By Sarah Bakar, Lisa Hooper and Chong Shao

As governments roll out vaccinations and the COVID-19 pandemic begins to ease in certain parts of the world, tentative plans to reopen international travel have begun. Central to these plans is the ongoing discussion of having a kind of digital document to prove that individuals are vaccinated – that is, a ‘vaccine passport.’

There are many different versions that have been or are being developed by various organisations such as governments, airlines and industry groups, non-profits and technology companies. Vaccine passports are not only being developed to facilitate international travel. They have also been proposed to be used for domestic purposes, such as entry into restaurants and events. 

In the realm of international travel, several passes have been introduced: CommonPass, AOKPass and the IATA Travel Pass. To date, the IATA Travel Pass has received the most uptake from airlines. These include Singapore Airlines, Qatar Airways, and Emirates Airlines to name a few. 

The Travel Pass was developed by the International Air Transport Association (IATA). It is a mobile app that allows travellers to store and manage their verified certifications for Covid-19 tests and vaccines.

Nick Careen, Senior Vice President, Airport Passenger Cargo and Security at IATA said‘It’s about trying to digitize a process that happens now and make it into something that allows for more harmony and ease, making it easier for people to travel between countries without having to pull out different papers for different countries and different documents at different checkpoints.’

How the Travel Pass app will work

Travel Pass will ask users to create a profile, enter their flight details, and direct the users about their requirements for travel such as suggesting verified testing facilities. Travel Pass will integrate with testing facilities so that the results can be sent directly to the app. Moreover, when governments start to issue digital vaccine certificates, the individual can opt to upload this certificate onto the app as well. Once the appropriate data has been uploaded, the user will receive a confirmation or ‘okay to travel’ notification which is relied upon by airlines.

In the app’s current state, a physical passport will still be used to confirm a person’s identity in conjunction with the app; COVID-19 results and vaccination status will not be ‘linked’ to a person’s physical passport. IATA’s plan is that Travel Pass will eventually be able to store an individual’s passport details on the app and thus be able to link COVID-19 results and vaccination status in one place. 

Travel Pass and privacy

While Travel Pass is still in the early stages of being released to the wider public, we note that its cautious approach to data handling is in line with public sentiment. For example, the Australian Community Attitudes to Privacy Survey 2020 found that 9 in 10 Australians want more control over their data.

From what has been published by IATA, Travel Pass appears to be mostly sound from a privacy and security perspective. Based on the current Travel Pass privacy policy, we note the following privacy positives:

  • Use of Travel Pass is voluntary 

  • IATA conducted a Data Protection Impact Assessment (DPIA) of the Travel Pass (although we note that this has not been published) 

  • IATA built Travel Pass from the beginning with privacy by design principles 

  • The app gives control to the user in terms of what information is entered (such as using the digital passport facility and/or uploading their vaccination certificates) and who it is shared with (no information is shared with an airline or government without their authorisation)

  • All Travel App data is stored locally on the device – this includes verified COVID-19 test results and vaccinations certificate (however, the IATA server will temporarily process data in order to facilitate an action such as receiving test results from a testing facility or sharing data with a partner)

  • Deletion of the app means the deletion of all data 

  • If an individual chooses to share data with a partner, the data is encrypted and sent directly to them from the mobile device. 

There are some remaining issues where more clarity and transparency would be welcome, for example:

  • What is the procedure involved in an airline verifying an individual’s ‘Okay to travel’ status? Do airline staff sight the status or are individuals required to share their test results/vaccination status? 

  • What will be the mechanism for oversight and assurance that what is described in the privacy policy is the reality? 

  • Can we be sure about the assurances that IATA will immediately delete the processed data from its servers? What happens in case of technical issues? Is the data retrievable? 

As more and more airlines participate and adopt Travel Pass, we hope and expect more information to be made available on how Travel Pass handles user data and the benefits of having such tool.