On May 19, 2021, the Federal, Provincial and Territorial Privacy Commissioners provided an unusual and joint statement around vaccine passports, where they cautioned about the use of these measures, even when effective in addressing the harm of the pandemic,
At its essence, a vaccine passport presumes that individuals will be required or requested to disclose personal health information – their vaccine/immunity status – in exchange for goods, services and/or access to certain premises or locations. While this may offer substantial public benefit, it is an encroachment on civil liberties that should be taken only after careful consideration. This statement focuses on the privacy considerations.
Vaccine passports must be developed and implemented in compliance with applicable privacy laws. They should also incorporate privacy best practices in order to achieve the highest level of privacy protection commensurate with the sensitivity of the personal health information that will be collected, used or disclosed.
Above all, and in light of the significant privacy risks involved, the necessity, effectiveness and proportionality of vaccine passports must be established for each specific context in which they will be used.
Since that time, many of these vaccine passports have been implemented across Canada, and in some cases they have been challenged under applicable privacy laws.
The Information and Privacy Commissioner of Ontario recently upheld the use of this practice in the university setting in University of Guelph (Re), where the university required students provide proof of vaccination or medical exemption for students wishing to live on campus.
The Privacy Commissioner had little difficulty in concluding that this data was “personal information” as defined by section 2(1) of the Freedom of Information and Protection of Privacy Act (FIPPA).
In demonstrating that the collection was proper under the Act, or “necessary to the proper administration of a lawfully authorized activity,” the university pointed to the operation of the institution under s. 11 of its constating statute. At the time the policy was created, O. Reg. 364/20 required businesses or organizations to follow “the advice, recommendations and instructions of public health officials,” which included a vaccine requirement.
The amount of personal information collected is also subject to data minimization practices, which is defined by the Information and Privacy Commissioner of Ontario as,
“…the practice of limiting the collection of personal information to that which is directly relevant and necessary to achieving a specified purpose.
The Joint Statement also calls for limiting the personal health information to necessary purposes. The Privacy Commissioner concluded,
 In my view, without collecting the vaccine information requested through the COVID-19 Questionnaire, for the start of 2021-22, the university would have been unable to make any of these determinations and, ultimately, obtain proof of full COVID-19 vaccination for students in the residences, which was required to achieve its purposes of complying with the advice, recommendations and instructions of public health officials, and managing its affairs to achieve its objects and purposes.
 For this reason, in my view, the personal information collected by the university was directly relevant and necessary for these purposes. Further, there is nothing before me to suggest or demonstrate that the university collected a greater amount, or other types, of personal information relating to students’ COVID-19 vaccination status.
This finding is important because this necessity test has been historically applied in a restrictive manner, and also applies to collection of information under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). In Cash Converters Canada Inc. v. Oshawa (City) the Court of Appeal for Ontario stated,
 ….in order to meet the necessity condition, the institution must show that each item or class of personal information that is to be collected is necessary to properly administer the lawfully authorized activity. Consequently, where the personal information would merely be helpful to the activity, it is not “necessary” within the meaning of the Act. Similarly, where the purpose can be accomplished another way, the institution is obliged to choose the other route.
Privacy cases have generally used three factors in evaluating this necessity:
1. the means used to collect the personal
2. the sensitivity of the personal information
3. the amount of personal information.
What is not included in this factors is any requirement for consent to the collection of personal information, and in some contexts it has been found that consent is not even required.
In the context of vaccine passports during the height of the pandemic, vaccine status would not necessarily be considered particularly sensitive, and could be upheld if obtained in minimally intrusive ways that limited the amount of personal information retained.
Whether such measures would continue to be upheld would largely appear to depend on whether it is supported by medical experts at the time. Their use is currently under review, and the experts appear to be divided.
Where it is not warranted by medical advice, these practices should not continue indefinitely. While that may not be of much assurance to those with objections to vaccine passports at this time, it may provide some comfort in knowing that the collection of vaccine or other medical information that is merely helpful will not enjoy unlimited support.