As businesses, government agencies, and nonprofits reopen and employees return to in‑person offices, many pandemic safety measures are being modified. If your company checked employees’ or customers’ vaccine status or collected other COVID-related information, have you considered what to do with the data now? Businesses that maintain that information or that developed apps or other products to facilitate its collection can pass along an important pointer to others planning to enter the burgeoning health app marketplace: Sensitive health information should come with a “Caution: Handle with Care” label.
Does your business develop vaccine verification apps?
Some vaccine verification “passport” apps store a digital copy of a person’s vaccination card. Others give the user a digital record to save in other apps or in a mobile wallet. In addition to a person’s vaccine status and possibly their test results, some apps collect other information to verify the person’s identity – for example, their name, date of birth, zip code, email address, and phone number. Some apps even tap into state or pharmacy vaccination records. Once verified, apps may keep the data on the phone, others may access data from the cloud, and still other may create a digital credential (often a QR code) that other apps can scan. If your company creates vaccine verification apps or if you’re developing other health-related apps, here are some key considerations.
- Make accurate representations. Clearly explain how people’s information will be used and shared and then live up to those promises. If your company has deployed apps to read credentials at storefronts, ensure that those businesses understand your practices and the limits on how they may use the data you share.
- Keep your app updated and your customers in the loop. If your app needs to be updated to protect against new security vulnerabilities, follow through and do just that. And if a customer needs to update information on file to continue to use your app, communicate that clearly.
- Review and update your privacy claims. Companies are creating apps that may evolve over time to share new or different information, particularly as they relate to public health developments. If your privacy claims don’t keep pace with changes to your data practices, consumers could be misled.
- Minimize the data that is shared. When verifying a consumer’s vaccination status, it may be sufficient to communicate their status to another entity without sharing the person’s name, date of birth, email address, type of vaccine, etc. That principle applies equally to other health-related apps.
- Protect the data you use for verification. If your app transmits sensitive data to verify a person’s status, use transit encryption. People using those apps (or other health apps) commonly rely on open Wi-Fi access points at coffee shops, airports, and other locations where it’s easy for info thieves to intercept data. If your app stores information on a phone, consider protecting or obscuring the data. This helps protect users in the event of viruses (the digital kind), malware, or a lost device.
- Apply the lessons of the pandemic as you develop new health-related apps. Health apps are here to stay. But before your company rushes to market with a new product, train your team to prioritize best practices for secure development. If you Start with Security – and keep it Job #1 as you design, develop, and test – you can reduce the risk of rolling out a product with a fatal flaw. Another important resource: NIST’s Secure Software Development Framework (SSDF). Before your product goes live, verify that it works as advertised and that security measures are operational. One unskippable step: testing your product to ensure it’s not susceptible to common security vulnerabilities.
- If you’re dealing with health data or kids’ data, understand applicable standards and regulations. Additional legal provisions may apply when health information and kids’ information is involved. Seek guidance on the Children’s Online Privacy Protection Act and the COPPA Rule, the Health Insurance Portability and Accountability Act (HIPAA), the Health Breach Notification Rule, and other relevant laws.
Does your business, nonprofit, or other group check people’s vaccine status?
If your company verifies the vaccine status of employees, customers, or others – whether by using an app, checking vaccine cards in person, getting scans of cards via email, etc. – here is some advice to keep in mind. These principles will remain relevant as new health apps enter the market.
- Consider your objective. When checking the status of customers or employees, are you doing that to ensure they’re vaccinated – or do you need more information to comply with legal obligations or possibly conduct contact tracing? Identifying your goal can be an important step to figuring out how to best achieve it.
- When checking someone’s vaccination status, less is usually more. Consider whether you can simply confirm a person is vaccinated by viewing their vaccination card or a digital credential. If you don’t need more detailed information, don’t ask for it and don’t collect it in the first place. You don’t have to protect data you never had
- Research the marketplace. If you decide to use an app or other technology to assist in checking vaccination status or performing other health-related functions, exercise the utmost care in selecting service providers Investigate the companies, learn more about their software, and ask questions about their privacy and data security practices. What information will they be sharing with you? What information will an app be collecting from you, your customers, or your employees? Are the representations you make to others consistent with your service provider’s practices?
- Provide a secure environment. If you do use technology to collect personal information, do you have a secure network through which the information is transmitted? And if you must maintain information, can you store it securely?
- If you need to maintain information about a person’s vaccine status, consider how long you have to retain it. Once you no longer have a legitimate need for someone’s vaccine status or other health-related information, dispose of it securely.
- Use the return to the in-person workplace – or the transition to a more permanent remote office – as a chance to take stock of the data you collect and retain. If you don’t have an ongoing need for a consumer’s date of birth to verify their status, don’t store it. Or if you use an app at a storefront to verify vaccination status of customers, think critically about how long data related to any one customer visit needs to be stored. But don’t stop there. Look beyond COVID-related circumstances to take a fresh look at your information collection and retention practices. Why collect or keep data you don’t need?
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
- We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
- We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
- We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
- We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.
I agree with everything shared down to the last sentence. Thank you providing excellent recommendations for the times!