Vaccination, test & recovery certificates

Context

A draft regulation of the European Parliament and the Council on the so-called ‘Digital Green Certificate’ provides that, by the beginning of June 2021, each Member State of the European Union must be responsible for issuing 3 certificates:

  1. a certificate confirming that the holder has received a COVID-19 vaccine in the Member State issuing the certificate (‘vaccination certificate’);
  2. a certificate indicating the holder’s result and date of a NAAT test or a rapid antigen test listed in the common and updated list of COVID-19 rapid antigen tests established on the basis of Council Recommendation 2021/C 24/01 (‘test certificate’);
  3. a certificate confirming that the holder has recovered from a SARS-CoV-2 infection following a positive NAAT test or a positive rapid antigen test listed in the common and updated list of COVID-19 rapid antigen tests established on the basis of Council Recommendation 2021/C 24/01 (‘certificate of recovery’).

Legal analysis

Article 1 of the draft regulation states:

« This Regulation lays down a framework for the issuance, verification and acceptance of interoperable certificates on COVID-19 vaccination, testing and recovery in order to facilitate the holders’ exercise of their right to free movement during the COVID-19 pandemic (“Digital Green Certificate”).

It provides for the legal ground to process personal data necessary to issue such certificates and to process the information necessary to confirm and verify the authenticity and validity of such certificates. »

Recital 37 specifies that « this Regulation establishes the legal ground for the processing of personal data, within the meaning of Articles 6(1)(c) and 9(2)(g) of Regulation (EU) 2016/679 (General Data Protection Regulation, Ed.), necessary for the issuance and verification of the interoperable certificates provided for in this Regulation. It also does not regulate the processing of personal data related to the documentation of a vaccination, test or recovery event for other purposes, such as for the purposes of pharmacovigilance or for the maintenance of individual personal health records. The legal basis for processing for other purposes is to be provided for in national law, which must comply with Union data protection legislation. »

A regulation is a legal act that applies automatically and uniformly to all EU countries as soon as it enters into force, without needing to be transposed into national law. It is binding in its entirety on all EU countries. Insofar as the vaccination certificate, the test certificate and the certificate of recovery are only used to facilitate the holder’s exercise of the right to free movement between Member States during the COVID-19 pandemic as referred to in the regulation, no additional legal ground in Belgian law is necessary. If the intention is also to use the certificates to give citizens residing in Belgium access to services delivered in Belgium, a Belgian legislative basis seems to be necessary.

Since the scope of the Regulation is the issuance, verification and acceptance of the certificates mentioned, the processing of personal data about tests or vaccination events for other purposes is to be regulated by Belgian law, in this case the cooperation agreements of 25 August 2020 and 12 March 2021. The regulation does not overrule those cooperation agreements.

Proposal for implementation in Belgium

A web application is made available for requesting a vaccination certificate and a test certificate after authentication of the identity. For children up to 17 years old, the vaccination certificate and the test certificate can (also) be requested by each of the parents as known in the National Register.

The vaccination certificate contains the mandatory data set out in the proposal of the European eHealth network. The data about the vaccination is provided by Vaccinnet.

The test certificate contains the mandatory data set out in the proposal of the European eHealth network. The data about the test results is provided by Sciensano. A test certificate can only be requested for a test performed during the past 72 hours (to be defined).

The certificate of recovery contains the mandatory data set out in the proposal of the European eHealth network. The data about the test results is provided by Sciensano. The certificate indicates the date of the first positive result available within a period of 180 days before the issuing date of the certificate.

All certificates comply with the trust framework and detailed technical specifications set out by the European eHealth network.

The vaccination certificate, test certificate and certificate of recovery take the form of a PDF which can be saved or printed. The field labels of the certificates can be printed in Dutch, English, French or German. The data itself is printed as available in Vaccinnet or at Sciensano. It is being examined how the holder can add the certificates to publicly available mobile card wallets such as FidMe, Key Ring or Stocard.

The bodies that issue the certificate are

Each certificate has a unique number and a delivery date. The eHealth platform manages a database with the relationship between the number of the certificate, the social security identification number (SSIN) of the holder of the certificate and the delivery date. This database can be queried in order to verify the authenticity of a certificate.

A person who wants to exercise the right to correction of the data put on the certificate has to prove the correct data by means of a document delivered by the health care provider that administered the vaccine or performed the test.

Operationalisation proposal

A suitable way to operationalise the proposal is to provide a RESTful API that can be called by a responsive web application and generates the required certificate in the form of a PDF. Should Vaccinnet and Sciensano not have an appropriate environment for making their databases accessible via a RESTful API, an (existing) replica of Vaccinnet and the COVID-19 Test Results Database containing the relevant data could be made accessible via a RESTful API. The RESTful API can be accessed via the responsive web application made available on the Personal Health Viewer after authentication of the identity via CSAM level 400 or higher, or via other user interfaces.

The division of tasks could be as follows:

  • Vaccinnet makes (a replica of) the relevant data from Vaccinnet available;
  • Sciensano makes (a replica of) the relevant data from the COVID-19 Test Results Database available;
  • a broker provides a RESTful API that, when a person requests a certificate via the Personal Health Viewer or another user interface,
    • retrieves the relevant data from one of the replicas;
    • creates the requested certificate in the form of a PDF based on this data (via a free-of-charge, open-source PDF generator);
    • adds a unique number, a delivery date and an issuer indication to the certificate;
    • delivers the certificate in the form of a PDF;
    • stores the social security identification number (SSIN) of the holder of the certificate, the unique certificate number and the delivery date of the certificate in a control database in which the authenticity of the certificate can be verified by third parties;
  • the broker provides a RESTful API for consulting the control database.
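
The control database and its consultation step, described in the list above and in the paragraph on the unique certificate number, can be sketched as follows. This is an added example, not code from the proposal: the schema, the function names, the randomly generated certificate number and the choice to have the verifier present all three values and receive only a yes/no answer are assumptions.

```python
import secrets
import sqlite3
from datetime import date

def open_control_db():
    """In-memory stand-in for the control database (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE control (cert_number TEXT PRIMARY KEY, "
        "ssin TEXT NOT NULL, delivery_date TEXT NOT NULL)"
    )
    return db

def register_certificate(db, ssin, delivery_date):
    """Broker step: assign a unique number and record it with SSIN and date."""
    # Assumption: 128 random bits, so numbers cannot be guessed or enumerated.
    cert_number = secrets.token_hex(16)
    db.execute(
        "INSERT INTO control VALUES (?, ?, ?)",
        (cert_number, ssin, delivery_date.isoformat()),
    )
    db.commit()
    return cert_number

def verify_certificate(db, cert_number, ssin, delivery_date):
    """Third-party check: True only if all three presented values match.

    The answer is a single boolean, so the lookup never returns an SSIN
    and never says which of the presented fields was wrong.
    """
    row = db.execute(
        "SELECT 1 FROM control WHERE cert_number = ? AND ssin = ? "
        "AND delivery_date = ?",
        (cert_number, ssin, delivery_date.isoformat()),
    ).fetchone()
    return row is not None

def demo():
    db = open_control_db()
    ssin = "00000000097"  # constructed sample value, not a real SSIN
    issued = date(2021, 6, 1)
    number = register_certificate(db, ssin, issued)
    return {
        "genuine": verify_certificate(db, number, ssin, issued),
        "wrong_holder": verify_certificate(db, number, "00000000196", issued),
        "altered_date": verify_certificate(db, number, ssin, date(2021, 6, 2)),
        "unknown_number": verify_certificate(db, "0" * 32, ssin, issued),
    }
```

Parameterised queries keep the consultation endpoint safe against injection through the presented certificate number, and the boolean-only response keeps the control database from acting as an SSIN lookup service.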

Other information

World Health Organization

Interim position paper (to check)

Call for public comments: Interim guidance for developing a Smart Vaccination Certificate – Release Candidate 1

GitHub on Smart Vaccination Card (SVC) – Release Candidate 1

Remarks on WHO proposal

Other

COVID-19 credentials initiative

ICAO – Machine readable travel documents