This should be much more clearly defined IMHO. At the moment if there are no formal requirements in place, it is possible for an admin of an authorized lab to start using labs private key to issue "validity certificates on the side e.g. for profit"... Much more specifics should be defined about how the private keys are stored / protected (e.g. HSM requirements or other similar requirements which are defined by standards) and also limitations as to if e.g. cloud based HSMs are allowed. Also the security requirement should be strictly defined in the arrangements between WHO and national level authorities as well as between national level authorities and healthcare providers. For smaller countries or countries with centralized EHR with lab results the issuance of keys might end within national authority (as it would be signing the SVCs with its keys and no keys shall be handed over to labs/healthcare providers)

It would be important in my view to allow member states also to publish a field which is used internally for unique identificaiton (e.g. some member states have unique social security numbers). This way the validation would be much more specific than just name,surname and birth date. This field of course can be optional

This approach with dataset in QR code is not mandatory and to enable privacy certain data can be used in hashed encryption - thus for validation the VERIFIER would enter the same data and compare "hash". This way much more privacy would be enabled with a comparatively small design overhead.