Is the Legalization of Vaccination passports an intrusion of personal data?

The latest issue is vaccination passports. Are they too much of an intrusion into one’s privacy and data protection? In MB we already have a vaccination card, and the only thing it collects is your name, how many shots you received and what kind. There is no other information collected. Effective October 30th, 2021, there is a national vaccination QR code that individuals can save on their smartphone. However, the national card is going to contain a lot more information, such as the person’s age and other highly personal data. Whether or not the MB card/QR code can be added to the national one or act in its place is an issue that will have to be resolved soon.


The State of California has recently passed AB 825 that includes the protection of “genetic” data as being part of personal information. Data breach notification rules are now applicable to genetic data. “Genetic data is any data that results from an analysis of a biological sample or an equivalent element from a consumer that concerns genetic material. This includes DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, and SNPs.”[1]

The State of Connecticut in the USA has recently passed new data protection rules. For example, the period within which a business must notify consumers and the attorney general of a data breach goes from ninety days to sixty days, and the rules also impose the requirement that data managers must provide 24 months of identity theft services to affected consumers. These are but some of the improvements made to ensure proper data protection. The inclusion of genetic data in both of these laws shows the increasing regulation of health and medical data outside of HIPAA. This is a very interesting development which I am sure we will see similarly drafted and added to privacy and data protection law both provincially and federally in the near future.

PIPEDA does not currently address the use of genetic data by insurers. The Privacy Commissioner includes this statement as part of their web link: “The absence of any specific prohibition on the use of genetic test results by insurers has raised concerns about genetic discrimination and the fear that potential discrimination might act as a deterrent to genetic testing even when clinically advisable.” Reference should be made to the following web link:

In addition to the proactive changes made in the State of Connecticut, there is also a Bill before the US Senate that imposes a new rule: if there is a ransomware attack on a payment system, the business must provide notice of the cyber attack to the consumer within 24 hours of the event happening.[2] As technology changes, so too does the speed at which data and information can be accessed and affected by cyber criminals. Maintaining an appropriate level of cyber insurance is becoming ever more necessary and critical to the survival of businesses in this fourth industrial revolution.

[1] The National Law Review, Oct. 27, 2021, Vol. XI, No. 300

[2] The National Law Review, Ibid.

Bill C-11, which was before Parliament prior to the election this past Fall, will soon be brought back when a new session of Parliament returns. Bill C-11 is to replace the current PIPEDA law as it relates to data protection, and penalties will surely increase for those businesses who are in breach. More on this Bill in the next issue of this newsletter.


DAVID H. DAVIS, Technology and Innovation lawyer: