Aug 30, 2023

Manitoba Ombudsman has released its report on the privacy implications of the Manitoba immunization card launched in June 2021, in which Manitobans could request an immunization card to be used as proof they were fully vaccinated against COVID-19.   

We recognize it was no small obligation to ensure privacy protection in the development and operation of the immunization card during a critical phase of the province’s history. The card needed to be usable throughout the province in a broad range of social environments to allow for safe re-opening concurrent with the gradual removal of emergency health orders. The immunization cards and certificate needed to be accurate, readily available and verifiable while at the same time protecting an individual’s personal health information from unauthorized collection, use and disclosure.

Anticipating the public interest and concerns that the card’s introduction would generate, we launched our review on June 10, 2021 to assess and comment on privacy implications and on whether the collection, disclosure and security of Manitobans’ personal health information by Manitoba Health, Shared Health Manitoba, and Manitoba Central Services (the Trustees) complied with the Personal Health Information Act (PHIA). Our review continued throughout the time period in which the card was in use and after it’s deactivation in Manitoba was publicly announced on February 10, 2023. It is important to note that the initiative continues to provide information for the purpose of the Canadian proof of vaccination credential and for individuals to read their proof of vaccination information on a limited basis.

Our objectives in conducting the review were to:

- determine the legislative authority to use and disclose personal health information for the purpose of creating an immunization card

- confirm whether the verifier (individual who scans the QR code) collects any personal health information

- review the notice about the handling of citizens’ personal health information

- review the retention and destruction policy

- determine what additional information is generated through the utilization of the card

- review the security safeguards for the personal health information

- evaluate whether there are any secondary uses of the data collected and, if so, determine what is the legislative authority to use the data for a different purpose

- confirm whether a privacy impact assessment will be conducted for this initiative

- determine whether a framework or policy has been or will be developed providing guidance for the use of immunization cards.

Overall, we found that the Manitoba Immunization card was and is compliant with PHIA in the development, implementation and deactivation phases of the initiative.  We found that the collection, use and disclosure of personal health information for the initiative is authorized under PHIA, including being limited to the minimum amount reasonably necessary to accomplish the purpose. Participation was initiated by the individual and is based on informed consent. The trustees took appropriate measures to protect and secure the personal and personal health information of Manitobans. 

It was evident that trustees employed a strong privacy management approach in their work and designed the Manitoba immunization card and verifier applications with privacy in mind.  It is a good example of why it is important for organizations to complete a privacy impact assessment at the outset of a project.  This was a recommendation we made to the stakeholders when we began our review.

As more organizations use technology to innovate and deliver services, a privacy impact assessment is an important tool that can assist a trustee to anticipate and prevent potential risks to privacy when developing or evaluating a program or service. It is also a proactive approach to privacy that demonstrates to citizens that their personal information is being appropriately managed and safeguarded.

https://www.ombudsman.mb.ca/uploads/document/files/case-mo-00342-en-en.pdf