Recovery Certificate: Behind the Scenes of a GovTech Application
How can governmental measures be implemented even in acute situations in accordance with the “Onlinezugangsgesetz” (Online Access Act - OZG)? A pragmatic approach and agile custom GovTech application development are the key.
In this case study, we take a look at the implementation of an “OZG” application for digital pandemic response that we developed in collaboration with the City of Cologne.
The initial situation: Special situations require pragmatic solutions
The Corona pandemic is a challenge. The government's goal is to contain the incidence of infection and return to normal coexistence. One component of pandemic management is 3G evidence (from the German “genesen, getestet oder geimpft”, which means “recovered, tested or vaccinated”). While vaccination and test certificates had already been digitized, recovered persons had to get a certificate from their doctor or pharmacy. The City of Cologne took the pioneering role here and chose a fast and pragmatic way to close this gap. The mission was to develop the first digital recovery certificate in Germany.
Given this initial situation, the authority decided to work with start-ups. Increased digitization enables faster and more efficient work in pandemic management. Nevertheless, the result must always meet the highest standards for official applications. The City of Cologne commissioned SIDESTREAM to develop the application because, on the one hand, we are an agile start-up and, on the other hand, we stand for high quality. Especially when it comes to health data, quality is even more important than speed.
The requirements: Data security is the priority
Despite the acute situation and the search for a quick and pragmatic solution, no compromises could be made in terms of security. Sensitive health data must be protected in digital environments. Data security is a central aspect with regard to “OZG” implementations. At the same time, it is important to the City of Cologne to make the application user-friendly and unbureaucratic.
In addition to these aspects, there were the following requirements for the application:
- For Cologne residents with less digital affinity, there should be the possibility to print out the certificate.
- From a user perspective, the application needed to be compatible with existing digital pandemic response measures such as the Corona warning app and the CovPass app.
- Also in the backend, the application should be compatible with existing structures such as the digital contact tracking (“DiKoMa”).
- The evidential value and forgery protection should correspond to the standards of the digital vaccination certificate, and the certificate should also be valid throughout Europe through so-called DCC conformity.
There are also some technical requirements for a digital recovery certificate. The application must be both data-saving and secure. Furthermore, it should run on the local infrastructure of the City of Cologne. During development, it is important to consider many stakeholders (project management of the City of Cologne, health department, press office, IT administrators, BMG and their consultants, Ubirch and Railslove) while remaining agile. SIDESTREAM was chosen as a suitable partner to implement these demanding requirements at a high level of quality.
The solution: Close cooperation and pragmatic implementation
The development of the GovTech application was therefore done in close coordination with the City of Cologne. In this way, we developed an innovative, high-quality application for the digitization of recovery certificates with the highest data security standards.
At the same time, the software is built on a non-bureaucratic basis. The city’s health department had been sending letters confirming the recovery status of Covid-19 patients since May. In addition to the confirmation, the letter contains an individual recovery ID of the recipients. This ID serves as an individual security feature. The simple handling and user-friendliness are crucial for a high acceptance of the application. The certificate is generated as a QR code, just like the other proofs. This can be scanned from the screen directly with the mobile phone camera into the Corona warning app or CovPass app. Alternatively, there is also the option to download or print it. In this way, the application fulfils the requirements of the digitalisation law, but also enables analogue use of the certificate. The certificate is created at the push of a button, with only a few additional personal details to be entered. Overall, the application processes only the last name and date of birth in addition to the ID, with the date serving as an additional security feature. The certificate is thus both data-saving and secure.
Technology Deep Dive: The recovery certificate combines data economy and security
Like the approach of the City of Cologne, the application is designed in a pragmatic way. The core of the certificate is implemented through various components:
- Frontend: guides the end-user through the recovery certificate creation process
- Backend: processes entered user data and generates recovery certificates based on it
- Reverse Proxy: Distribution of requests to the backend and frontend
- Database: Preventing multiple generations in the official digital certificate interface
The application was built entirely on the infrastructure of the City of Cologne. It was structured in such a way that as little user-related data as possible needs to be stored. The recovery certificate application itself stores neither last name nor date of birth. Instead, it queries the “DiKoMa” API of the City of Cologne for each request in order to verify the data combination entered. Each successful certificate creation is recorded in the database, which ensures that the certificate is not issued multiple times.
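The data-saving issuance flow described above, sketched as an added example (not SIDESTREAM's or the City of Cologne's code). The keyed-hash marker, the table layout and all names are assumptions, and a constructed in-memory lookup stands in for the “DiKoMa” API, whose real interface the page does not describe.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data standing in for the upstream registry (hypothetical).
SAMPLE_REGISTRY = {"REC-0001": ("mustermann", "1980-01-31")}
SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the backend


def verify_upstream(recovery_id, last_name, birth_date):
    """Stand-in for the per-request registry check; returns only True or False."""
    record = SAMPLE_REGISTRY.get(recovery_id)
    candidate = (last_name.strip().lower(), birth_date)
    # One boolean for every failure: the caller cannot learn which field was wrong.
    return record is not None and hmac.compare_digest(
        "|".join(record).encode(), "|".join(candidate).encode())


def open_store():
    db = sqlite3.connect(":memory:")
    # Only a keyed hash of the ID is kept: no last name, no date of birth.
    db.execute("CREATE TABLE issued (id_mac TEXT PRIMARY KEY)")
    return db


def issue(db, recovery_id, last_name, birth_date, generate=lambda: "QR-PLACEHOLDER"):
    """Return (status, certificate); `generate` is a hypothetical QR/certificate builder."""
    if not verify_upstream(recovery_id, last_name, birth_date):
        return ("rejected", None)
    id_mac = hmac.new(SERVER_KEY, recovery_id.encode(), hashlib.sha256).hexdigest()
    try:
        with db:  # one transaction: commit on success, roll back on any exception
            # The primary key makes "check and record" a single atomic step.
            db.execute("INSERT INTO issued (id_mac) VALUES (?)", (id_mac,))
            certificate = generate()  # a failure here rolls the marker back
    except sqlite3.IntegrityError:
        return ("already_issued", None)
    return ("issued", certificate)
```

Because the marker is written in the same transaction as certificate generation, a failed generation does not lock the person out of a later attempt.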
The “OZG” (Online Access Act) aims to make processes more efficient and accessible. For start-ups, it is also a driving force to introduce innovative ideas into administrative processes. The recovery certificate shows that new applications can be implemented at a high level in cooperation with public authorities in an agile and secure manner. The certificate meets the security standards for government software implementations while having an intuitive user experience. At the same time, it is data-saving and runs stably on the local infrastructure of the City of Cologne. Especially in crisis situations, stable applications are crucial.