AKI: Personal data must be protected when checking COVID-19 certificates

Vaccination certificate QR code. Source: ERR

Before coronavirus certificate checks are set to be implemented across Estonia on Monday, the Data Protection Inspectorate (AKI) emphasizes that the data on the certificates is sensitive and personal, which means event organizers must ensure it is not misused.

From August 9, new capacity caps will be introduced which limit the number of people allowed to gather at indoor events to 50 and those at outdoor events to 100 if no checks are made on entry.

The number of participants can be higher if the organizer ensures coronavirus certificates are checked on entry. In such cases, there may be up to 6,000 attendees indoors and up to 12,000 outdoors. The COVID-19 certificates of all attendees must be checked, their authenticity and validity must be verified, and in case of doubt, the identity of the person providing the certificate must be established.

Certificates are not required for people under 18 as they have not yet had the chance to get vaccinated.

AKI recommends event organizers use kontroll.digilugu.ee, a digital checking platform developed by the state, which ensures personal data will not be misused.

"The government order, which gave entrepreneurs the right to check coronavirus certificates, does not allow for the data to be gathered. Therefore, if the entrepreneur decides to check coronavirus certificates with an alternative application, they must first make sure what the application does with the data," explained AKI technology adviser Urmo Parm.

Parm said that while entrepreneurs might not want to retain the data, an application could still save it and forward it to a third-party country. "If this happens, the entrepreneur who allowed the application access to the data is responsible," the adviser noted.

AKI does not know of any other applications that can read coronavirus certificate QR-codes issued in Estonia, but the inspectorate admits that such applications cannot be ruled out going forward.

Event workers who are tasked with checking certificates must also be educated in basic data protection principles and a confidentiality agreement must be signed, obligating workers to keep any data they received while working the event to themselves.

Identification can only be checked if there is reasonable doubt

In addition, AKI points out that the government order only allows for identification checks if there is reasonable doubt. The inspectorate's legal adviser Liisa Ojangu said organizers cannot check the ID-card of each visitor.

"This action would go beyond powers conferred by legislation and it would also be unethical to suspect everyone of dishonesty. Until the government publishes clearer directives, common sense should be used and identity checks should only be conducted if there are obvious discrepancies - perhaps the name on the certificate is of the opposite sex, the person's appearance does not match the date of birth, the vaccination date is earlier than vaccines were even conducted in Estonia, etc.," Ojangu said.

She also emphasized that checking false coronavirus certificates still begins with checking the QR-codes. "Since coronavirus certificate checks are such a new solution and it includes processing personal data in a large amount, entrepreneurs must first think how they are affected by this new situation," Ojangu said, adding that AKI's homepage can offer answers to some questions.

The kontroll.digilugu.ee platform, used to check coronavirus certificates. Source: https://kontroll.digilugu.ee/



Editor: Kristjan Kallaste
