Tracing Data Flows in Norway and Austria: A Comparative Study of Vaccination Data Governance

epidemiological


Introduction
The COVID-19 pandemic revealed the immediate relevance of immunisation data for vaccination governance.For many national immunisation programs, data registry practices appeared insufficient for providing an accurate account of vaccine coverage or target risk groups, and to make prioritizations as to who should be vaccinated and when.One example is Austria, where in January 2022, the parliament passed a new law by which COVID-19 vaccination became mandatory for residents above the age of 18 (with several exemptions).Yet amongst other things, it was unclear how those who had not been vaccinated could be identified and how compliance with the vaccine mandate could be monitored.It appeared impossible to link the newly established vaccine registry with the existing population registry and the epidemiological registry (which records people who tested positive for .In other words, it appeared technically and politically impossible to move data from one registry to another, to enable the correct data to flow to the proper sites, and to enforce a historic piece of legislation -which was then ultimately abolished.This is but one example of how immunisation registry data can play a central role in governing vaccination not only in times of crisis, but also in 'normal' times.As epidemiologists have shown (see, for instance, Crowcroft and Levy-Bruhl, 2017), registry practices vary considerably across countries, including the technical arrangements, actors, and practices that are involved in making data flow and that make it interoperable with other data.From the perspective of science and technology studies (STS), this variability in data practices and infrastructures is not surprising, of course, but their link to contemporary forms of governance remains insufficiently explored.Doing comparisons between specific practices of governing health and disease across countries seems particularly pressing in the context of the ongoing pandemic, where the efficiency and reliability of immunization registries and the (lack of ) interoperability of registry data have shaped not only public debates but vaccination governance itself.This paper examines this link and asks: What is the role of registries in vaccination governance?How do data practices shape and reflect relations between citizens, health providers and the state?In this paper, we study different versions of immunisation registries in two countries: Norway -a paradigmatic data intensive welfare stateand Austria, which we label 'data hesitant' .We analyse how both countries have developed and implemented different registry infrastructures for collecting data on vaccination.Our analysis focusses on childhood immunisation programs which are central pillars of public health governance in welfare states, where political, historical, and cultural differences are particularly prevalent.While childhood immunisation programs constitute our focus, out of necessity, our analysis also sheds light on how registries re-emerged as a governance issue in Norway and Austria in the early COVID-19 pandemic.
The main analytical concept that we mobilise in this study to capture and understand differences in immunisation (data) governance is 'data flows' .Building upon a rapidly emerging body of studies on data practices and data journeys in STS (see for example Leonelli and Tempini, 2020;Bates et al., 2016) allows us to examine the material, social and political circumstances that make data travel and the values, agencies, and responsibilities that are tied to and negotiated on these journeys.We postulate that data practices shape and reflect deep-rooted historical and political differences in governance.Our comparative approach foregrounds, first, how the achievement of individual and collective immunity is intimately linked to the material and political conditions that make data flow (or not).Second, and relatedly, we show how data flows, in turn, make available specific ways in which state authorities, citizens, and health care providers become tied together.Below, we lay out the analytical framework of our study and then proceed to explain our methodological approach.Subsequently, our empirical analysis provides a detailed account of (vaccination) data governance in Norway and Austria and the kind of relations they entail between the state, health providers, and citizens.

Investigating registry practices and data flows
Scholarship on datafication and digitalisation has commented critically on the varied impact of the arrival of big data with respect to its potential to not only increase surveillance (Boyd and Crawford, 2012), but also its capacity to produce data for curing diseases or enhancing access to information.Overall, the 'datafication of health' (Ruckenstein and Dow Schüll, 2017) and medicine has been of key interest among the emerging body of studies in STS, and much has been written on how databases and new digital tools redistribute and challenge ethics, accountability, transparency, citizenship, as well as patienthood (e.g., Hoyer et al., 2019;Pinel and Svendsen, 2021;Ruppert et al., 2017;Cakici et al., 2019).The growing number of studies focussing on the intense datafication and data optimism in the Nordic countries is particularly noteworthy (Bauer, 2014) but tends to privilege data-intensive forms of governance over those that feature a reluctance or hesitancy towards datafication and digitalisation (Paul and Haddad, 2019;Paul and Loer, 2019).The present study seeks to contribute to our understanding of datafication and digitalisation by contrasting two paradigmatic instances that are situated at opposite ends of a spectrum of datafication: Norway presents a case of data-intensive governance while Austria features what one may call data hesitant governance.Setting these against one another is instructive for understanding the link between registry practices and governance more fundamentally in and beyond the public health domain.Our study of data flows in vaccination governance also speaks to the longstanding interest in enumerative practices for government and state formations (e.g., Porter, 1995;Desrosières, 1998;Scott, 1998).Building on these earlier studies of data practices, more recent work has turned to the socio-material conditions for collecting, sharing, and using digital data beyond the state, including scientific research and industry actors (e.g., Leonelli 2020) and the values, frictions, or challenges in accountability that emerge from new data (Pinel and Svendsen, 2021;Leonelli and Tempini, 2020;Amelang and Bauer, 2019;Høyer et al., 2019;Høyer, 2019;Bates et al., 2016;Tupasela et al., 2020).Overall, it becomes clear that registries do not merely consist of devices and their technical connections, but function to tie together, or hold apart, a range of actors, practices, values, and imaginaries (Star and Ruhleder, 1996).
In the recent edited volume on Data Journeys in the Sciences (Leonelli and Tempini, 2020), Leonelli proposes the concept of 'data journeys' to capture and analyse the different "conditions under which data are handled, understanding the reasons underpinning such diversity, and identifying nodes of difference and similarity in ways that can help develop best practice" (Leonelli, 2020: 5).Like Leonelli, Bates et al. (2016) point to the 'frictions' of data journeys and how these are linked to the historical, cultural, and political circumstances of the data.Others have mobilised the concept of data flows to analyse the various attachments that enable and emerge from such journeys.The work of Høyer et al. (2017) and Pinel and Svendsen (2021) on flows, nonflows, and overflow, for instance, points to the need to study the role of data flows for enabling particular relations between individuals and the state.
The present study pushes this link between data flows and governance forward.We do so by focusing on an area of datafication that has typically gone unnoticed in the literature on enumerative practices, perhaps due to its seemingly mundane character: that of immunisation registries.Most scholarship on immunisation data practices and governance has focussed on technical aspects and challenges related to the collection, use, and sharing of data (e.g., Pebody, 2012;Balog, 2012), leaving the political aspects of these questions unattended to.Yet, vaccine registries are clearly political in nature: First, they contain decisions as to how individuals and populations are targeted and what interventions are included as data points (i.e., childhood vaccines, COVID booster vaccines, etc).Second, the design and use of registries involve questions as to how this data can or should be used, such as for monitoring individual and collective immunity, or vaccine uptake among specific groups.Third, registries imply decisions as by whom this data can be used and thus distribute agency and responsibilities differently.The concept of data flows helps us to tease out these political aspects and to understand how data comes to matter in the first place.It further helps us locate data in a concrete physical space -such as doctor's offices or electronic vaccination records -and importantly, highlights 'frictions' of data flows and how these generate and reflect particular forms of vaccination governance.Moreover, this conceptualization emphasizes how differences and contingencies make available different ways in which state authorities, citizens, and health care providers become tied together by vaccine registries -and thus shape what it means to be a citizen not only through data (Friese and Latimer, 2019;Ruppert et al., 2017;Cakici et al., 2019) but through the practices and infrastructures that make data flow (or not).Finally, paying attention to 'flows' provides a framework and approach to do comparison in a manner that is sensitive to contextually contingent practices of governance.

Methods and materials: Doing comparative case studies of data flows
In the volume Thickening Comparison: On Multiple Facets of Comparability, Niewöhner and Scheffer (2010: 3) make a case for comparison in ethnographic research that should "(exceed) both the single case study and the contrasting of any number of multiple cases".Drawing on Geertz's (1973) notion of 'thick description', Niewöhner and Scheffer (2010) argue that thickness emerges in and from comparison for two reasons: first, because it requires a processual and explorative attentiveness to the objects and what is compared; and second, it calls for an awareness of the limitations of doing comparisons and the reductions it might implicate (Niewöhner and Scheffer, 2010: 3-4; see also Friese and Latimer, 2019;Deville et al., 2016).This argument is in line with other methodological contributions in STS that engage affirmatively with comparisons and the field's emphasis on case studies as a methodological and analytical critique of universals (Beaulieu et al., 2007).Like Niewöhner and Scheffer, Beaulieu and colleagues (2007: 687) point out how doing comparative studies relies upon careful staging of the research object -"not through the use of a formalized framework, but through interaction and conversation".
The idea for this paper emerges from a shared interest among the authors in challenges related to governing immunization, as well as a longstanding interest in the politics of health and disease (Bjørkdahl and Druglitrø 2019;Paul 2016;Paul and Loer, 2019).The immediate differences that seemed to exist in our empirical sites (Norway and Austria) regarding registry practices stood in stark contrast to the ongoing requirements for interoperability of immunisation data at the European level and the level of the World Health Organisation (Pichelstorfer and Paul, 2022).These efforts to establish technical interoperability appeared to be a means towards joint action where political integration -a joint vaccination program -remains impossible.Observing these tensions between technical and political integration in our respective national contexts in more detail, our objects of comparison became shaped through what Niewöhner and Scheffer (2010) Science & Technology Studies XX(X) have called 'thickening contextualisations' .The thickening was achieved by different methodological strategies for the two sites: we conducted a mainly document-based analysis and web-based study to examine Norwegian data flows, supplemented with two interviews.Our study of Austrian data flows was primarily shaped by interviews, supplemented with document analysis.We will detail these asymmetries in data collection in the following sections.The differences in our methodological approaches reflect the material differences in data flows in our two cases, including where and by and for whom the data is made accessible.
The Norwegian system for data registry practice features -at least at the level of policy reports, scholarly literature, and web portals -a high degree of transparency and accessibility.The web portal of the Norwegian National Institute of Public Health (NIPH) is, for instance, comprehensive in terms of statistics, reports, publications, legal texts, and fact sheets, providing a rich empirical field site.The website became an important site for accessing reports and newsletters about immunisation data.Another web portal that has been important for this analysis is "Helsenorge.no"and "My Vaccines", where individual citizens have direct access to their personal immunisation information.The relevant regulations around immunisation and health data, including data protection, are also all accessible online.We have particularly investigated the Norwegian Immunization Directive (SYSVAK), which is the key legal text for governing the administration of vaccination and immunisation data, and the Health Registries Act [Helseregisterloven] that manages data protection concerns of registry data and the Infection Protection Act [Smittevernloven].We also accessed online newspaper articles, press releases by the Ministry of Health, and other published interviews with stakeholders about the infrastructures for making immunisation data flow in the Norwegian context.We additionally interviewed two experts (in Norwegian) at the Infectious Disease Registries located at the NIPH who were responsible for immunisation data collection, sharing, and use.These interviews (including follow-up questions and clarifications via subsequent email exchange) were mainly to clarify aspects of our analysis of online sources.
In Austria, in contrast to the remarkable transparency and accessibility in Norway, documentation of the National Immunisation Program (NIP) has largely been limited to publications of annual vaccination rates that are aggregated on a national level, which conceal regional variations and fractured forms of health data governance.Moreover, the closed-off nature of policymaking (Prainsack and Gmeiner, 2008) restricts the accessibility of policy materials for researchers -hence raising a need for interviews.To be clear, while access to digital documents (e.g., annual reports and vaccination schedules) is common, these documents remain fairly technocratic and do not offer insight into policy practices and implementation.What is more, at the level of federal states, even digital material is scarce and much knowledge is shared informally.The purpose of the interviews was to understand not only different perspectives, but specific practices.In this sense, we conducted them with a certain "ethnographic sensibility" (Prainsack and Wahlberg, 2013) where in-person interviews enabled access to data flow materials that would have otherwise remained inaccessible.As for the Austrian case, we draw on ten interviews (in German) with policy officials and epidemiologists at public health authorities involved in collecting, curating, and using childhood immunisation data.These practiceoriented interviews were specifically conducted for a study of vaccination registries in 2018 using a semi-structured interview guide that aimed at eliciting narratives about data practices, and more specifically how data infrastructures were set up and how data is collected, shared, and used.We approached senior officials and program managers in four out of nine federal states.In our sampling strategy, we aimed for variation in our selection of sites to understand the variability of data collection in Austria.Document analysis included annual reports by the Ministry of Health over the period of five years, the mother child health pass, the websites of pertinent authorities (Ministry of Health, social insurers) and printed material provided by state authorities.Some of this material was not publicly accessible but was collected during the interviews when interview partners demonstrated how they produced and shared data on immunisation, using artefacts such as vouchers and template letters or pointing out features of software in use.
Using these materials, we sought to trace the infrastructures of data flows and in what form data travels, and what actors and networks are put to work in making data flow.We also focus on how vaccination registries are mobilised as governance tools in policy reports, and on the material set-up of the two national immunisation programs, i.e., the infrastructures in which vaccines are administered and recorded, exploring what is recorded or not, by whom, and to what end.In our analysis, we use five joint themes to organize the material: data entry (with locations and involved actors); material data infrastructures and their historical development; data sharing and data frictions (i.e.references to disconnections and disruptions of data flows); data use (e.g. for public health monitoring); and the role ascribed to different actors (e.g., public health institutions, epidemiologists, doctors, citizens) in registries (e.g. as producers, owners, or users of data).While comparative analysis risks losing empirical, normative, or conceptual detail that emerges in single case studies, it has clear benefits by putting insights from single case studies into perspective and specifically allowed us to pool knowledge from two parallel research projects.Our own entanglement in the two policy contexts as well as our experiential knowledge both as users of and commentators on these two systems proved useful in obtaining access to the field.This ethnographic sensibility (Prainsack and Wahlberg, 2013) along with our experience of the pandemic shaped our comparative approach and the multiple iterations of our analysis.The following section, we begin our analysis by exploring the contingencies of organising, regulating, and valuing immunisation data and registries, and how they have developed over time.We trace how immunisation data is put to work in different ways in two national immunisation programs -that of Austria and Norway -and networks of sites and stakeholders that are included in the organisation of immunisation governance.Subsequently, we focus more intimately on how data flows, what and whose work is involved in making data flow across different locations and how these flows mirror and reproduce particular relations between the state, citizens, and healthcare providers.

Norway: data flow optimism and tight couplings
Scholarly literature on Nordic countries suggest that the establishment of data registries was closely connected with the establishment of a welfare state, and the flow of data to registries and between different registries are said to have shaped how individual citizens could be governed (Alastalo and Helen, 2021; see also Bauer, 2014;Eklöf, 2016;Schiøtz, 2003;Alver et al., 2013;Thygesen et al., 2011;Lie and Roll-Hansen, 2001).Parallel to this data intensive governance and 'data optimism' (Lie and Roll-Hansen, 2001), Norway is usually said to feature a high acceptance of centralized and interventionist public health policy (Tupasela et al., 2020).Immunisation strategies have largely been politically uncontroversial and immunisation rates have been traditionally high (Asdal and Gradmann, 2014: 182) 1 .There is an advanced legal apparatus around health registries that condition the work of health care providers, including the EU General Data Protection Regulation (GDPR), which was implemented in Norway in 2018.The National Immunization Directive (SYS-VAK-Directive) provides the foundation for this centralised structure.The Norwegian Immunisation Registry called SYSVAK was first introduced in the 1970s and is said to be the state's most comprehensive preventative measure oriented towards individual citizens (Alver et al., 2013).The aim of the SYSVAK registry was to get a comprehensive overview of vaccination coverage at national, county, and municipal levels, and importantly an overview of the impact of the Childhood Immunisation Program (CIP).As officials at the Infectious Disease Registries office pointed out in our interview: "The Child Immunisation Program has always been the most important part of SYSVAK" (Interview 11).Another important aim they emphasised was to ensure that this registry, combined with other registries, could provide a foundation for different health statistics and for research.For example, data from SYSVAK are made available for researchers, a process that is shaped by a set of procedures and legal regulations and requirements for use.
Norway has fifteen national health registries, including SYSVAK.The SYSVAK registry is linked to an electronic patient record system, a system where health providers register immunisation data (a system we will return below).The public health system around immunisation is closely integrated with the flow of data into SYSVAK.New parents, specifically mothers, are immediately enrolled in the healthcare system based on their personal identification number and their assignment to a public nurse at a local health station.Here, parents of infants receive standardised instructions related to postnatal care of child and maternal health.It is also in this space that children are enrolled in the child immunisation program, which is structured as a call-recall system until the age of fifteen.This system features a logic of equal access to vaccinations for all children regardless of their social status.While vaccination is not mandatory in Norway, to abstain from participating in the program involves active resistance from parents.Local health stations administer the call-recall system, and with the help of these datafied infrastructures, public health nurses, located at schools, help sustain immunisation as the default choice.These standardised arrangements to health care may be an important reason for why hesitancy around the vaccines in the national immunisation program is less prevalent in Norway, than in, for instance, Austria.The infrastructure for childhood immunisation suggests a strong social norm, that of participating in not only a highly datafied public health infrastructure, but the joint production of collective immunity.
In our interviews, officials at the Infectious Disease Registries (which administers the SYSVAK registry) highlighted the close link between registering data correctly and conscientiously, the value of 'good registry data' , and individual health (Interview 11).They emphasised how the SYSVAK regulations delegate a lot of responsibility to health care professionals.When performing vaccinations, health care workers in Norway are obliged to 'register and report correct vaccination information to SYSVAK' (NIPH, 2014).This obligation is established in the SYSVAK Directive (Forskrift om innsamling og behandling av helseopplysninger i Nasjonalt vaksinasjonsregister (SYSVAK-registerforskriften) mentioned above.The directive requires that the authorised health provider has access to an electronic patient record system (EPR) with 'SYSVAK integration and communication' .Most health providers have an EPR system with a SYSVAK integration, but the pandemic also made visible how many health care locations where vaccinations usually would not be conducted, such as elderly health care centres, also needed to be equipped with this system in order to participate in the national corona vaccination program."It is a well-established system, and we have health personnel that is good and conscientious.(…) So, our health personnel believe in the significance of [collecting data] as well as their duties and part in it." (Interview 11).
When the public health nurse registers the vaccine, the person and vaccine are linked to the personal identification number of the person receiving it.From SYSVAK, the aggregated data will flow 'back to' the public in different shapes -in statistics at the national, municipal, and individual level (including through digital platforms where citizens can access personal health data by using their personal identification numbers and the BankID service, as we will discuss later).While the data that flows into SYSVAK specifically is identifiable at the individual level, only a certain number of persons at the NIPH are authorised to couple immunisation data with personal identification numbers.Here, data protection regulations play a key role.In reports on vaccine coverage directed towards the public, the data will be available at the county and national level.Data at the municipality level can be accessed through the Statistical Bank of Municipality Health '(Kommunehelsas statistikkbank)' .
A characteristic feature of Norwegian immunisation governance is then that data is valued as a source for knowledge production that can provide the foundation for immunisation control and surveillance and be used for developing new research-based public health policy strategies.Another characteristic is how legal structures and a clear demarcation of expertise and responsibility make sure that data is collected and put to work in different sites and by different actors.'Good' immunisation (data) governance in the Norwegian context depends upon the ability to legally tie together a broad set of actors, sites, and technical solutions to sustain a good data flow.For instance, the role of public officials in making data flow is directly linked to individual person's immunity, by their legally assigned responsibility to ensure the reliability of the data that is made to flow into the SYSVAK registry.When the data is reported to SYSVAK, it does not simply flow into the registry.It has to be validated first and this is done by manual as well as automated procedures, which sometimes fail and disrupt flow.In this part of the flow, the role of the officials is to take out 'instances' that they are sure are wrong. 2This is what they call 'data washing (datavask)' .To do this they use a 'rule engine' .In our interview they described the rule engine in this way: You can say the rule engine washes in its own way, because it "throws out" people who apparently have not received all doses according to recommendations and programs from the statistics.But the purpose of it is actually to check if a person is completely protected against the given disease they are vaccinated against.The rule engine is easily set up.It runs through a series of rules per person per vaccine dose where it counts days between doses.(Interview 11) In our interviews, the officials highlighted how frictions in this tightly coupled system would regularly occur -for instance, from typing errors from health personnel or technical errors in the system."We spend a lot of time on technical error in vaccination reports," the public officials said.If error happens, it may, according to the officials, directly affect children's immunity: "If the wrong date is registered for example, it will affect the intervals of vaccination and the child's immunity -for example if the dose is given too early" (Interview 11).The direct link between registry data, data-based actions, and status of immunity was the subject of public debate during the COVID-19 pandemic.The NIPH launched the emergency preparedness registry named 'Beredt-C19' ('Prepared-C19') as an addition to the national immunisation program to "frequently extract and compile data from the various data sources" to provide the authorities with the "relevant, essential knowledge base to deal with the COVID-19 epidemic" (NIPH, 2020).Daily couplings were made between this registry and other registries, and correspondingly, the NIPH received daily inquiries by researchers requesting access to the registry data.This coupling of registries generated, for instance, the insight that occupational groups such as waiters and bus drivers are at a greater risk of COVID-19 infection (Magnusson et al., 2020).Furthermore, when Norwegian decision makers were discussing how they could improve vaccination rates, they could use an immunisation registry which was well linked with other registries. 3The interoperability of different registries enabled health authorities in principle to identify individuals who, for example, had not been vaccinated.
However, during the COVID-19 pandemic, the unusual situation of having to reach and immunise a large proportion of the population within a relatively short time span revealed the shortcomings of registries (even though tightly coupled) to provide a basis for mass-immunisation and prioritizations in vaccination governance.For example, the phone registries (which again are linked up to the personal identification number of each citizen) were not reliable in that several phone numbers could be registered to one person, but used by others (for instance, family members).Furthermore, when it came to defining prioritization schemes for COVID-19 vaccination in late 2021, critical voices pointed out how exclusively identifying risk groups based upon registry data foreclosed discussion of other and more efficient ways of realising herd immunity (see, for instance, Mamelund et al., 2021).
Hence, frictions in data flows regularly come to the fore despite the tight couplings between registries, sites, and expertise through which data travels, and despite the rather comprehensive legal structures that shape this practice.These frictions might be due to technical errors in the reporting or curation of data or when the registry data provides the foundation for making prioritizations in terms of vaccination, as during the pandemic.How can these flows and frictions be compared to the Austrian situation?

Austria: data flow resistance and loose couplings
Austria is organised according to a federalist structure whereby public health policy, including implementation of vaccination policy, remains mainly within the remit of its nine federal states.The national childhood immunisation program in Austria was established in 1998, a few decades after its Norwegian counterpart SYSVAK was first piloted.Like in Norway, childhood vaccination in Austria remains voluntary, and the target group for the national immunisation program consists of children up to the age of 15 years.While the two cases both share this central value of promoting collective immunity, institutional design and implementation practices differ substantially across the two countries.Vaccination rates are comparatively low in Austria, according to the World Health Organization (WHO) (2020) -one in five infants do not receive basic vaccinations by the age of two.Public health infrastructures are less visible than in the Norwegian case as childhood vaccinations are typically administered in GP offices, rather than public vaccination centres, and childhood vaccination practices strongly rely on the initiatives of medical professionals, parents, and caregivers.New parents and their children are not automatically assigned to a public health institution but need to take initiative in finding a paediatrician to arrange for childhood immunisations.
In the same way as implementation of the national immunization program is shaped by the federalist setup, each federal state is responsible for gathering and reporting data about childhood vaccination to the Ministry of Health and has established particular practices and infrastructures for doing so.While epidemiologists, who assign great scientific value to immunisation data, have long called for a more centralized approach, Austria continued to lack one until the emergence of a rapidly designed registry for COVID-19 vaccines, as discussed further below.In fact, and in contrast to Norwegian practices, Austria has a history of resisting the centralization of data infrastructures and collection of public health data, stemming from conflicts over 'data ownership' between federal states, the Ministry of Health, general practitioners, and epidemiologists that view data as a public good. 4Pointing to this controversy over data ownership, an epidemiologist argues: "this data does not belong to the Ministry of Health […] we collect and record this data as part of the national surveillance system and from the point of view on data protection it belongs to no one" (Interview 7).These concerns over data ownership and access to vaccination data in combination with the argument by the Austrian Medical Association that public health data collection might not be reconcilable with data protection effectively prevented the centralization of data infrastructures for years (Paul et al, 2021). 5Notably, our interview partners referred to data protection as a central political value more generally, rather than specific regulations that may apply, such as the EU General Data Protection Regulation (GDPR) or the Austrian E-Health Regulation (Gesundheitstelematikgesetz).
As our interviews reveal, a diverse range of methods of collecting data on childhood immunisation are used across the country, shaping how data flows are organised and, by extension, what kind of knowledge can be produced about the immunity of the Austrian population.In contrast to Norway, the practice of immunising an individual is only loosely linked to the immunisation data used by the state. 6This has several reasons: For one, instead of legally defined responsibilities to report data as in the Norwegian case, GPs and paediatricians in Austria are only paid for administering vaccines once their data is delivered on a quarterly basis, thus creating a financial incentive for data reporting.Private doctors, however, where patients pay out of pocket, typically have little incentive to submit data, as payments for data delivery are considered comparatively low.This leaves a substantial number of childhood (and other) vaccinations provided unaccounted for.Furthermore, immunisation data travels through many different sites.Once it is collected by doctors in private practices, it moves to local health offices, then onwards to the regional health directorate, who then report aggregate data to the Ministry of Health on a quarterly basis.Moreover, a variety of data collection practices exist in Austria: While in some states, paper vouchers are distributed to parents of infants and then collected at the point of care to document vaccination, other states rely on doctors to document vaccination themselves and to report these to local public health authorities.In addition, some states collect individual level data on vaccination, whereas others do not.Finally, as a public health official points out, such data work is onerous and risks distracting from what they understand to be their main responsibility: "our aim is to ensure that children are vaccinated, and we therefore sometimes forgo data collection" (Interview 8).
These different data registries (and some of our interview partners questioned whether the term registry is even applicable for some of the regional databases) are not used for research, nor can individual immunisation records be linked to population registries.Instead, these registries primarily serve to organize the reimbursement of primary care physicians and calculate an estimated vaccination coverage rate for a specific cohort.Respondents also critically comment on the way some data is merely stored, but not used: school-based data (such as on vaccination, but also screenings) is thought to "end up in some drawer" (Interview 1) and is not put to use for research purposes.A senior public health official, for instance, tells us she would like to measure the impact of regional information campaigns (Interview 3) to get a better understanding of the impact of their own work.An electronic vaccination pass, she suggests, would also help her get better resources, "for it would provide numbers which have more effect [to substantiate a claim for money for a new program]" (Interview 3).
In whichever way this data is collected at the decentralized level of federal states, individual level data, including all local knowledge this implies, is disembedded from the data files once this data is delivered to the Ministry of Health, which is done on a quarterly basis.This anonymised, aggregated dataset typically includes only vaccines per recent birth cohort rather than the complete dataset, thus, as statisticians and epidemiologists argue, adding to imprecision (Interview 9,10).Due to the highly localised and different ways of counting, national vaccination rates can only be estimated.The fact that data is not effectively used for centralised steering or research does not mean that data is not valued as such, but that digitalisation in vaccination governance -and other policy areas, for that matter -presents something like a Pandora's box to decision makers.Better data and more knowledge from secondary research risks revealing that tackling under-vaccination may require more complex, and more politically and financially costly interventions, such as addressing socio-economic inequalities or rethinking the voluntary and loosely organised nature of the national immunisation programme.In contrast to our Norwegian case, where independent research on public health and evaluations of its governance is enabled by access to registries, these questions remain unaddressed in Austria, for the very nature of infrastructures shapes what kind of evaluative questions can be asked to begin with.
Given that public health infrastructures in Austria are less centralized than in the Norwegian case, and that vaccinations are typically administered in paediatric or GP offices rather than at public vaccination centres, childhood vaccination strongly relies on the initiatives of medical professionals and parents (similar to adult vaccinations in Norway).In addition, the fact that childhood vaccines are mostly administered in doctors' private practices foregrounds individual decision-making rather than the communal value of vaccination.This loose link between individual immunisation and collective immunity is also reflected in the ways in which data loosely travels from the site of vaccine provision to administrative bodies and state authorities.There are thus many obstructions to data flow built into the Austrian immunisation data practices.They range from questions concerning the distributed authority to gather data, distributed ownership of data, material properties of the data (where the variety of data forms, ranging from paper-based records to excel spreadsheets or local digital systems, make it more difficult for data to travel), and historically established resistances to centralized data collection.This fragmentation stands in contrast to the value assigned to centralized health data in the case of the Norwegian data imaginary.

Norway: good vaccination governance as (digitized) user-participation
Making immunisation data available to the broader public is a key part of the SYSVAK's activities.On the SYSVAK websites of the NIPH, there are statistics on corona vaccination, child immunisation program, HPV vaccinations and the overall SYSVAK registry.The statistics are accompanied by explanatory text, and hyperlinks are used to link up to related, but specialised topics.A video is uploaded on the frontpage with the title: "How to register data in SYSVAK", clearly targeting health personnel.There is also information about the vaccination service and how it is linked up to the registry data, an overview of data protection, and rights related to accessing and deleting data.Individual citizens are more directly linked up to the data flow by other digital platforms and numerical tools.Recently, individuals have been attributed increased responsibility for personal immunisation data by the development of different digital solutions for making this data flow from the point of immunisation, through the registries, and back to the citizens.Since 2011, individual level data has flowed back to the individual citizen mainly through the digital service Helsenorge.no.At its launch, the reasoning given to the public was that disseminating immunisation information to citizens would provide "better care and better health services" (Strøm-Erichsen, 2011 cited in Bjerkestrand, 2016; see also NRK 2011, 15 June).The service was framed according to the principle of "user participation" (Norwegian: brukermedvirkning) 7 , which meant that 'users' -or citizenshave control of the personal immunisation data that the state collects but also are envisioned to be able to better take care of themselves in terms of health.The Minister of Health and Social Affairs stated in their press release: "The health services must -to a greater extent than today -be able to involve users and patients.I mean that the patient must be enabled to be an active participant in questions regarding their own health.That means amongst other things that we need to focus strongly on digital services" (Strøm-Erichsen, 2011 cited in Bjerkestrand, 2016;see also NRK 2011, 15 June).
In the beginning, the web portal was packed with health information relating to different issues and problems, enacting the 'traditional' top-down mode of public health communication, but in a new outfit, so to speak (see Bjørkdahl and Druglitrø, 2019).Access to information about immunisation status and vaccines was added the same year as the launch under the heading 'My vaccines' , making it possible also to download up-to-date vaccine passports.Since then, various adjustments have been made.For instance, 'My Vaccines' now also offers detailed information about past vaccinations, as well as a log showing by whom and when individual immunisation data has been accessed, and for what purposes.
This arrangement enacts the citizen as a co-owner of data and grants them a right to transparency in data flows.In 2021, Helsenorge.no was launched as a mobile app, providing personal health data directly to mobile phones.While the portal was from the outset promoted as adaptable and dynamic where new features could be added when needed, critics asked if this was only another addition to the state's 'collection of digital links' (Bjerkestrand, 2016) -not only pointing to the obsession of technical fixes to problems of public administration, but also a comment on the top-down and non-user-friendly mode of communicating health information.While the issue of data protection has accompanied different technical solutions in Norway, our study indicates that other problems and issues have also increasingly featured in public debates.
In the Norwegian case we see how data flows connect different locations and actors.This heterogeneity is enabled and sustained by the broad distribution of responsibility attached to the curators of data or the bearers of data: technical systems, health care providers, and citizens.There are no, at least in principle, passive producers or recipients of data.Public health infrastructures, and to a great extent public health policies, target the individual and facilitate the active participation of citizens in reaching the immunisation goals of the state.This also includes the broader 'publics': technologists and informaticians, public health officers, interest organisations, and others.
At the same time, while data seems to flow quite smoothly across many sites, we have also begun to identify frictions in terms of what is experienced as good and bad modes of governing vaccination.

Austria: from local to centralised data flows and emerging 'users'
The Austrian data practices do not only differ from Norwegian ones in the extent of datafication and how this data is made to travel through different sites to the state, but also by whom this data can be used and for what purposes.Through the specific ways in which only some data is made to flow (individual level data is removed from the aggregated data file that is sent to the Ministry of Health), these data practices enact citizenship differently than in our Norwegian case: in Austria, the citizen is a resource for data, but data does not flow back to the citizen.While citizens have an active role in vaccination governance and are, together with health care providers, responsible for monitoring their immunisation status or that of their children without the interference of an active state (distinct from the Norwegian system, there is no call-recall system in place) 8 , they are not involved in data management, curation, or use.More specifically, they are rendered absent as individuals as soon as data moves from regional public health offices to the Ministry of Health.As mentioned above, the data that is used at the national level constructs a collective based on aggregated data where all references to individuals have been removed.This absent individual must be understood against the backdrop of a strong concern in Austria for individual data protection and privacy through which all efforts to health data collection have been framed and, in many cases, have been successfully opposed.
Furthermore, beyond the specific COVID-19 registry, these locally specific vaccine registries cannot be linked to individual level data, such as in population registries, thus hindering more specific assessments of the vaccination system, of specific regions with a low vaccine uptake, or of subgroups that may be hard to reach or are otherwise vulnerable.Data frictions and the lack of interoperability with other registry systems, such as the population registry, influence who is or can be targeted and governed through immu-nisation data collection, curation, and use, in what ways, and whose immunity can become knowable and manageable.
The limited availability of immunisation data for governance changed substantially with the development of COVID-19 vaccines.The pandemic provided a window of opportunity for accelerating a long-standing techno-political project, the introduction of electronic vaccination cards and, underlying these, a central registry.New legislation on digital health was rapidly passed in October 2020, establishing a legal and at once moral mandate for individual-level data collection for the sake of public health (Gesundheitstelematikgesetz, 2020).The pandemic offered an opportunity to introduce the electronic vaccination card rapidly without extensive societal debate, and specifically without providing the legal possibility of opting out of data collection.This is particularly interesting given the historical resistance to digitalisation, specifically from medical associations, data protection activists, and local authorities that had invested in their own local data infrastructures -often citing economic costs as being in the way of centralisation.While the electronic vaccination card was initially planned for the national childhood immunisation program, its implementation was strongly shaped by the pandemic and currently includes only data on COVID-19 vaccines -not solving the data frictions teased out and discussed above.In the long term, the digital record is meant to achieve a variety of goals: to gradually replace paper-based vaccination records, to integrate federal data registries into a centralized vaccine registry, to increase administrative efficacy, and to enable better governance of communicable diseases, including the ability to assess and manage collective immunity.In addition, and crucially so, the electronic vaccination card is to allow citizens to access and download their own immunisation record.The download option also includes access to a personalised digital EU COVID-19 Certificate, or Green Pass.The electronic vaccination card functions as a technology that provides citizens with a different role in the practices of governing vaccination and immunological relations.It enables new data flows between different sites and actors (e.g., GP practices, public health centres, Ministry of Health, citizens), and these data flows have been further facilitated by a change in legislation which mandates health care providers to deliver data on COVID-19 vaccination data electronically -much like in the Norwegian case.
This additional data infrastructure produces a particular relation between citizens and the state: at least for the purpose of pandemic management, the state now obtains precise data on which segments of the population have (not) been vaccinated.In addition, it ties together vaccination and the use of data to participation in society: the vaccination became an entry requirement for many places such as restaurants, gyms, or hair stylists.The way in which data is made to flow makes citizens not only into objects of data (data is collected about them) but also into subjects, as active users of data (Ruppert et al., 2017).Other envisioned functions of the electronic vaccination card were, however, side-lined, such as the implementation of a call-recall system, which was initially planned but has not been carried out so far.Nor were data flows between different registries enabled that would have allowed an effective targeting of the unvaccinated population.The Austrian case thus demonstrates that datafication and digitalization might indeed bring about new forms of citizenship and participation in public health, but that these depend upon data flows to be realised.

Conclusion
In this paper, we examined a seemingly mundane infrastructure of datafication and governance: immunisation registries.Despite their key role in immunisation governance, these registries have received little attention outside of epidemiology.Driven by an interest in datafication efforts -both successful and less successful projects -we compared Norwegian and Austrian registries, respectively.Using qualitative methods, we examined data flows that form part of vaccine registries and how these reflect but also produce particular styles of governance.We label these 'data intensive' governance in the Norwegian case and 'data hesitant' for our Austrian case.Importantly, our study goes beyond the technicalities that make data flow (which, as it turned out, are never just technicalities), but allows us to sketch the ways in which data flows tie together -or disconnect -different actors involved in vaccination governance, including the state, health care providers, and citizens.Summing up, we find a fundamental two-way relation between vaccine registries and the governance of collective and individual immunity: First, it is only when data begins to flow that immunization comes to count for public health.Second, and simultaneously, the very flow of data -or the lack thereof -is contingent upon and embedded in the sociotechnical conditions of governance, including relations of trust and responsibility among central actor groups including the state, health providers, and citizens.
In the Norwegian case, data flows from individual bodies to registries and back again to different users.Key to these data flows are the clear allocation of responsibilities and the link between data and vaccination, as well as tight couplings between different data sites.This flow of data and the ways in which immunisation data is made available to users forms part of the state's efforts towards collective immunity.The registry system in Norway is sustained by a collective of curators and users, technologies, legal instruments, and expertise.The individual responsibility for immunisation is a central part of making data flow in a 'good' way in the Norwegian context.
In the Austrian case, the allocation of responsibility and link between data and immunization are less standardised and more fragmented across different federal states.It becomes apparent here that such a fragmented organisation of data collection produces obstructions in the data flow and makes data less reliable as a source for research or policymaking.Moreover, the noncentralised and non-digitised organisation of data assigns even more responsibility to the individual to manage their own immunisation status (e.g., in the case of loss of paper-based records), and data practices are only loosely related to vaccination governance.At the same time, this renders the individual citizen invisible in data governance.The loosely organised character of the national immunisation program has not changed with the recent introduction of the electronic vaccination card that remains limited in its use.Now, as before, the flow of data is obstructed in different ways.This obstruction manifests itself, for instance, in the failure to include essential features such as call-recall functions for basic immunizations and booster vaccination.These frictions are reminders of Star and Ruhleder's (1996) argument that data infrastructures are never finished in that tools and features are added, tinkered with, abandoned, or contested.
Investigating vaccination governance in terms of its underlying data infrastructures provides insights into the role of registries in governance more generally.Such an approach should not privilege flows over non-flows but should treat these symmetrically and as regular features of governance.Non-flows, as much as data flows, produce and reflect politically and culturally specific relations between citizens, healthcare providers and the state.A better understanding of the sociotechnical distribution of rights, agency, and responsibilities regarding both data flows and immunization itself is particularly pertinent given the many political implications that vaccination registries have.
A comparative approach to data flows highlights the contingencies of data practices and helps reveal how the socio-materiality of data is deeply cultural and political.To us, a comparative approach is valuable and productive in the same way that is often deemed to be a burden: the very act of comparing raises more questions about the empirical object (Deville et al., 2016) that call for further comparative investigations as well as for more in-depth individual case studies.The current pandemic demonstrates the necessity of a (historically) situated way of looking at, first, what has come to count in immunisation and how data infrastructures enable immunisation practices, but also how such infrastructures of datafication are resisted and where resistance is located.As this paper shows, immunisation, as a historically established, but newly politicised policy area, can function as a platform from which to mobilise key questions for the future of the datafied welfare state (Dencik and Kaun, 2020), particularly as to how data practices establish concepts of responsible citizenship and new socio-political categories, such as who is immune enough and thus deserving of rights and privileges.