A legal analysis has shown Brussels' vaccination platform Bru-Vax respects personal data, Brussels health authorities' have announced, following criticism of a data leak regarding people's vaccination status.
Earlier this week, it was reported that people, for example, employers, insurers or banks, could find out if a Brussels resident had been vaccinated by simply entering a national registry number and a postal code on the platform, however, the region's health authorities, the Joint Community Commission (Cocom), have denied these claims.
"As a public administration, Cocom ensures that the protection of privacy is respected. Legal analyses concluded that the Bru-Vax platform respects personal data," a statement from the authority on Thursday evening read.
The Bru-Vax tool was launched by Cocom in April 2021, replacing the federal registration platform. According to Cocom, it was designed to improve accessibility to vaccination, by just requiring a name, state registration number and postal code, for people to register for a vaccine.
Related News
- 'Sense of mistrust': vaccination and Covid Safe Ticket divide society, Unia says
- Belgium's four-day teleworking obligation 'absolutely incomprehensible'
"This is essential in the context of the digital divide in Brussels, problems with the reception of invitation letters, and a lower level of adherence to vaccination among citizens," it said.
According to previous reports, entering this data on the platform would show if it is possible to set an appointment. If the option to schedule an appointment shows, it means that person has not yet been vaccinated.
As reports about the supposed data breach came out, one citizen's rights organisation that fights for privacy and fundamental rights, Charta21, sent a letter to Cocom urging it to “immediately put an end to the data leak," resulting in the authority starting a legal analysis.
While the legal analysis was ongoing, Cocom's head, Inge Neven, said that it was important to emphasise that the use of someone else's national registration number by a person, without having a legal basis, "constitutes unlawful processing of personal data and a breach of the General Data Protection Regulation (GDPR)."
No unauthorised access to data
The authority's legal department has now found that "Bru-Vax does not allow massive leakage of personal data," as "there is no breach of personal data if Bru-Vax's security system does not allow unauthorised access to the data."
Cocom added that anyone who enters the booking system does not have access to personal information about the vaccination, that it is simply possible to book an appointment (for the 1st or 3rd dose) or, if this is not possible, to be refused an appointment by being told: "you are not eligible".
"This message and the fact that an appointment can be made does not constitute a breach of security and does not allow the deduction of a person's immunisation status. There are a number of reasons why access to booking an appointment may be blocked or allowed."
The authority added that regular updates are made to the platform and that it "will adapt the system to remove any possibility of inferring a person's vaccination status even by accessing the profile," to take into account the concerns raised by citizens.
