[Discussion] 10C/OEGD Why is the checkbox necessary for the patient to receive her test-result in the CWA? #475
Comments
@dsarkar why is this a discussion item? If there’s no answer then it’s a bug, and a serious one at that. |
Hey @alanrick , I've checked for more information on why the checkbox text is phrased like it is and why it is necessary, but the design of the test form is not something we (the CWA team) control. We can see if we get a more detailed explanation for the docs from the RKI. The reason the checkbox exists is most likely a privacy-related legal requirement. However, I think there is a basic misunderstanding in your first paragraph
If you are referring to the figure "Anzahl potenziell teilbarer Testergebnisse", then this is wrong. The 54% number is referring to the overall results shared by users after receiving a result returned to the app (i.e. 54% shared their personal random IDs). For the other 46%, the result was also returned to the app, but they did not decide to share it. If the checkbox is not ticked, the result is not uploaded to the test result server and would therefore not be included in this figure because the 54% is already the percentage of the total number of results reported to the app. Corona-Warn-App Open Source Team |
@heinezen interesting. I was always wondering how to read this number. |
Many thanks @heinezen for following up on this. Genuinely appreciated.
I was indeed. So I was wrong. Then in terms of the diagram you're saying that: 54% = count of messages requesting TAN (message I.e. the 46% (100-54) efficiency loss is through users who were alerted of the positive result in their app (after having scanned in the qr-code) but decided not to share the results or not noticing the positive result on their app. This is what is specifically being addressed by the new reminder function in release 1.7.1 and tomorrow we can expect to see an improvement over the 56% success reported when it was released three weeks ago. What puzzles me is that if this is true, then according to Michael Boehm's dashboard and my back-of-the-envelope calculations there is no other loss of efficiency in the app process. I.e. all labs are now connected and all tests support the CWA qr-code, and the checkbox is always ticked correctly (despite comments elsewhere in this forum that some doctors never tick it). I'll recheck my calculations as I find this unlikely but I'll publish them here if anyone is interested. (54% success 2 weeks ago. 56% 3 weeks ago) |
@ndegendogo the RKI description makes it clear that it includes the teletans so I adjusted my answer above accordingly. Nevertheless I find this very difficult to believe because
@heinezen If, despite my doubts, the RKI is measuring exactly what you stated, would it be possible to ask the RKI for a measurement of the percent of results not returned to the app directly because of unticked checkboxes? Apparently 90% of labs are connected to the CWA servers so this ratio could be calibrated. |
This is the confusing part. QR process:
So, 100% for QR process is number of downloaded positive test results / 54% is number of keys shared via QR code? And then there are those who call the hotline and get a TeleTAN. No relationship to any test results on the server.
What is 100% here? 100% is number of all requested TeleTANs / 54% is number of used TeleTANs? |
@alanrick how can the RKI have knowledge of this number? |
The RKI publishes statistics every Friday so I assume they have access to the server metrics. I've tried to explain how this number can be calculated from the message-flow monitoring. |
I think what confuses me is: the number of users uploading their keys ("54%") is only loosely related to the number of downloaded positive test results ("100%"). With fewer QR codes and more TeleTANs used you could get above 100%.
That's a valid assumption. After all, they are the 'owner' of the app. |
Let me quickly summarize, if I understand everything correctly, this question has to be answered, or?: |
Part a) was "Is there a legitimate reason for the checkbox?" |
@ndegendogo I don't exactly understand what you mean here, but you cannot get above 100% with TeleTANs. The 100% is not the number of downloaded results, it is the number of positive results verified through the app (via QR code or TeleTAN as stated in the document). TeleTANs are verified individually by the verification server. Should have made this more clear when I said "reported" results.
@alanrick I think we can fetch these numbers, but it would help if you stated what you want to find out with these numbers before I make the request-
Just to clarify: This percentage is skewed because it considers all
I have checked the documentation and the answer is in the data privacy notice (Link) in Question 3. Corona-Warn-App Open Source Team |
@heinezen ... I think I start to understand now ... In both process variants (QR code and TeleTAN), the user gets a registration token, and the number of all such registration tokens corresponds to 100% of shareable key sets. In the TeleTAN process, the user has already decided to share their keys. So the fraction of missing uploads in this variant is hopefully very small, and we may attribute them all to technical problems or bad user interface of the app / or the process. In the QR process, the fraction of missing uploads can have several reasons:
A strategy to improve the fraction of users sharing their keys should address the specific reasons to be as effective as possible. Are there any statistics available (or would it be possible to generate such statistics) separately for each of the two procedures? |
Oh - statistics of "current" / recent numbers could give much better insights ... are such statistics available? |
Background: I want to know how much the efficiency of the CWA would increase if labs ignore this checkbox. We know that:
I believe the answer is in section 12.b of this privacy notice. This makes it very clear that there is no need for an additional checkbox. In fact the checkbox is not mentioned anywhere in the whole privacy notice. So my most pressing question is
Yes, I'd realized that. And like @ndegendogo I was surprised that the RKI hadn't introduced a weekly chart so that the impact of the 1.7.1 release was not skewed. Nevertheless, I'd anticipated that in order for the RKI to suggest this new function the improvement would need to go up by at least 20% to make it worthwhile, and this should have shown up as a blip in the skewed results already. Particularly with the new UK variant, the speed of returning the result to the patient is extremely important when fighting the spread of the disease. There are nearly a dozen EU Apps available, but the German CWA App is the only EU app capable of returning the test result instantly to the user. This superfluous checkbox undermines the potential success of this feature. |
You and @heinezen are mixing up the CWA data protection and regulations for the labs and doctors.
To sum it up. The field 9 of the 0C/OEGD forms has nothing to do with the CWA itself and is thus completely out of scope for SAP/Telekom and even the RKI. Even if it looks different at first glance. This is also the reason @alanrick was not able to find anything about the 0C/OEGD forms in the CWA DPS and the mentioning of a DPS at the field 9. The only way to get rid of field 9 is probably a law which regulates the CWA. But the government decided against this way. Little disclaimer at the end, I have simplified some things here and it is late. Hope this brings some clarity regarding this issue. |
First off, many thanks for answering in so much detail and I won't dispute what you've described. I also understand that it is too complex for me to begin to understand in detail. Documenting my own reaction...
a) It does seem counterintuitive that this consent is not given by the patient. But I guess as you've explained in your answer the whole thing is too complex for the patient to grasp anyway. b) It is also counterintuitive to me that consent is needed for providing data anonymously, but I've heard of scandals where anonymous data was fed into medical systems so there must be a good reason here. c) Ideally, the test-lab could query the CWA server for the patient's approval, before submitting the result (my naïve assumption that the patient's approval outweighs the health worker's) but I guess this is not possible due to the hashing of the qr-code (ironic - CWA privacy works almost too well). d) It is counterintuitive to me that a legal framework exists that cannot be enforced or even verified as being followed. e) I wondered how the labs can report the results to the health authorities but I guess that is covered by a separate legal framework (pandemic laws) and even though they may have the right to feed the test-result with qr-code back into the server to make its way to the app, that would involve all sorts of technology and process changes - but perhaps something to consider for the SORMAS system in future. Hey, ho! It's a complex world we live in. My hopes that data-privacy concerns could be clearly formulated so the citizen can understand that they are in their best interests have been dashed. Many thanks @codejus for answering the question. And @heinezen many thanks for offering to ask about the statistics. If you get a chance, that would be great. |
As I said, the answer is in Section 3 of the privacy notice. The CWA and all connected systems process health data under Art.9(2)(a) GDPR which requires explicit consent from the user/patient. A test result is such data, therefore we need consent to upload and store it on the test result server. The privacy notice emphasizes the required consent in section 6b)
It is not specified how exactly you give consent, but we have to ask for explicit consent for this specific purpose as required by the GDPR.
I don't think there is a way to get numbers for this because there is no way to differentiate between a checkbox that is unticked because a patient has not given consent and a checkbox that was unticked because the staff made an error. The RKI can only investigate extreme irregular reporting behaviour.
What you write here contains a lot of speculation, so I will clarify:
|
As @heinezen has already mentioned a pre checked form would be a data protection violation, because the processing of the data then happens without any allowance. Regarding the information part, every patient must be handed out the "Datenschutzerklärung", which is mentioned on the 0C/OEGD form. This DSE should normally be a different one than the CWA one and explains the sending of the test result into the CWA infrastructure. A valid DSE explains all the patient gives his consent to in a clear manner, etc. Ah a little sidenote, every time the lab hands someone a pre checked form and the test result gets transferred into CWA infrastructure they are required by law to report this data breach within 72h to the data protection authority. :D
If the test result would be anonymous, which is not the case because the Lab always knows which ID your QR code has, no consent would be needed, as the GDPR and connected laws would then not be applicable, because no personal data is present. Most things normal people refer to as anonymous data are just pseudonymous data, because there is very often a way to establish a connection to a person, etc.
The lab is required to report COVID-19 infections according to § 6 I 1 t) IfSG (The data protection legal allowance will be Art. 6 I c) GDPR in connection with § 6 I 1 t) IfSG) to the responsible health authority and happens independently from the CWA infrastructure via FAX or DEMIS (if the lab and the health authority are connected to it). You see it is the same problem as with CWA. A little addition to my post from this night:
So, it is not working without field 9. Probably there is another way to work around that by app design etc. But the construction of such a solution will be not that easy and time consuming. Many legal and technical aspects would have to be considered. |
@heinezen I think we agree on much of this but I'm struggling with the term pseudonymous which I couldn't find in the privacy agreement. My understanding was that it only becomes identifiable once Antje connects to collect her results (like Schrodinger's cat), and even then on the server nothing has changed, the test-result is only identifiable on her own phone. And even then, nobody has any way of determining from the data in the system which result belonged to Bernd, and which to Carsten. So is pseudonymous = identifiable at a later stage, or through a software bug (e.g. Bernd's IP address accidentally preserved on the server) ? |
@alanrick well, everybody who knows the relationship between the true name and the QR code could attribute the test results to the person. |
@heinezen @codejus But I was hoping that this result could be treated as anonymous if it was stripped of all personal data when fed into the server. That's why I was so hung up on the term pseudonymous. Thanks for your support - and I guess you're right, @heinezen, no measurement from the RKI would clarify how much the checkbox is being left accidentally unchecked since theoretically someone using the app may scan the code but not want the results to go to the CWA ( even though I can't figure the logic behind such a behaviour.) |
Yes. But not in the CWA ecosystem. And that was my only focus. Getting the test-result back to the patient as quickly as possible (particularly with this new mutation) - the advantage of the CWA App over all other EU Corona apps. |
It doesn't matter who can make a connection between the QR code and the person behind it. So, a once pseudonymous data stays pseudonymous whether or not the processor can establish the connection to the natural person. This means they are still personal data and the data protection regulations still apply. Pseudonymisation is always only a security measure to reduce the risk of the exposure to third parties. For a better understanding of the terms personal, pseudonymous and anonymised data I recommend this site here: ICO- What is personal data? Hope that helps to clarify. |
Thanks. That's a good link. |
I'd like to close the question with an answer that is simple to understand but doesn't stonewall. oooooooo When a patient is tested, the result of the test can be returned to the patient's app. The result data is personal data of especially sensitive nature so it requires strong protection. The result is pseudonymised to provide additional security and can be retrieved by no one other than the patient who scanned the test's qr-code during testing. Note: This data is pseudonymised, but not anonymous, so GDPR requirements still need to be fulfilled. Although the patient's scanning action could be treated as explicit approval for storing the result temporarily in the CWA system (assuming the necessary accompanying text in the CWA screen and ToU/AGB), the lab entering the test-result in the system will NOT have access to this information, so a separate channel is needed to authorize the lab to enter the test result into the CWA system. This is the 10C/OEGD field 9 checkbox, which the health-center is legally committed to complete according to the patient's will. oooooooo I realize I've missed much of the detail provided above (particularly the different legal frameworks), and I suspect there are other aspects such as audit-trails which play a role, but is this a reasonable alternative to simply "legal requirements"? |
Since all questions in here seem to be answered, I'll close this issue. Corona-Warn-App Open Source Team |
Your Question
Why does the test-center need to mark a checkbox in order for the patient to receive the test-result in the CWA?
If the patient wants to receive the result in the CWA, for example to be informed sooner and without overloading the health center or telekom hotlines, then they should be able to make this decision themselves. Somebody else marking the checkbox does not add value (privacy etc) to the process and is a major source of error. ~50% of positive results are not returned to the app, and this extraneous checkbox could be a major contributor to this poor result.
According to the CORONA-WARN-APP SOLUTION ARCHITECTURE, and in particular figure 2 in the documentation, the process for receiving the test result in the CWA consists of the following actions:
A1. Step 1: User receives test-kit (S1-1) and scans the QR-code with the CWA app (S1-2) to prepare receiving the unique Test-ID.
A2. CWA stores the Test-ID locally on the mobile phone as part of the CWA App data and transfers it to a server (S1-3) to subscribe to the result.
A3. User performs test
A4. User informs the test-center that they want the test-results on the CWA and later (or immediately) a member of the test-center marks the 10C/OEGD checkbox.
A5. Step 2: Test and 10C/OEGD (including QR-code and patient details) is sent to laboratory
A6. Laboratory processes test
A7. Step 3: Personal details are extracted from the 10C/OEGD and sent with the test result to the health center (if positive) and the test-center (always)
A8. Test-ID (extracted from QR-Code) and test result (positive/negative) is sent to the Laboratory Information System, but without any personal details. From there it is transferred to the Test Result Server, again without any patient details.
A9. Step 4a: CWA queries the Test Result Server for the test result referenced by Test-ID (see action A2)
A10. If query is successful, the result of the test is shown in that user's CWA.
My interpretation is that the Test Result server does not contain any information about the patient. It just contains the Test ID, and the test result, and perhaps a timestamp.
So the test result in the Test Result Server is anonymous. Furthermore, it contains no data about the patient, only the Test-ID and Test result which cannot be used to identify a person. It is totally anonymous just as it was totally anonymous before reaching the test-center. Only the patient's CWA (no one else's) can determine if it matches, and only then if the patient has previously scanned the QR-Code into the CWA. Before scanning the patient will have accepted the ToU (AGB) of the CWA and been informed in different ways (wizard, graphics...) about all the consequences and is in a position to determine whether or not to scan and receive the results in the app.
So why does the 10C/OEGD form need the test-center to mark the checkbox in order for it to be sent to the Test Result Server anonymously?
Reading the text of the checkbox on the 10C doesn't help.
"The insured person's consent to the transmission of the test result for the purposes of the Corona-Warn-App to the server operated by the RKI has been given. The insured person has been handed information on data protection."
Why is permission for this server required and not other servers, which may be hosted on third-party Cloud platforms? Why is the test-center allowed to make this statement without a signature from the patient? Surely the privacy agreement is part of the app and up-to-date in the app, rather than relying on a copy (out-of-date) in the test-center....
Bottom line - This checkbox prevents the test result being returned when it is accidentally/hurriedly left unchecked even when the patient wants the results in their CWA app; but what value does it add?
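A simplified model of actions A1 to A10 and of the pseudonymous-versus-anonymous point made in the comments, given as an added example that is not part of the original issue or of the CWA code base. SHA-256, the record layout and every function name are assumptions; the patient names and Test-IDs are constructed.

```python
import hashlib
import secrets

def new_test_id() -> str:
    """Constructed stand-in for the Test-ID encoded in the QR code (A1)."""
    return secrets.token_hex(16)

def server_key(test_id: str) -> str:
    # Assumption: SHA-256. The thread only says the QR code is hashed.
    return hashlib.sha256(test_id.encode()).hexdigest()

class ResultServer:
    """Test Result Server model: hashed Test-ID -> result, no patient data (A8)."""
    def __init__(self):
        self._rows = {}
    def store(self, key: str, result: str) -> None:
        self._rows[key] = result
    def query(self, key: str):
        return self._rows.get(key)  # None means nothing was uploaded
    def dump(self) -> dict:
        return dict(self._rows)

def lab_submit(server: ResultServer, form: dict, result: str) -> bool:
    """A5-A8: the lab uploads only when field 9 on the form is ticked."""
    if not form["field9_consent"]:
        return False
    server.store(server_key(form["test_id"]), result)
    return True

def app_query(server: ResultServer, test_id: str):
    """A9-A10: the app asks for the result belonging to its stored Test-ID."""
    return server.query(server_key(test_id))

def relink(rows: dict, forms: list) -> dict:
    """Whoever holds the forms (patient details + QR code) can name the rows."""
    names = {server_key(f["test_id"]): f["patient"] for f in forms}
    return {names[k]: r for k, r in rows.items() if k in names}

def demo():
    server = ResultServer()
    forms = [  # constructed 10C/OEGD forms as the lab sees them
        {"patient": "Antje", "test_id": new_test_id(), "field9_consent": True},
        {"patient": "Bernd", "test_id": new_test_id(), "field9_consent": False},
    ]
    uploaded = [lab_submit(server, forms[0], "positive"),
                lab_submit(server, forms[1], "negative")]
    app_view = {f["patient"]: app_query(server, f["test_id"]) for f in forms}
    rows = server.dump()
    return uploaded, app_view, rows, relink(rows, forms)

if __name__ == "__main__":
    print(demo())
```

The server rows carry no name, yet the party holding the forms maps them back to a person, which is why the thread treats the data as pseudonymous; the unticked form leaves the second app with no result at all.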