He specified that this platform had undergone adaptations and would undergo more following the report, ten days ago, of a data protection breach by the Charta 21 association.
According to the latter, the problem lies in the fact that the national register number is required for registration and that people other than the holder can enter this number on the platform and learn the holder's vaccination status.
Alain Maron reminded the members of the Brussels Parliament's Health Committee who questioned him on Thursday that Bru-Vax, launched last April, was designed to improve access to vaccination in a Brussels context marked by a digital divide, problems with the delivery of invitation letters, and lower vaccine uptake among citizens.
Unlike the Doclr platform, which Brussels gave up, Bru-Vax does not require prior registration, the use of the identity card, or any other complex identification system (based, for example, on a series of numbers) of the kind used to access medical data. This has made it much easier for trusted third parties such as pharmacists, general practitioners, relatives or even street workers to book appointments for thousands of people.
“In practice, the call centers set up across the country to support appointment setting apply the same procedure as that established for the Bru-Vax site. It is therefore possible for a usurper in possession of the NISS number to deduce the vaccination status of the person for whom he claims to be calling,” commented Alain Maron in passing.
According to the minister, the change at issue in Bru-Vax took place on September 15. It was intended to make it easier to book an appointment for the third dose and to prevent people from signing up for two appointments when they only needed one.
According to the initial analyses by Cocom's legal department, the administration considers that displaying whether a citizen is (not) eligible for a vaccination or for a (first / second / third) dose, for medical reasons (some citizens cannot receive it), after the national register number and a Brussels postal code have been entered, does not constitute a “breach of security” within the meaning of the definition in Article 4.12 of the General Data Protection Regulation.
Nevertheless, the Bru-Vax site was adapted again on November 19, so that whoever logs in to Bru-Vax can no longer tell whether the person concerned is eligible for a first dose or a booster dose.
At the same time, an external legal analysis carried out urgently at the request of Minister Maron indicates, according to the latter, that it “seems a priori difficult to maintain that the changes made on September 15 do not constitute a breach of personal data, given that the treatment allowed everyone with access to the NISS of a person concerned to pretend to be them and to deduce their vaccination status”.
The lawyer consulted noted that the GDPR gives the controller some latitude in determining the level of security suited to the processing, and that the objective of fighting the pandemic as much as possible, taking into account the specific situation of Brussels and the health risks it faces, was weighted much higher than the risks of unauthorized access to the vaccination status of the people concerned.
“In conclusion, the risk analysis carried out by Cocom is based on an in-depth weighting of risks and rewards. It was not taken lightly. We have decided to follow the advice of the lawyer without delay, that is to say to re-examine the appropriate level of security in order to meet the objective of accessibility while maximizing compliance with GDPR rules and to adopt, pending the outcome of this process and the definition of new measures allowing access to the Bru-Vax site, a process fully compliant with the GDPR,” further explained the Minister.
The instructions given to agents of the Brussels vaccination call center are also being reviewed to ensure that a person calling the call center cannot deduce any private information during the conversation.