Vaccination, test & recovery certificates

Context

A regulation of the European Parliament and the Council on the EU digital COVID certificate provides that by 1 July 2021 each Member State of the European Union must be responsible for the issuing of 3 certificates:

  1. a certificate confirming that the holder has received a COVID-19 vaccine in the Member State issuing the certificate (‘vaccination certificate’);
  2. a certificate indicating the holder’s result and date of a NAAT test or a rapid antigen test listed in the common and updated list of COVID-19 rapid antigen tests established on the basis of Council Recommendation 2021/C 24/0121 (‘test certificate’);
  3. a certificate confirming that the holder has recovered from a SARS-CoV-2 infection following a positive NAAT test carried out by health professionals or by skilled testing personnel (‘certificate of recovery’).

Legal analysis

Article 1 of the proposal for a regulation states:

“This Regulation lays down a framework for the issuance, verification and acceptance of interoperable certificates on COVID-19 vaccination, testing and recovery for the purpose of facilitating the holders’ exercise of their right to free movement during the COVID-19 pandemic (“EU Digital COVID Certificate”). It shall also contribute to facilitating the gradual lifting of restrictions of free movement put in place, in compliance with Union law, to limit the spread of COVID-19, in a coordinated manner.

It provides for the legal ground to process personal data necessary to issue such certificates and to process the information necessary to confirm and verify the authenticity and validity of such certificates in full compliance with Regulation (EU) 2016/679.”

Recital 37 specifies that “this Regulation establishes the legal ground for the processing of personal data, within the meaning of Articles 6(1)(c) and 9(2)(g) of Regulation (EU) 2016/679, necessary for the issuance and verification of the interoperable certificates provided for in this Regulation. It does not regulate the processing of personal data related to the documentation of a vaccination, test or recovery event for other purposes, such as for the purposes of pharmacovigilance or for the maintenance of individual personal health records. Member States may process such data for other purposes, if the legal basis for processing of such data for other purposes, including the related retention periods, is provided for in national law, which must comply with Union data protection legislation, the principles of effectiveness, necessity and proportionality, and should contain provisions clearly identifying the scope and extent of the processing, the specific purpose involved, the categories of entities that can verify the certificate as well as the relevant safeguards to prevent discrimination and abuse, taking into account the risks to the rights and freedoms of data subjects.”

A regulation is a legal act that applies automatically and uniformly to all EU countries as soon as it enters into force, without needing to be transposed into national law. It is binding in its entirety on all EU countries. As long as the vaccination certificate, the test certificate and the certificate of recovery are only used to facilitate the holder’s exercise of the right to free movement between Member States during the COVID-19 pandemic, as referred to in the regulation, no additional legal ground in Belgian law is necessary. If the intention is also to use the certificates to give citizens residing in Belgium access to services delivered in Belgium, a Belgian legislative basis seems to be necessary.

Since the scope of the Regulation is the issuance, verification and acceptance of the certificates mentioned, the processing of personal data about tests or vaccination events for other purposes is to be regulated by Belgian law, in this case the cooperation agreements of 25 August 2020 and 12 March 2021. The regulation doesn’t overrule those cooperation agreements.

Implementation in Belgium

A web application is made available on the Personal Health Viewer for digitally requesting a vaccination certificate, a test certificate and a certificate of recovery after authentication of the identity. For children up to 17 years old, the vaccination certificate and the test certificate can (also) be requested by each of the parents as known in the National Register.

The vaccination certificate, test certificate and certificate of recovery take the form of a PDF which can be saved or printed. The field labels of the certificates can be printed in Dutch, English, French or German. The data itself is printed as available in Vaccinnet or at Sciensano.

A mobile app, named CovidSafeBe, will also be available on Android and iOS for digitally requesting a vaccination certificate, a test certificate and a certificate of recovery after authentication of the identity. This app allows the certificates to be stored in a wallet.

Another mobile app, named CovidScanBe, will be available on Android and iOS for scanning the QR-code of a vaccination certificate, a test certificate or a certificate of recovery.

The model of the certificates is defined by the European Union.

The vaccination certificate contains the mandatory data set out in the proposal of the European eHealth network. The data about the vaccination is provided by Vaccinnet.

The test certificate contains the mandatory data set out in the proposal of the European eHealth network. The data about the test results is provided by Sciensano. A test certificate can only be requested for a NAAT test performed during the past 72 hours or a rapid antigen test performed during the past 24 hours.

The certificate of recovery contains the mandatory data set out in the proposal of the European eHealth network. The data about the test results is provided by Sciensano. The certificate indicates the date of the first positive result available within a period of 180 days before the issuing date of the certificate.

All certificates comply with the trust framework and detailed technical specifications set out by the European eHealth network.

The bodies that issue the certificate are

Each certificate has a unique number and a delivery date. It contains an electronically signed QR-code.

A person who wants to exercise the right to correction of the data on the certificate has to prove the correct data by means of a document delivered by the health care provider that administered the vaccine or executed the test.

This presentation gives an overview of the certificates, the apps and the web application available on the Personal Health Viewer.

Operationalisation

A suitable way to operationalise the proposal is to provide a RESTful API that can be called by a responsive web application and generates the required certificate in the form of a PDF. Should Vaccinnet and Sciensano not have an appropriate environment for making their databases accessible via a RESTful API, an (existing) replica of Vaccinnet and the COVID-19 Test Results Database containing the relevant data could be made accessible via a RESTful API. The RESTful API can be accessed via the responsive web application made available on the Personal Health Viewer after authentication of the identity via CSAM level 400 or higher, or via other user interfaces.

The division of tasks could be as follows:

  • Vaccinnet makes (a replica of) the relevant data from Vaccinnet available;
  • Sciensano makes (a replica of) the relevant data from the COVID-19 Test Results Database available;
  • a broker provides a RESTful API that, when a person requests a certificate via the Personal Health Viewer or another user interface,
    • retrieves the relevant data from one of the replicas;
    • creates the requested certificate in the form of a PDF based on this data (via a free of charge open source PDF generator);
    • adds a unique number, a delivery date and an issuer indication to the certificate;
    • delivers the certificate in the form of a PDF;
    • stores the social security identification number (SSIN) of the holder of the certificate, the unique certificate number and the delivery date of the certificate in a control database in which the authenticity of the certificate can be verified by third parties;
  • the broker provides a RESTful API for consulting the control database.
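
The broker's issuance and control-database steps listed above, combined with the 72-hour and 24-hour request windows from the implementation section, as an added example (not code from the Belgian implementation). The table layout, function names, issuer value and random certificate number format are assumptions, and PDF rendering is left out.

```python
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# Request windows stated on the page for test certificates.
WINDOW = {"NAAT": timedelta(hours=72), "RAT": timedelta(hours=24)}

def open_control_db():
    """Hypothetical control database: SSIN, certificate number, delivery date."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE control (cert_no TEXT PRIMARY KEY,"
               " ssin TEXT NOT NULL, delivered TEXT NOT NULL)")
    return db

def issue_test_certificate(db, ssin, test, now, issuer="EXAMPLE-ISSUER"):
    """Broker steps: check the window, number and date the certificate, record it."""
    window = WINDOW.get(test["type"])
    age = now - test["sampled_at"]
    # Unknown test types, expired tests and future-dated tests are all refused.
    if window is None or not timedelta(0) <= age <= window:
        raise ValueError("no test certificate can be requested for this test")
    cert = {"cert_no": secrets.token_hex(16),  # random, so numbers cannot be guessed
            "delivered": now.isoformat(), "issuer": issuer,
            "test_type": test["type"], "result": test["result"]}
    db.execute("INSERT INTO control VALUES (?, ?, ?)",
               (cert["cert_no"], ssin, cert["delivered"]))
    db.commit()
    return cert  # input for the PDF generator; rendering is out of scope here

def verify(db, cert_no, delivered):
    """Third-party lookup: answers yes or no and never returns the SSIN."""
    row = db.execute("SELECT delivered FROM control WHERE cert_no = ?",
                     (cert_no,)).fetchone()
    return row is not None and row[0] == delivered

if __name__ == "__main__":
    now = datetime(2021, 7, 1, 12, 0, tzinfo=timezone.utc)
    # Constructed sample record; the SSIN is a dummy value.
    test = {"type": "NAAT", "result": "negative",
            "sampled_at": now - timedelta(hours=30)}
    db = open_control_db()
    cert = issue_test_certificate(db, "00000000000", test, now)
    print(verify(db, cert["cert_no"], cert["delivered"]))
```

Requiring both the certificate number and the delivery date in the lookup, and answering only true or false, lets third parties check authenticity without the control database disclosing who holds a certificate.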

Other information

World Health Organization

Interim position paper (to check)

Call for public comments: Interim guidance for developing a Smart Vaccination Certificate – Release Candidate 1

GitHub on Smart Vaccination Card (SVC) – Release Candidate 1

Remarks on WHO proposal

European Commission

EU Digital COVID Certificate – state of play third country equivalence decisions 

Link to Official Journal (OJ) | Countries
OJ 9 July 2021 | Switzerland
OJ 2 August 2021 | San Marino, Vatican
OJ 20 August 2021 | North Macedonia, Turkey, Ukraine
OJ 15 September 2021 | Albania, Andorra, Faroe Islands, Israel, Monaco, Morocco, Panama
OJ 29 October 2021 | Armenia, United Kingdom
OJ 16 November 2021 | Georgia, Moldova, New Zealand, Serbia
OJ 25 November 2021 | Singapore, Togo
OJ 10 December 2021 | Cabo Verde, Lebanon, United Arab Emirates
OJ 22 December 2021 | Montenegro, Taiwan, Thailand, Tunisia, Uruguay
OJ 16 February 2022 | Benin, Jordan
OJ 4 April 2022 | Colombia, Malaysia
OJ 11 May 2022 | Indonesia, Seychelles, Vietnam
OJ 29 July 2022 | Oman, Peru, Philippines
OJ 13 October 2022 | Brazil, New Zealand (in respect of the Cook Islands, Niue and Tokelau)
OJ 21 February 2023 | Azerbaijan, Hong Kong
Bilateral agreement | United Kingdom (England, Northern Ireland, Scotland, Wales)

Other

COVID-19 credentials initiative

ICAO – Machine readable travel documents