10 Design Considerations for Vaccine Credentials


As COVID-19 vaccines become widely, if not fairly, available in different regions, both the public and private sector are working to develop vaccine credentials and associated surveillance systems.

Information technology applied to vaccination can be effective, but it can also be oppressive, discriminatory, and counter-productive.

But these systems can be tuned to reflect and address key concerns.

What follows is a list of ten separable concerns, each paired with a responsive design strategy. The concept of separation of concerns in technology design offers a path to better health policy. Because each concern hardly interacts with the others, any of them can be left out of the design in order to prioritize more important outcomes. Together, all of them can maximize scientific benefit while enhancing social trust.

  1. Authenticity

An inspector should be assured that a vaccine certificate was not tampered with and that it was issued to the presenter. This need not imply any privacy risk, or even need a network connection. One such method for authenticating vaccine credentials adds a human-recognizable and machine-readable face photo to a standard 2D barcode. It works with paper as well as mobile phone presentations.

  2. The digital divide

For this concern, paper credentials have equity and privacy advantages. Equity, because paper is cheap and well understood. Privacy, because there is no expectation that a person must unlock and show a mobile phone. Digitally signed certificates that also include a photo, like #1 above, can be copied for convenience without risk of fraud.
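The offline check described in #1 and #2, as an added example that is not part of the original post: the issuer signs the vaccination record together with a hash of the face photo printed beside the barcode, and an inspector verifies it with nothing but the issuer's public key, so a photocopy is still valid but the record cannot be reassigned to another face. Assumed for illustration: Ed25519 signatures, a JSON payload, SHA-256 over the photo bytes, and the constructed EXAMPLE-VAX / LOT-0001 values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Credential is the record encoded in the 2D barcode. PhotoHash binds the face
// photo printed beside the barcode to the signed record (constructed layout).
type Credential struct {
	Vaccine   string   `json:"vaccine"`
	Lot       string   `json:"lot"`
	Date      string   `json:"date"`
	PhotoHash [32]byte `json:"photo_hash"`
}

// Signed is what the barcode carries: the payload plus the issuer's signature.
type Signed struct{ Payload, Sig []byte }

// Issue signs a credential; only the issuer holds the private key.
func Issue(priv ed25519.PrivateKey, c Credential) (Signed, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Sig: ed25519.Sign(priv, payload)}, nil
}

// Verify is the inspector's offline check: it needs only the issuer's public
// key, the scanned barcode and the face photo the presenter showed.
func Verify(pub ed25519.PublicKey, s Signed, photo []byte) (Credential, error) {
	if !ed25519.Verify(pub, s.Payload, s.Sig) {
		return Credential{}, fmt.Errorf("bad signature: altered or not from this issuer")
	}
	var c Credential
	if err := json.Unmarshal(s.Payload, &c); err != nil {
		return Credential{}, err
	}
	if sha256.Sum256(photo) != c.PhotoHash {
		return Credential{}, fmt.Errorf("photo does not match the credential holder")
	}
	return c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	photo := []byte("constructed stand-in for the holder's face photo bytes")
	signed, _ := Issue(priv, Credential{Vaccine: "EXAMPLE-VAX", Lot: "LOT-0001", Date: "2021-03-01", PhotoHash: sha256.Sum256(photo)})
	_, okErr := Verify(pub, signed, photo)
	signed.Payload[12] ^= 1 // flip one bit of the record: the signature no longer matches
	_, badErr := Verify(pub, signed, photo)
	fmt.Println("genuine:", okErr, "| tampered:", badErr)
}
```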

  3. Vaccine scarcity

Where vaccines are scarce, it’s important to prioritize vaccination eligibility according to employment, age, living situation, and health status. To promote privacy, a digital eligibility certificate (using authenticity and equity tech like #1 and #2 above) can be issued by a trusted intermediary, such as a physician or notary. This separate certificate avoids linking eligibility information to the eventual vaccination credential. For added convenience, issuance of the eligibility certificate can also be linked to an allocation registry. Notification of an available appointment can be further privacy-protected using the trusted intermediary to avoid central registries of emails or phone numbers.

  4. Privacy

Patients can be vaccinated anonymously while still producing authentic credentials as described in #1-3 above. However, being able to track patients across time provides valuable additional information. This includes the emergence of variants, vaccine efficacy in various contexts, side-effects, and long-term health impact. Technology for tracking people across time while preserving privacy is already deployed to assist with contact tracing. The de-identified individuals can only be tracked with their informed authorization. Privacy-by-default tracking as a feature of digital credentials is practical given planning and coordination.

  5. Population registries

Maintaining a registry of vaccinated individuals shares many of the equity and privacy challenges of managing a voter roll or credit bureau. A central registry may be needed as variants develop and newer vaccines arise; for example, this registry might ensure that individuals are notified in a timely manner of their eligibility for a booster; it might also work to guard against unnecessary repeat vaccination. Such a registry may require uniqueness checking, for example, referencing a driver’s license number or iris scan against a central registry. The security of such a registry may be problematic. Separation of concerns demands that such registries be strictly limited in scope and highly regulated. This capability could be built into vaccination IT systems but kept inactive until needed. Patients may decline providing license numbers or allowing iris scans until then. This would still be compatible with #1-4, above.

  6. Payment fraud

As the number of vaccination sites expands and eligibility requirements are relaxed, financial fraud by vaccinators could become an issue. Insurance fraud is typically managed by notifying the beneficiary of benefits received. This requires the vaccinator to capture an insurance ID to be submitted for payment. However, there is no particular reason to add this identifier to a vaccine credential, or for the vaccinator to keep it themselves long-term. A digital credential compatible with #1-5, above, could curb potential fraud.

  7. Disparities in access

Data to inform vaccine access policy is needed for both equity and public health. Much of that data is sensitive among groups that suffer discrimination or fear deportation. Access data, however, need not identify or track individuals to be effective. Reliable statistical data is sufficient. Differential privacy is a well-understood technique for describing the patterns of groups within the dataset while withholding information about individuals. The technology can be applied at the vaccinator level by scanning a simple paper form or providing a check-in kiosk. It is therefore compatible with privacy-preserving technology #1-6, above.
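One way to release the access statistics of #7 without tracking individuals, as an added example that is not the author's code: per-group check-in counts with Laplace noise calibrated for epsilon-differential privacy, the standard mechanism for counting queries. The age bands, the records and the epsilon value are constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Record is one check-in captured from the paper form or kiosk: only the
// group needed for access statistics is kept, nothing identifying the person.
type Record struct{ Group string }

// Laplace draws zero-mean noise of the given scale by inverse-CDF sampling.
func Laplace(rng *rand.Rand, scale float64) float64 {
	u := rng.Float64() - 0.5 // uniform on [-0.5, 0.5)
	if u < 0 {
		return scale * math.Log(1-2*math.Abs(u))
	}
	return -scale * math.Log(1-2*u)
}

// PrivateCounts releases per-group check-in counts under epsilon-differential
// privacy. Each person appears in exactly one group, so adding or removing one
// record changes a single count by at most 1 (sensitivity 1); Laplace noise of
// scale 1/epsilon on every count then bounds how much any released figure can
// reveal about one individual. Groups come from a fixed list so that an empty
// group is still released (as noise) rather than disclosed by its absence.
func PrivateCounts(rng *rand.Rand, records []Record, groups []string, epsilon float64) map[string]float64 {
	exact := map[string]int{}
	for _, r := range records {
		exact[r.Group]++
	}
	out := make(map[string]float64, len(groups))
	for _, g := range groups {
		out[g] = float64(exact[g]) + Laplace(rng, 1/epsilon)
	}
	return out
}

func main() {
	// Constructed sample: check-ins tagged with an age band, no identifiers.
	records := []Record{{"18-29"}, {"18-29"}, {"30-49"}, {"65+"}, {"65+"}, {"65+"}}
	groups := []string{"18-29", "30-49", "50-64", "65+"}
	rng := rand.New(rand.NewSource(1)) // fixed seed only so the demo is repeatable
	for g, n := range PrivateCounts(rng, records, groups, 0.5) {
		fmt.Printf("%-6s %.1f\n", g, n)
	}
}
```

Every release spends privacy budget, so a site publishes each count once rather than re-drawing noise for repeated queries of the same data.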

  8. Adverse events

The CDC operates the Vaccine Adverse Event Reporting System (VAERS), which is accessible to clinicians, as well as patients. Similar systems operate as part of clinical trials and post-market surveillance in general. VAERS creates a centralized registry based on online reports. Digital vaccine credentials compatible with #1-7, above, would make it more convenient and more reliable to link adverse event reports to specific sites, times, and lot numbers associated with a vaccination or test. This would entail a privacy risk similar to #7 above which could also be mitigated using differential privacy methods.

  9. Unknown long-term efficacy

Accurate and timely evidence of vaccine efficacy has immense economic and public health consequences. However, the broad scope and contextual sensitivity required to determine this pose challenges that go beyond technological solutions into social engineering. Open source technology can help and goes hand-in-hand with decentralization of technology to communities. Technologies #1-8 above can be designed with community participation in mind, while also including audit features. Audits provide protection against gaming the findings by rogue communities.

  10. Global variation

Technologies #1-9 above can be further enhanced by the adoption of global standards as determined by the World Health Organization and privacy-minded Internet standards groups like W3C and IETF. The adoption of global standards promotes security and trust and prevents political manipulation of medical science through censorship. A decentralized and open source design allows for parallel deployment of standards as well as local innovation.

In summary, separation of concerns allows vaccination information technology to be designed without compromising privacy or equity. We should focus on improving these apps, using open standards, and promoting open source collaboration to boost security and trust. By making vaccine information technology accessible and secure, patient health cards – be they digital codes on paper, or an image on a simple mobile phone – should be available to people in developed nations as well as the developing world. And the technology should apply equally well to vaccination, testing, and other interventions.

It’s not too late to plan for the next variant or pandemic and associated concerns of testing capacity and vaccine allocation. The health and survival of millions could be at stake.

Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country. This post originally appeared on Bill of Health.