The initial situation: Special situations require pragmatic solutions
The Corona pandemic is a challenge. The government's goal is to contain the incidence of infection and return to normal coexistence. One component of pandemic management is 3G evidence (from the German “genesen, getestet oder geimpft”, which means “recovered, tested or vaccinated”). While vaccination and test certificates had already been digitized, recovered persons had to get a certificate from their doctor or pharmacy. The City of Cologne took the pioneering role here and chose a fast and pragmatic way to close this gap. The mission was to develop the first digital recovery certificate in Germany.
Due to the initial situation, the authority decided to work with start-ups. Increased digitization enables faster and more efficient work in pandemic management. Nevertheless, the focus must always be on meeting the highest standards for official applications. The City of Cologne commissioned SIDESTREAM to develop the application because, on the one hand, we are an agile start-up and, on the other hand, we stand for high quality. Especially when it comes to health data, quality is even more important than speed.
The requirements: Data security is the priority
Despite the acute situation and the search for a quick and pragmatic solution, no compromises could be made in terms of security. Sensitive health data must be protected in digital environments. Data security is a central aspect of OZG implementations. At the same time, it is important to the City of Cologne to make the application user-friendly and unbureaucratic.
In addition to these aspects, there were the following requirements for the application:
- For Cologne residents who are less digitally savvy, there should be the option to print out the certificate.
- From a user perspective, the application had to be compatible with existing digital measures to combat the pandemic, such as the Corona-Warn-App and the CovPass app.
- The backend of the application should also be compatible with existing structures such as digital contact tracking (DiKoMa).
- The evidentiary value and security against forgery should correspond to the standards of the digital vaccination certificate and should also be valid throughout Europe with the so-called DCC conformity.
There are also some technical requirements for a digital recovery certificate. The application must be both data-efficient and secure. In addition, it should run on the local infrastructure of the City of Cologne. During development, it is important to take many stakeholders into account (project management at the City of Cologne, health department, press office, IT administrators, BMG and their consultants, Ubirch and Railslove) while remaining agile. SIDESTREAM was selected as a suitable partner to implement these demanding requirements at a high quality level.
The solution: Close collaboration and pragmatic implementation
The GovTech application was therefore developed in close coordination with the City of Cologne. In this way, we developed an innovative, high-quality application for digitizing recovery certificates with the highest data security standards.
At the same time, the software is built on an unbureaucratic basis. Since May, the municipal health department had been sending out letters confirming the recovered status of Covid-19 patients. In addition to the confirmation, the letter contains an individual recovery ID for the recipient. This ID serves as an individual security feature. Easy handling and user-friendliness are crucial for high acceptance of the application. Like the other certificates, the certificate is generated as a QR code. It can be scanned directly from the screen with the phone camera into the Corona-Warn-App or the CovPass app. Alternatively, there is also the option to download or print it. The application thus meets the requirements of the Digitization Act (Digitalisierungsgesetz) while also allowing analog use of the certificate. The certificate is created at the push of a button, with only a few additional personal details required. In total, besides the ID, the application processes only the last name and the date of birth, with the date serving as an additional security feature. The certificate is therefore both data-efficient and secure.
Technology Deep Dive: The recovered certificate combines data economy and security
Like the approach of the city of Cologne, the application is also designed pragmatically. The core of the certificate is implemented through various components:
- Frontend: guides the end user through the recovery certificate creation
- Backend: processes entered user data and generates recovery certificates based on it
- Reverse proxy: distribution of requests to the backend and frontend
- Database: Preventing multiple generations in the official digital certificate interface
The application was built entirely on the infrastructure of the City of Cologne. It was structured in such a way that as little user-related data as possible needs to be stored. The recovery certificate application itself does not store your last name or date of birth. Instead, it queries the City of Cologne's DiKoMa API with every request to verify the data combination entered. Recording each successful certificate creation ensures that the certificate is not issued multiple times.
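The issuance flow described above can be sketched as follows. This is an added example, not SIDESTREAM's or the City of Cologne's code: the upstream check is a hypothetical stub (the real DiKoMa API is not shown on this page), and the keyed-hash marker, key, table name and sample record are assumptions constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

# Assumption: server-side key, so stored markers cannot be reversed by guessing IDs.
MARKER_KEY = b"constructed-demo-key"
# Constructed record standing in for the upstream verification service's data.
SAMPLE_RECORDS = {("GEN-0001", "MUSTERMANN", "1980-01-31")}

def fake_upstream(recovery_id, last_name, birth_date):
    """Hypothetical stand-in for the upstream check of the entered combination."""
    return (recovery_id, last_name.upper(), birth_date) in SAMPLE_RECORDS

def issuance_marker(recovery_id):
    """Keyed hash of the recovery ID: the only value this service persists."""
    normalized = recovery_id.strip().upper().encode()
    return hmac.new(MARKER_KEY, normalized, hashlib.sha256).hexdigest()

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE issued (marker TEXT PRIMARY KEY)")
    return db

def issue_certificate(db, verify, make_certificate, recovery_id, last_name, birth_date):
    # Name and birth date are only passed through to the verifier, never stored.
    if not verify(recovery_id, last_name, birth_date):
        return ("rejected", None)
    try:
        # One transaction: the PRIMARY KEY blocks a second issuance, and a
        # failure while generating rolls the marker back so the user can retry.
        with db:
            db.execute("INSERT INTO issued (marker) VALUES (?)",
                       (issuance_marker(recovery_id),))
            certificate = make_certificate()
    except sqlite3.IntegrityError:
        return ("already_issued", None)
    return ("issued", certificate)

if __name__ == "__main__":
    store = open_store()
    args = ("GEN-0001", "Mustermann", "1980-01-31")
    print(issue_certificate(store, fake_upstream, lambda: "<QR payload>", *args))
    print(issue_certificate(store, fake_upstream, lambda: "<QR payload>", *args))
```

The database ends up holding one opaque marker per issued certificate, so a dump of it reveals neither names, birth dates nor recovery IDs.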
Conclusion
The “OZG” (Online Access Act) aims to make processes more efficient and accessible. For start-ups, it is also a driving force to introduce innovative ideas into administrative processes. The recovery certificate shows that new applications can be implemented at a high level in cooperation with public authorities in an agile and secure manner. The certificate meets the security standards for government software implementations while having an intuitive user experience. At the same time, it is data-efficient and runs stably on the local infrastructure of the City of Cologne. Especially in crisis situations, stable applications are crucial.