332 6th Avenue SW, Suite 900 Calgary, AB, T2P 0B2
Carscallen LLP

Privacy factors for businesses considering COVID-19 vaccination requirements

Privacy factors for businesses considering COVID-19 vaccination requirements

We previously discussed the issue of whether employers in Canada could require COVID-19 vaccinations for their employees returning to work on the blog here. Outside of the employment law context, legal considerations also arise for businesses that are considering implementing so-called “health passports” or “immunity passports” for customers or patrons physically attending their place of business or receiving certain (mostly in-person) services. Aside from employment law and other issues that may arise from such measures, there are additional legal considerations for private businesses in Canada in refusing to provide services or access to people based on immunity status.


The basic idea of a digital “health passport” or “immunity passport” is that patrons or customers would have to provide digital confirmation to businesses of either a negative COVID-19 test, or having received the COVID-19 vaccination. Requiring a health passport at businesses such as restaurants and bars, theatres, cinemas, sporting arenas and other public venues would supplement current public health regulations (i.e. mask mandates and quarantine requirements) and could also assist business owners in both ensuring a safe and healthy workplace for their employees and customers, as well as providing businesses with economic incentives for safely staying open and operating.

For example, Ticketmaster previously announced that it may require attendees to provide a “health passport” for entry at its sporting and concert events (although the company subsequently backtracked on this idea due to public backlash). Similarly, several airlines have announced that they will require international travellers to receive the COVID-19 vaccine once it becomes widely available in order to travel with them. Last week, Emirates became one of the first international airlines to trial the International Air Transportation Association’s (“IATA”) digital “Travel Pass”, a digital passport in the form of an app downloaded to a user’s cell phone to help verify the user’s pre-travel COVID-19 test results or vaccination certificate.

Much like the COVID-19 tracing apps developed around the world (to varying degrees of success, as we discussed previously), the proposed digital COVID-19 “health passports” would primarily involve an app downloaded to a user’s phone that encrypts the user’s health information in order to provide confirmation of that information to authorities, businesses, or institutions which require it.


COVID-19 vaccination requirements that are imposed by businesses on customers differ from mask or quarantine requirements that are issued by the government, making it a more fraught and potentially difficult decision for business owners to apply and enforce. Unlike general mask mandates, it is highly unlikely that any Canadian governments would issue general vaccination mandates for the public (barring certain exceptional circumstances). As a result, vaccination requirements for entry to private businesses would be imposed at the discretion of business owners, and businesses may experience customer backlash or negative repercussions if they refuse entry or service to unvaccinated customers without any related government mandate.

Whether a business owner can legally impose vaccination requirements on customers and patrons is a highly fact-dependent situation that should involve consultation with an experienced lawyer.


Private businesses requiring proof of and having access to an individual’s private health information also presents significant privacy issues. Most importantly will be how that private information is stored and encrypted, and whether there is any centralization or regulation of these apps by the relevant governmental authorities. For example, airlines in Canada are federally regulated, so if COVID-19 vaccination or immunity is ultimately required for air travel we could expect to see some form of federal regulation or direction relating to the storage and protection of that information. (This may end up being incorporated into the new federal privacy legislation, which was announced by the federal government late last year.)

As with the COVID-19 tracing apps, if multiple apps are developed and utilized by different industries, then individual health information could potentially be shared on multiple platforms. We are already seeing the development of a number of “health passport” apps including: the IATA’s Travel Pass mentioned above (for international travel and use by airlines); CommonPass by the Commons Project; CLEAR’s Health Pass for expedited airline security lines; and IBM’s Digital Health Pass, to name just a few.

An additional consideration is that several of these apps are being developed by private corporations, and some individuals will be reluctant to share their personal information with a company such as IBM in order to access services or attend a business.

Ultimately, businesses considering utilizing digital health passports for patrons will want to consult an experienced privacy lawyer to understand what their responsibilities and obligations are with respect to using and protecting that private information in the course of their operations.

Carscallen LLP’s Privacy Law Expertise

Carscallen LLP’s Privacy Law Group advises private businesses, public sector entities and healthcare clients on compliance with their obligations under applicable national and provincial privacy laws, including Canada’s Anti-Spam Legislation (CASL), the Personal Information Protection Act of Alberta (PIPA), the Freedom of Information Protection Act of Alberta (FOIP), the Healthcare Information Act of Alberta (HIA), and the CRTC’s Unsolicited Telecommunications Rules. We offer a full range of legal services in the area of Privacy Law. If you have any questions about your business or organization’s compliance with its privacy law obligations, or you need advice on a potential or actual privacy breach, please contact a member from our Privacy Law group for more information.

*This update is intended for general information only on the subject matter and is not to be taken as legal advice.

Posted: February 2, 2021

Related Posts

Comments are closed.