The government must explain how Covid-19 passports will be used and how they will ensure accurate identification, a privacy expert has said.

Last week transport secretary Grant Shapps confirmed the NHS App would be used as a Covid-19 passport from 17 May when international travel resumes.

Announcing the 12 countries on the UK’s ‘green list’, which won’t require quarantine upon return, he said the passport would be used to prove Brits have had their vaccination, or tested negative for the virus, before going on holiday.

But Eerke Boiten, professor in cyber security at De Montfort University in Leicester, told Digital Health News that “too little” is known about how these passports will be used.

“They need to tell us what the scenarios are that they envisage, what are the use cases? And then pin those down sooner rather than later,” he said.

“At the moment we just know too little about how they are going to implement it.”

Boiten, who has previously been vocal on the privacy risks of some contact-tracing apps, said in principle he is “less worried” about Covid-19 passports if they are limited to international travel, but added a strong authentication system would need to be in place to ensure privacy and proper use.

“As usual, the questions to ask are around authentication and the chances for abuse,” he told Digital Health News.

“What guarantees on authentication do they rely on? Because owning a phone is not strong enough authentication, or not strong enough identification of the holder.

“It needs to be tied to some identity system at some point and the use cases need to justify that.”

Boiten suggested a QR code could be used to verify a person and only transfer necessary vaccination data.

“In any situation we need to know that whoever presents the passport is the genuine holder of the passport. Not only that the passport information can’t be forged from scratch, but also that you can’t use somebody else’s information in that situation,” he said.

The NHS App allows users to access a range of NHS services on their smartphone or tablet. It was launched in 2018 and offers services including symptom checking and triage; appointment booking; repeat prescription ordering; access to patient records; national data opt-out; and organ donation preference.

It already allows users to check their vaccination status if permitted by their GP, which applies to all jabs.

To better asses potential security risks associated with using the NHS App as a Covid-19 passport, Boiten downloaded it and assessed the level of personal information it held on himself.

“In terms of privacy risks, I don’t think it adds significantly to the risks that are already in the NHS App itself,” he told Digital Health News.

“The NHS App has sensitive information about prescriptions in there. Having that on your phone, with the right security measures, is already a situation where we need to worry about making sure sensitive information doesn’t leak.

“Covid status, in some ways, is probably less sensitive than some of the other medical information, but on the other hand it’s also more powerful if it allows people more autonomy.”

But he said a data protection impact assessment would need to be carried out before Covid-19 passports are rolled out to ensure privacy and security.

Following confirmation of Covid-19 passports from Shapps a government spokesperson said “security and privacy will be at the core of our approach”. The added a solution for people who didn’t own a smartphone was also being considered.

When contacted by Digital Health News about how Covid-19 passports would be implemented the Department of Health and Social Care was unable to provide further information.