Digital Health Passports For Air Travel - Is There Security In Troublesome Times?

Digital Health Passports for air travel - Is there security in troublesome times?

A concern about data privacy

What just happened?

With COVID-19 here to stay for the foreseeable future, the aviation industry has now shifted to focus on its adaptability in these tumultuous times. One of the topics of great importance in the industry now is that of digital health passports.

What does this mean?

For the safety of its local populace, many countries currently require mandatory COVID-19 test results on arrival, and it’s likely that a COVID-19 vaccine confirmation will also be required very soon given the quick ramp-up of vaccine provisions in various countries with air travel hubs such as the UK, USA, and Singapore.

The use of digital health passports removes the need for paper-based documents, allowing passengers to verify their identity and prove their health status by storing results of COVID-19 tests, and eventually, digital vaccination records. The border customs can review the documents through these online systems, reducing the need for contact with any hard-copy documents and unnecessary human interactions.

Several digital solutions have already entered the market from various suppliers, including AOKpass, CommonPass, IATA Travel Pass, Daon’s VeriFLY, the UK-based V-Health Passport. Airlines including British Airways, Singapore Airlines, and Qatar Airways have announced trials of the technology, with some airlines even trialling more than one solution from different providers simultaneously. [1]

With the influx of these new technologies, a challenge that arises is the implementation of the digital health credentials in a secure way in order to protect passengers’ privacy. Most of the aforementioned solutions have a privacy-by-design approach, which takes into account the sensitive data of passengers and only publishing data where necessary and having in place protective mechanisms to prevent sensitive data from being leaked. [2]

TSA’s Executive Assistant Administrator of Operations Support, Stacey Fitzmaurice, stressed that the public must be reassured that their personal identification and health information is protected and used for the intended purpose. She noted that a digital health passport should be able to provide information pertinent to a specific use case, and that data minimalisation is key to ensuring necessary information is provided about an individual while also respecting their privacy and civil liberties. [3]

How does this impact the legal sector?

Health data is deemed as "sensitive data" under the European Union's General Data Protection Regulation. [4] In-house legal teams and law firms should advise their companies and commercial clients on carrying out due diligence into the new digital systems before letting their employees embark on using them to store their health data.

Privacy and satisfactory data protection are valued by many business travellers, as shown from BCD Travel’s survey in January 2021. [5] Therefore, governments will need to work with companies to consider legislation to ascertain a clear legal basis for authorities using the health data of individuals. If there is success in identifying an appropriate legal basis, an impact assessment would need to be carried out to consider whether airlines, governments, air ticket booking platforms, or the digital passport provider, would bear responsibility as controllers or processors of the data in the event of a data breach.


The Legists Content Team

Assessing Firms:

#HoganLovells #CooleyLLP #DLAPiper #BakerMcKenzie #Covington&BurlingLLP



[1] Future Travel Experience, ‘Digital health passports: Standardised, interoperable and coordinated approach needed for industry-wide rollout’ (February 2021) <>

[2] Xu Heng, ‘A Value Sensitive Design Investigation of Privacy Enhancing Tools in Web Browsers’ (2012) Decision Support Systems 54(1), 424-433

[3] n1

[4] Article 9 of the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data OJ L 119, 4.5.2016, p. 1–88

[5] Amon Cohen, ‘Travel Health Passports Triggering Data-Privacy Alarms’ (Business Travel News, 29th January 2021) <>



Stay Tuned

Receive regular news, updates, upcoming events and more...