With only a national registry number and a postal code, employers, insurers or banks can see in just a few clicks whether a Brussels resident has been vaccinated, De Tijd and Le Soir reported on Tuesday.
The oversight is the result of the way Bruvax, the Brussels vaccination platform, is set up. Predictably, citizens’ rights organisations have been quick to voice their indignation at what they view as a gross breach of privacy.
By simply entering a national registration number and postal code (both of which employers have for their employees) into the platform, it is possible to see if there’s an option to set an appointment.
If the option to schedule an appointment shows, it means that person has not yet been vaccinated.
Charta21, a non-profit organisation founded during the lockdown that fights for privacy and fundamental rights, sent a letter to the Brussels Joint Community Commission (Cocom) on Monday evening, urging it to “immediately put an end to the data leak.”
“While the Prime Minister and the Data Protection Authority recently reminded us that an employer does not have the right to know our vaccination status, the Bruvax site allows all employers to know the vaccination status of all employees residing in the Brussels Region,” Jacques Folon, privacy expert and member of Charta21, told De Tijd.
The competent services were on leave on Monday due to a holiday, but a spokesperson said that they would “examine the question with the services and people concerned.”
The Bruvax tool was launched by Cocom in mid-March and replaced the federal registration platform. With just a name, state registration number and postal code, Brussels residents can choose a vaccination centre. By simplifying the procedure, the city wanted to make it possible to register an (older) family member.
With only 56.2% of the population fully vaccinated in Brussels, the region lags far behind Flanders (80.2%) and Wallonia (69.8%).
Legal analysis in progress
Reacting to the news during a press briefing on Tuesday, the head of the Brussels Health Inspectorate Inge Neven said that the legal analysis is still ongoing at the moment and that it seems “a bit too early to make a statement on that.”
“Of course, as a public institution, we try to respect all regulations concerning the GDPR as much as we can,” she said. “So if it turns out that we need to make adjustments, we will certainly do so.”
Bruvax was developed to make registering for vaccination as easy as possible for all residents of Brussels, which is why Cocom chose to do that via people’s national registry number, Neven confirmed.
“Additionally, and not unimportantly, if someone uses someone else’s national registry number without their permission, that is also considered an offence, so that is why we think we are certainly in the right,” she said.
“But the analyses are in progress and we will certainly come back to this when they are finished,” Neven concluded.
Update: This article has been updated to include a response from the head of the Brussels Health Inspectorate.