World Health Organization COVID certificate guidance skips digital ID
The World Health Organization has published its technical and implementation guidance for COVID-19 vaccine certificates. The guidance is based on the W.H.O.’s mandate to support healthcare, rather than economic activity. Among the assumptions the organization starts with is that member states will make their own decisions about how to uniquely identify certificate bearers.
The W.H.O.’s ‘Digital documentation of COVID-19 certificates: vaccination status: technical specifications and implementation guidance’ is divided into sections on ethical considerations and data protection, continuity of care and proof of vaccination scenarios, the core data set, national trust architecture, national governance considerations, and implementation considerations. It is intended as interim guidance, and is part of a series which includes separate guidance on documentation for test results and recovery from COVID.
Key principles behind the core data set include data minimization, open standards, paper and digital implementations, and the idea that not all data elements need to be found on the data certificate. The core data set itself is made up of a header, vaccination event details, and certificate metadata.
The proposal for Digital Documentation of COVID-19 Certificates (DDCC) sharing vaccination status is based on public key infrastructure (PKI) and barcodes or QR codes.
The guidance reiterates that the mandate of the project is only to support attestation that vaccination has occurred, rather than to serve as an immunity passport or permission.
Certificates can be printed on an analog document, as on a handwritten paper certificate or a PDF print-out, or stored on a smartphone.
The guidance stipulates that the DDCC:VS is not an identity document, and while a unique identifier is recommended, a name and date of birth are sufficient biographic data to meet the proposed specification. Biometrics are mentioned among optional personal data.
W.H.O. guidance on COVID certificates originally only covered a continuity of care use case, and the extension of the certificates to analog or digital “health passes” introduces a new set of ethical concerns, which the guidance examines. These include the likelihood of fraud, and while built-in “anti-fraud mechanisms” are among the recommendations in the document, what those mechanisms should be is not mentioned, except that they should work without the use of any digital technology.
While the guidance notes that the identity binding of the certificates can be extended to meet standards like those of ICAO for international travel, the W.H.O.’s approach contrasts with those focused on the digital health pass use case, which necessitates guidance specifically about how the digital identity aspect should work.