David Cullinane (Waterford, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

1005. To ask the Minister for Health if he will advise on a matter raised in correspondence by a person (details supplied) about the EU digital Covid-19 certificate; and if he will make a statement on the matter. [41539/21]

Stephen Donnelly (Wicklow, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Just like the paper version of the Digital COVID Certificate (DCC), the digital version of the DCC contains personal information such as name, date of birth and details about the vaccination received by the individual. Data is held in an encoded but unencrypted form. It is an open EU wide standard and there are numerous tools and applications freely available which enable decoding of this information. Hence any device which scans these codes has the ability to display the information. It is an open inter-operable standard, so that it can be used for checks at border crossings and as such, this risk cannot be totally eliminated.

Existing safeguards in the current DCC Checker App:

1.Only limited information is displayed.

2.After 2 minutes the information of the last scanned DCC code is automatically removed from the html of the web page and any “printing/saving” of the page will not save any information.

3.The verifier cannot use the browser back button to view earlier scanned codes.

4.The simple, streamlined design page makes it easy for an alert user to catch someone with open browser consoles trying to capture underlying information like DOB.1

Additional improvements in the upcoming versions of DCC Checker App: At present, after decoding - all the information is available as a JSON response but the new version will mask the DoB and UVCI fields.

In relation to the question regarding who is responsible for the protection of the certificate information, whether restaurants or bars ask for people to provide mobile numbers to facilitate contact tracing or whether they ask people to provide evidence of vaccination, they still have a duty of care under GDPR to treat that personal information correctly and in compliance with data protection regulations.