Will Australia’s vaccine passport get the stamp of approval?

Will Covid passports get the tick? Picture: Istock
Australians are desperate to travel and encouragingly there is hope in sight, with the federal government announcing they will begin to issue international COVID-19 vaccination certificates from as early as next month. Conversations are also underway with other countries to work out what a lockdown-free, borderless Australia could look like in mere months.

But with the new plan so reliant on – and offered exclusively to – vaccinated citizens, how can the government roll out a vaccine passport that can prove vaccination status quickly and, more importantly, securely?

Little conversation is being had around the security implications and data privacy concerns which need to be addressed and properly managed for the rollout to be both successful and secure.

Our current status: vaccination unknown

As more and more of the population over the age of 16 become fully vaccinated, they are eligible to lodge their “double vaccination” status with MyGov, which seems only natural given the pre-existence of the nationally available system.

With robust “Covid Safe Check-in” systems already in place across the states and territories, the digital scheme is designed to allow Australians to access various places such as cafes, restaurants, and cinemas, and to enjoy other freedoms, such as interstate and international travel.

While the government isn’t labelling the offering a “vaccine passport”, it certainly bears resemblance to that which we have seen in many other countries across the globe. After all, looking at what other countries have done well and not so well might just be the key to a more successful rollout.

Looking abroad for inspiration

From Europe to the US, travellers are understandably sceptical about sharing their medical information with a third party, and rightly so. Keeping your digital identity secure with a vaccine passport will be key to a safe implementation.

While the end goal would be to have a uniform pass that is accepted anywhere in the world and to keep digital identities secure, the reality is that today there are still a wide variety of approaches being taken by governments around the world, with widely varying goals and privacy protections.

New York State, for example, has partnered with IBM to implement the Excelsior Pass which uses blockchain technology in an app to show proof of a vaccine or negative Covid test results. In Israel, residents can use a “green pass” as either a digital app or a physical card. China is using WeChat to track their vaccine passports, and even tiny Bermuda has its SafeKey to enable tourism and larger public gatherings.

In many regards, however, Europe is the most similar to Australia when it comes to frequent cross-border travel. With its European Union (EU) Digital Covid Certificate rolled out across the continent, it looks increasingly likely to serve as an exemplar for down under.

The EU Covid Certificate includes standardised vaccination status for the individual in a QR code that is protected by a digital signature to make it tamperproof. Each time the EU Covid Certificate is scanned, the unique digital signature is verified – meaning the data integrity of the vaccination status and the legitimacy of the issuing body is confirmed – leaving very little room for falsification.

At the same time, no personal information is shared or tracked during the verification, helping preserve the privacy of individuals.

The data security provided by the Public Key Infrastructure (PKI) and digital signatures is proven by decades of experience in large rollouts, including the e-passports in common use around the world.

Whether the issuing body is a hospital, test centre or other health authority, each has its own digital signature key, allowing each country to manage the way the vaccination certificates are created in their jurisdiction. This standards-based approach allows the system to scale quickly across the EU, while respecting national government operations and individual privacy.
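The verification flow described above can be sketched as follows. This is an added example, not code from the article or from the EU scheme; it is a simplified model in which Ed25519, the JSON payload, the issuer id `HOSP-01` and all type and function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Cert models the QR contents: issuer key id, payload bytes, signature.
type Cert struct {
	KeyID        string
	Payload, Sig []byte
}

// TrustList is the verifier's local copy of issuer public keys.
type TrustList map[string]ed25519.PublicKey

var ErrUnknownIssuer = errors.New("issuer key not in trust list")
var ErrBadSignature = errors.New("signature does not match payload")

func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// Issue signs the payload bytes with the issuing body's private key.
func Issue(keyID string, priv ed25519.PrivateKey, payload []byte) Cert {
	return Cert{KeyID: keyID, Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// Verify runs offline: issuer legitimacy first, then payload integrity.
func Verify(tl TrustList, c Cert) error {
	pub, ok := tl[c.KeyID]
	if !ok {
		return ErrUnknownIssuer
	}
	if !ed25519.Verify(pub, c.Payload, c.Sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv := NewIssuerKey()
	tl := TrustList{"HOSP-01": pub} // constructed issuer id
	c := Issue("HOSP-01", priv, []byte(`{"name":"Jane Citizen","doses":2}`))
	fmt.Println("genuine:", Verify(tl, c))
	c.Payload = []byte(`{"name":"Jane Citizen","doses":3}`) // altered after signing
	fmt.Println("tampered:", Verify(tl, c))
}
```

The verifier needs only the list of issuer public keys, so a scan can be checked without contacting the issuer or sending the holder's details anywhere.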

Why reinvent the wheel if we don’t have to?

From the limited details available, it sounds like the Australian initiative is built on the lessons of the EU Digital Covid Certificate, which itself integrates related standards from the International Civil Aviation Organisation and the World Health Organisation. This makes sense because, while today the focus is on internal requirements, one hopes we will soon see the reopening of international activity and the need for these vaccination certificates to work across borders.

Australia is in a great position with its existing government-led eID wallets, so adding the vaccination status is a logical next step. Ironically, the EU’s Digital Covid Certificate efforts have led to new initiatives there to institute eID wallets that work to common standards, are privacy sensitive, and transparent in their operations.

The issue of transparency is important, as users have an aversion to using any vaccine credential that may turn into another layer of user tracking on the internet. Notably, the EU spent considerable time on the privacy rules surrounding its EU Covid Certificate and its use. Citizens will be more likely to adopt a credential whose rules are clear, and whose use is entirely under their own control.

The best-designed vaccine certificates contain only minimal personal information to identify the holder, and only communicate to validate the PKI-based signature rather than transmit the details of the passport.

Whatever the approach, an effective vaccine passport needs to reassure travellers of its safety. To instil public confidence, careful planning and consideration needs to be undertaken to ensure the program has clear goals, strict privacy parameters, and is developed with the highest security standards and the best interests of Australians’ digital identities in mind.

Stephen Davidson is Senior Manager, Governance, Risk and Compliance, DigiCert

Original URL: https://www.theaustralian.com.au/business/technology/will-australias-vaccine-passport-get-the-stamp-of-approval/news-story/f880f66151dc14cbc930f28050d35617