaccine passports in the May issue of Governance + Compliance Magazine
June 4, 2021
Companies requiring vaccine passports as a term of employment will have a new data privacy challenge on their hands
Mathieu Gorge, CEO & Founder at VigiTrust
As a growing number of businesses are thinking of reopening their offices to employees, the reality of the changes that will be required in order to protect staff from COVID is becoming more apparent. Concerns associated with the well-being of employees are amplified because businesses carry more responsibility as offices reopen, and there are several factors that offices need to consider, including:
- rearranging the physical space to ensure that employees are maintaining social distancing
- putting sanitisation stations in place for employees to use
- ensuring that there are systems in place to check which employees are in the office at any given time and which employees are in contact with each other, in order to enable contact tracing
However, as only some staff are likely to have been vaccinated at this point, employers are now looking for ways to check who has been vaccinated and when. The need for the management of such sensitive information is creating a new data security and compliance challenge for businesses and employers.
The Interim Normal
Let us look back at what has happened over the last 12-13 months. Between March and September 2020, many people were solely trying to survive and adapt to lockdown, as well as working remotely. After this, many workers believed they would go back to the office in the new year.
However, as the second and third waves of the virus gradually set in, the realisation hit that we would be working in a hybrid environment for at least the foreseeable future.
Today we find ourselves in a situation where we have a vast number of employees — in fact the majority — still working from home. Some people incorrectly refer to this as the ‘new norm’. I say incorrectly because I believe it is a little bit too early to label it in any way at all. Whether it is the new norm or the interim norm, we do not know just yet.
What we do know is that the employer-employee relationship has shifted drastically as a result of the COVID-19 pandemic. At the very beginning of the health crisis, we saw a number of employers allowing their employees to work from home using their own devices, with access to systems that they otherwise would not have been allowed to access because of the confidentiality, integrity or availability of the data. We saw the bigger firms outfit their employees with laptops that were somewhat secure (sometimes fully secure and sometimes not so much). The urgency was to stay working and retain business continuity, albeit with some data security concerns.
A year later, things have changed quite a bit. We now accept that the risks associated with the pandemic have dramatically increased, so organisations went from having approximately 10-20% of their workforce working from home to around 90-100% seemingly overnight.
Are Organisations Prepared?
In essence, we have built a makeshift shadow IT environment, wherein the architecture has completely changed in a very short time. We are now relying on a distributed architecture and new environment that we need to secure and, unfortunately, some organisations have been concentrating on short-term versus long-term cybersecurity goals. It is worth noting that the likes of GDPR, HIPAA, PCI and other frameworks and regulations apply to the organisation even during a pandemic.
Looking at the actual issue of vaccines, a number of organisations are asking their employees for proof that they’ve been vaccinated in order to get them back into the office, and this poses a number of different challenges.
First of all, there is an operational challenge in doing this: how are they going to collect information? What type of vaccine proof will they accept? How will they collect those proofs? How will they make sure that the data is up to date? Where are they going to keep it? Is it going to be in paper format, digital format, or a mix of both?
Next comes the issue of data security, because we are now looking at personal data — health data, to be precise. Most organisations are not geared up to host this sensitive information. It is important to note that every country has a framework for protecting health data, and these frameworks are typically incredibly granular and require controls that may or may not already be in place.
For example, hospitals in the US have to comply with HIPAA guidelines, those in the UK have to follow guidelines set by the National Health Service (NHS), and those in Ireland must follow HSE guidelines.
This is a new and unprecedented challenge for any organisation, even if it is in compliance with the likes of GDPR or, for the banking industry, PCI DSS. Health data is personal data, and employers should be protecting it. They may never have had access to information as sensitive as their employees’ COVID status, and now they will end up being responsible for a list of employees that have been vaccinated, a list of those who have not, a list of employees that have had their first shot but not their second, and so forth.
If personal health data were to get into the public domain or circulated to other people within the organisation, the liability would be a major issue — not only from a legal perspective, but also from a cybersecurity perspective.
So what should a company do? Well, if it decides to collect information about which of its employees are vaccinated and which are not, it should first and foremost write a policy, ensure it gets the green light from the company’s legal department, and communicate the policy to the workforce. It should then ensure that it has the right systems and environment in place to securely store the information and always keep it up to date. The company should also train users on what to do if they have concerns or if they feel that their information might have fallen into the wrong hands. This should include updating ecosystem diagrams regarding where the data is going to be hosted and stored. If it is going to be kept by a third party, then that party should be fully vetted for cybersecurity, much more scrupulously than a traditional third party vendor would be. And finally, the company should look at crisis management: what is the company going to do if something goes wrong with this data?
Company leadership must look at every possible type of scenario, including:
- the data has been deleted and employees must be asked to provide it again
- the data has been hacked
- the integrity of the data has been compromised
- the data has been modified
- somebody without the proper credentials has somehow gotten access
- the data has been printed when it was not supposed to be
- the data was backed up, and some of the back-ups have disappeared
There are any number of scenarios that businesses must foresee in order to make sure that they are completely ready to host this type of sensitive information.
Is It Possible?
In my opinion, this is extremely difficult to do the right way. It is not impossible, but between the legal ramifications, the technical setup and controls that need to be in place, the reputational damage if something were to go wrong, and the challenge of explaining to employees that this data is being requested so that they can come back to the office and feel secure and safe with regards to COVID-19, I see it as being a real challenge for many companies.
Nevertheless, I have to stress that it is not impossible. Looking at the situation from a practical perspective, if an organisation is thinking seriously about collecting information about which employees have and have not been vaccinated, or in fact any other health information related to the workforce, it needs to look at the controls it is going to put around the physical security of the office space and the data security around the additional health data and personal information being collected and stored. It should certainly look at the security of its employees in terms of where people might be located in the building, and whether there is a geolocation concern that may arise. It should also continue to update and map out its ecosystem (i.e. the infrastructure security) and plan for the type of crisis situations that it might have to handle.
We are going to be in a hybrid model for a while longer, and we will have to learn how to manage this new type of environment.
It is very likely that at some stage most organisations will be collecting data associated with their employees’ health, thus we cannot rely on old controls that are unprepared for this.
We need to move forward, and the way to do so is to make sure that this issue is dealt with at the C-suite and board level, and that, at any stage, the strongest level of appropriate technical controls, policies and training have been put in place by the organisation.