Health pass: are our personal data safe?

► What data does the health pass deliver?

Encoded in the form of a QR code, the health pass reveals very little information during a check. For access to a train, a business or an event, the device displays only the first name, last name and date of birth of the pass holder, as well as the word “valid” or “invalid”. It does not specify whether the holder has a complete vaccination certificate, a negative PCR or antigen test less than 72 hours old, or a certificate of recovery from Covid.

For air travel, the data transmitted is more detailed. The controllers see the information relating to the vaccine or test carried out (country and date of the vaccination or test, type and manufacturer of the test or vaccine, identifier of the certificate and name of the body that issued it).

► How can the information held in the pass be kept?

The health pass can always be presented in paper format. There is no obligation to go digital. But it is possible to keep your health pass securely on your mobile phone, so you always have it with you, thanks to the “notebook” function of the TousAntiCovid application. You just have to scan the QR code in the application for a digital version to be saved on the phone.

The certificate then remains on the mobile. It is not stored in a central file, so it is, in principle, safe from hacking. Only social security, which issued the certificate, has knowledge of each person’s vaccination status. The government assures us that the information stored on the application “does not leave the phone and can be deleted” at any time.

► What happens to the data scanned via the TousAntiCovid Verif application?

Shops can check the validity of a health pass by scanning the QR code with a mobile phone, using the “TousAntiCovid Verif” application. This application was developed by the government precisely for this purpose.

In all cases, the establishments are not authorized to keep the data displayed during the check, under penalty of one year of imprisonment and a fine of €45,000. “No personal data is stored, whether on the terminal of the person authorized to carry out the check or on a central server,” the authorities say. In the case of checks carried out online, in anticipation of a journey or an event, the result of the check may however be stored temporarily.

► Who are the professionals authorized to check the health pass?

Only the managers of establishments appearing on the list drawn up by the authorities have the authorization (and even the obligation) to verify the pass before admitting a client. They are responsible for the checks. They can delegate this task to their employees or to service providers, in which case they must establish the list of authorized personnel, as well as the dates and times at which they carry out these checks.

However, these establishments are not authorized to verify the identity of the pass holder, with the exception of discotheques which already carry out an identity check due to the ban on access to minors. Identity checks can also be carried out on long-distance transport.

► Can an employer ask to verify the health pass of his employees?

The staff of companies subject to the health pass will be required to present their employer with a valid pass from August 30. But, apart from the employees who are in contact with the public and work in cafes and restaurants, cultural places, health establishments and long-distance transport, “no one may require a person to present [a health pass],” including employers, according to the decrees implementing the law establishing the health pass.

► Are devices other than TousAntiCovid Verif authorized to read health passes?

The decree extending the application of the health pass provides for the possibility of using “any other reading device meeting the conditions set by an order of the ministers responsible for health and digital affairs.” These alternatives to TousAntiCovid Verif already exist, but must comply with the strict regulations that apply to all personal data, which is protected in the European Union by the GDPR (General Data Protection Regulation).

But opening up to private actors raises questions and worries the National Commission for Informatics and Freedoms (CNIL), guarantor of the application of the GDPR: “The compulsory use of a single instrument for reading health passes, developed under the control of the public authorities and easily identifiable for citizens, was an important guarantee to avoid the misappropriation of data,” the institution said in an opinion of August 9. To ensure the proper use of data by private sector players, it recommends the establishment of a list of approved reading devices and the publication of their source code.
