BA's vaccine passports: the legal implications

Why do we need vaccine passports?

The 11th of March marked one year since the WHO declared the Covid-19 outbreak to be a pandemic. Since then, international travel has been deemed one of the primary contributors to the global spread of the virus. Now, one year on, a number of airlines have responded by announcing the development of digital health passports to safely reinstate international travel.

The passports are lauded as an easy way to encourage safe cross-border travel, by allowing customers to record their vaccination status prior to travel. British Airways (BA), for instance, has announced customers will be encouraged to register their two vaccine injections, or a negative test result, on the company's smartphone app.

These checks will allow airlines to resume a fuller service as soon as possible - an encouraging lifeline to an industry all but decimated by the past year's restrictions, with IAG, BA's parent company, reporting losses of £6.7 billion.

The passports may be welcome news to some consumers, who, worn down by lockdown fatigue, are raring for an escape from home; although this remains dependent, as ever, on restrictions.

A word of caution

Despite optimism and excitement about the world reopening, it is important that consumers and airlines don't rush blindly into these initiatives.

Storing any type of personal consumer data - from contact details, to financial information and medical records - comes with risks attached, with the potential implications reaching far beyond this year's summer holiday.

For example, BA suffered two significant data breaches in 2018, exposing the personal information of more than 420,000 British Airways customers. As a result, the ICO issued BA with a £20 million fine, with the total compensation pay-out in the group action against BA potentially reaching an additional £2.4 billion.

In February 2021, BA customers were implicated in a third data breach. BA members may have had their data accessed after passenger processing system SITA suffered a cyber-attack.

Questions should be asked of BA and other airlines as to whether their cyber security follows best practice, and this interrogation should extend to third-party providers. As BA and other airlines begin to demand more personal data from customers, such as medical data, it is imperative that they remain vigilant in the face of data breaches.

In the first instance, it is important to dissect whether BA can legally require travellers to input vaccination information. The entitlement to process medical evidence normally requires consent. However, if it became a prerequisite for travel, then the focus becomes more about whether a person wishes to travel or not. This cannot be considered as explicit consent.

BA appears to be adopting the public interest justification, which states that processing medical information is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health. In this case, making consumers aware of their rights and getting clear consent is absolutely critical, in terms of both legality and consumer confidence. Additionally, before a public interest justification is implemented, it is vital that the passports receive approval from either the government or a governing body. This should ensure they are satisfied that the safety of consumer data will be maintained.

An overarching consideration is the highly sensitive nature of the data. The confidentiality of medical records makes them highly prized assets for cyber criminals, and potentially raises the chances of a data breach occurring.

Additionally, due to the particularly personal nature of medical data, compensation pay-outs for offending businesses are often far more costly because of the increased potential for consumers to experience distress and psychological trauma from data leaks.

By comparison, victims of the 2018 BA data breach are eligible to claim up to £16,000 in cases of severe psychological distress. Alternatively, in the case of the 56 Dean Street data breach in 2015, when a leak exposed the contact details of 800 patients using the clinic for HIV services, the most seriously affected claimants are likely to receive damages of up to £30,000.

An opportunity for redemption?

Vaccine passports present a difficult dilemma for BA: risk another data breach, with the hefty financial implications, or delay resuming business as usual.

Any steps BA does decide to take should be approached with mindful consideration of the lessons they should have learned about data protection. If vaccine passports are approved by the government in spite of some public reservations, BA will need to proceed with caution if they are to seize this chance for redemption.

Aman Johal is a lawyer and director at Your Lawyers