By Zachary Zanussi, Statistics Canada

Have you ever wished that there was a way to access data to perform analytics while preserving the privacy of the data itself? Homomorphic encryption is an emerging privacy preserving technique with potential applications that will allow for greater access while keeping data encrypted and secure.

The first article in the series, Brief Survey of Privacy Preserving Technologies introduced privacy preserving techniques (PPTs) and how they are poised to enable analytics while protecting the privacy of the data. This article will build on that topic by taking a deeper look at one of these techniques, homomorphic encryption (HE), including what it is, how it works and what it can do for you.

This article begins with an overview of HE and introduces some common use cases. It gives an honest evaluation of HE's advantages and disadvantages. Then it will cover some of the more technical details to prepare you to dig into these techniques yourself! By the end of this article, hopefully you will be inspired to continue your learning by picking an HE library and making your own encrypted circuits.

Homomorphic encryption is currently being considered by international groups for standardization. The Government of Canada does not recommend that HE, or any cryptographic technique, be used in practice before standardization by experts. While HE is not yet ready for use on sensitive data, this is a great time to explore its functionality and potential use cases. Expect a future article on the standardization activities related to HE including expected timelines and schemes.

What is homomorphic encryption?

A traditional encryption scheme maps human-readable plaintexts into masked ciphertexts to protect data from prying eyes. Once masked, these ciphertexts are immutable; changing even a single bit in the ciphertext may return an unrecognizable plaintext message upon decryption. This makes traditional encryption quite static. By contrast, a homomorphic encryption scheme is dynamic; given two ciphertexts, you can perform operations on the underlying plaintexts. For example, a homomorphic 'add' operation will return a ciphertext that, upon decryption, returns the sum of the two original plaintext messages. This allows you to delegate computing to another party so that they can manipulate it without accessing the data.

A typical cloud computing protocol involves a client sending its data to the cloud. Since internet connections are inherently insecure, this transfer is facilitated by a form of transport security protocol that involves encryption, such as HTTPS. Upon receipt, the cloud decrypts and begins computation. However, what if you want to keep the data secret from the cloud? If you encrypted with a homomorphic scheme, not only would the data be protected during transport, but it would also be protected during the entire computation process. Upon completion, the cloud would forward the encrypted results back to the client, who could decrypt and view the results at their leisure.

The term "homomorphic" comes from Greek, roughly translating to "similar form." In mathematics, a homomorphism is a map from one mathematical structure to another that preserves the operations of the first structure. To construct a homomorphic encryption scheme, you need an encryption map that scrambles the data enough that no one can figure out what they are, while simultaneously preserving the structure of the data so that operations on ciphertexts result in predictable results in the plaintexts. These paradoxical goals underscore the difficulty in constructing such a scheme.

Figure 1: An illustration of the benefits of HE. On the left is ordinary encryption; to apply the desired analytics, the data need to first be decrypted using the private key. To make the results safe for transport, it must be re-encrypted. In addition, the data are vulnerable for the duration of the computation. On the right is HE; the computing party doesn't require any sensitive information to perform the calculation and the data and results are protected by encryption.

What can you do with homomorphic encryption?

There are a number of different computing paradigms that can be enhanced with HE, including delegated computing, data sharing and data release. These different paradigms all revolve around the fact that the data holder, analyst and computing platforms are often different parties entirely and the aim is to reduce or remove the privacy concerns that arise when one of these parties shouldn't have access to the data. It is important to note that HE uses a weaker security model than traditional cryptography and that care will need to be taken to ensure that it is used securely in practice.^{Footnote 1}

Possibly the simplest application involves a data holder delegating their computing to another party, such as the cloud. In this scenario, a client encrypts their data and sends them along with some instructions to the cloud. The cloud can carry out those instructions homomorphically and return the encrypted results, learning nothing about the input, output or intermediate values. These instructions are modeled as circuits, which are sequences of arithmetic operations applied to some input. It should be noted that creating correct and efficient circuits with HE is not always straightforward, but theoretically there is no limit to the computations that can be run. For example, Statistics Canada has completed proof-of-concepts^{Footnote 2} applying statistical analysis and neural network training on encrypted data.

As an extension of the delegated computing scenario, consider a case where there are multiple data holders. These data sources want to share their data, but are prevented due to privacy issues. The exact outline depends on the trust model; however, HE may allow these different parties to each encrypt their data and share them with a central authority who has the power to compute homomorphically. These data sharing applications can allow for better analytics in scenarios where data are limited and sheltered. An example is an oncologist who wants to test their hypotheses; patient data are typically restricted to the treating hospitals and combining these sets not only increases the strength of the model, but removes geographic data biases. Therefore, allowing multiple hospitals to share their encrypted data and allowing the oncologist to compute on this joint encrypted dataset allows for better healthcare research and outcomes.

Consider also scenarios with a central data holder and several parties who want to perform analysis on these data. An example of this is Statistics Canada's Research Data Centres, which are hosted across Canada in secure facilities managed by the organization. Accredited researchers can gain special approval to access microdata within these secure sites. While secure, the approval process takes time and the researchers must be able to physically access these sites. With HE, the data centres may be able to host the data encrypted and give access to any party who requests it. This would cut down the administrative costs of adding a new researcher and would broaden access to data in line with Canada's Open Data Initiative.

Figure 2: Illustrations of the three paradigms. First is delegated computing; the data holder encrypts and sends their data to the cloud, who returns the encrypted results after performing homomorphic calculations. Second, multiple parties encrypt and send their share of a distributed dataset which the cloud can use to perform analytics without compromising the privacy of each data holder. Third, a central data holder can give analysts access to an encrypted dataset. The analysts can be subjected to less scrutiny and restrictions because they never have direct access to the data.

HE can help with more than numerical calculations. For example, Private Set Intersection (PSI) allows a client in possession of a sensitive dataset to learn its intersection with a server's dataset without the server learning the client's dataset and without the client learning anything about the server's data beyond the intersection. Private String Matching is a similar protocol that allows the client to query a textual database for a matching substring. Using these and other cryptographic primitives, you can envision a broad privacy-preserving suite linking data dispersed across different government departments and public institutions. While such a system is ambitious and the exact implementations are not yet clear, it gives a taste of the types of systems that you can aspire to as more complicated tasks are completed using HE and other PPTs.

Downsides of homomorphic encryption

While there are many benefits to the use of HE, as with any technology, there are potential downsides. The price of cryptographic security is the computational cost; depending on the analysis, encrypted computation can be several orders of magnitude more expensive than unencrypted. There is also a data expansion cost that can be quite significant. This data expansion cost is exacerbated by the fact that most HE protocols involve transferring encrypted data; while cloud storage is relatively inexpensive, data transfer can be costly and complicated.

There are also a restricted set of computations allowed natively by HE. Only addition, subtraction and multiplication are native to most arithmetic schemes and all other computations (such as exponentials, activation functions, etc.) must be approximated by a polynomial. One should note that this is true in general with all computers, but while a modern computer hides this fact from the user, HE libraries currently require the user to specify how to compute these non-trivial functions.^{Footnote 3} In some schemes, one also has to be wary of the depth of computations attempted. Indeed, these schemes introduce noise into the encrypted data to protect it. This noise is compounded through successive computations and, unless reduced,^{Footnote 4} would eventually overtake the signal, at which point decryption will no longer return the expected output. One's choice of encryption parameters is important here. Given a circuit, there exists a parameter set large enough to accommodate it, but dealing with larger parameters increases the computational cost of the protocol.

Can the extra costs in terms of computation and circuit creation be justified? Well, HE allows for computations that might not be possible otherwise. This is true with particularly sensitive datasets, such as health data. There is a huge cost inherent in obtaining permissions for an analyst to work on such data, as well as additional complications such as controlled computing environments. And once the data are shared, how do you verify that the analysts are following the rules? Some data holders may be reluctant to allow anyone access to their data at all; without some additional measures such as HE, this analysis might be impossible. The choice between "expensive computation" and "no computation" is much easier to make.

Moreover, the various schemes and their implementations are an active area of research and the library implementations regularly release improvements to their data compression and homomorphic computation algorithms. There has also been a significant amount of investment in hardware acceleration for HE recently. This is similar to the hardware that is installed on most computers, which contains specific electronic circuits designed to perform encryption and decryption operations as fast as possible. This could allow HE-accelerated cloud computers to perform analysis on encrypted data at speeds closer to that of unencrypted data.

In spite of the downsides, there are reasons to believe that HE will become an important tool for preserving privacy. That makes the present a fantastic time to begin to examine what can be done with these techniques.

The mathematics of homomorphic encryption

Now this article will delve into the inner mathematical workings of HE, including cryptographic details; hopefully even non-mathematical readers will be able to grasp the basics of how these schemes work. It should be noted that the rest of this section provides details pertaining to the scheme of Cheon, Kim, Kim and Song, which they named Homomorphic Encryption for Arithmetic of Approximate Numbers but the cryptographic community usually refers to as CKKS. That said, most of what is mentioned here applies to the other schemes with only slight modifications.

At the heart of every public key cryptosystem is a mathematical problem that is believed to be hard to solve unless you have access to a special piece of information called a secret (or private) key. A related public key can be used to encrypt plaintext data producing a ciphertext, but only knowledge of the secret key enables one to recover the original plaintext from this ciphertext. Since the public key cannot be used to decrypt, the public key can be shared with anyone wishing to encrypt data with confidence that only the secret key holder can decrypt the ciphertext to access the plaintext.

Most HE schemes use some variant of the Learning With Errors hardness assumption. This describes the ring variant, called Ring-Learning With Errors (RLWE). Rather than integers, it deals with polynomials with integer coefficients. More precisely, you want the space of polynomials with integer coefficients modulo $q$ of degree less than $N$ ; this is denoted by $R_q=Z_q\left[X\right]/⟨X^N-1⟩$ . You can think of this space simply as lists of $N$ integers, each less than $q$ . Typically, you would take these values to be quite large; for example $N=2^{15}=16,384$ and $q ~ 2^{800}$. This makes $R_q$ large enough to hide secrets in! Figure 3 gives a toy example of the type of space we would work with.

Figure 3: A toy example of a ring of the type that might be used for HE, as well as a few of its elements. Note that the sum or product of these elements is another element in the ring.

Given two polynomials, you can add them or multiply them. The result of these operations is always another polynomial.^{Footnote 5} This makes $R_q$ a kind of a sandbox that you can move around freely within. Mathematicians call a set with this property a ring and the way that these operations affect the elements of the ring is what is meant by structure. The special property of homomorphic encryption is that there exist operations in the ciphertext space that correspond homomorphically to the operations on the underlying plaintext space. The use of polynomial rings is preferred because the operations are efficient and the RLWE problem is believed to be difficult.

How does one hide a secret in a mathematical space? Suppose you have four random polynomials^{Footnote 6} in $R_q$ , called $a,s,e$ , and $b$. The RLWE hardness assumption states that it is very hard to distinguish a series of pairs that are either of the form $(a,a\cdot s+e)$ or of the form $(a,b).$Here, "very hard to distinguish" means "parameters can be set such that all the best computers in the world working together using the best known algorithms would still not be able to solve the problem. The polynomials $a$ and $b$ can be sampled uniformly at random from all of $R_q$, but the others have a special form. In CKKS, we take $s$ to have coefficients of $\pm 1$ or $0$, and sample the coefficients of $e$ from a discrete Gaussian distribution over $Z_q$ centred around $0$. For the rest of this post, we will just refer to these polynomials as "small", because in both cases their coefficients are close to $0$.

The hardness of the RLWE problem allows you to keep a secret in the following way: notice that the first pair is correlated; there is a factor of $a$ in both polynomials, while in the second there is no correlation between the randomly selected $a$ and $b$. Now imagine someone handed you many pairs that are either all of the form $(a,a\cdot s+e)$ for many different values of $e$ and $a$ constant $s$, or all just completely random pairs. According to the hardness of RLWE, not only could you not reliably find $s$ when given the $(a,a\cdot s+e)$ pairs, you couldn't even reliably determine which of type ofthe pairs you were given! Figure 4 gives a toy example of this problem for you to try at home.

Figure 4: Four pairs of polynomials in$R_{17}=Z_{17}\left[X\right]/⟨X^{16}-1⟩$ broken into two groups. One group is distributed as form $(a,a\cdot s+e)$ for some fixed "small" $s$ and two different random "small" $e$ and the other two are of group is of the form $(a,b)$. Can you tell which is which? What if $17$ is changed to $2^{800}$ and $16$ to $16,384$? Now imagine trying to figure out what $s$ is. Note that in the RLWE assumption, you would be given just one of these groups, not both.

The security of schemes based on RLWE follows from the fact that given $a,s$ , and $e$ it is easy to compute $a\cdot s+e$, but it is practically impossible to find $s$ given $a$ and $a\cdot s+e$. You can construct a public key encryption system as follows:

• Fix your space $R_q$ by picking a coefficient modulus $q$ and a polynomial modulus degree $N$ .
• Pick a random "small" secret key $s$ , a uniformly random $a$, and a random "small" $e$ to construct your public key $(a,-a\cdot s+e,a)$. Note the negative in this pair; this makes the encryption process more straightforward but does not affect the security of RLWE.
• Share your public key with the world and no one will be able to find your secret key! Hence, anyone in possession of this public key can encrypt the data and send them to some party to perform computations on it, homomorphically. In the end, the results also can only be decrypted and viewed using the secret key.

To encrypt the data, the data must first be encoded as a vector $v$ of real numbers. This is straightforward when you are working with numerical data and is a standard practice when working with textual or other types of data. To encrypt, the data vector $v$ is first encoded as a polynomial^{Footnote 7} $m$ in $R_q$ combined with by the public key to get a ciphertext, which will be denoted by $\left[v\right]$ . Now, send this off to the computing party who will perform homomorphic additions and multiplications to implement the calculation that is of interest. Figure 5 outlines a simple circuit computing a polynomial function. Once the computations are completed and output ciphertexts are returned, you can use your secret key to decrypt and view the results.

Figure 5: A visualization of a homomorphic circuit. A vector of values can be encrypted into a single ciphertext and computed on at once. Pictured is just one realization of a circuit to compute the polynomial $f\left(x\right)$. Values with padlocks are encrypted and are thus unreadable to the computing party.

While this article did not explore all of the details of how these operations are implemented mathematically, the description of HE given so far provides the background needed to further learn about HE.

How to get started with homomorphic encryption

To get started with HE, take a look at some of the available open-source HE libraries; you can try Microsoft SEAL, PALISADE Homomorphic Encryption Software Library, TFHE: Fast Fully Homomorphic Encryption over the Torus, or even Concrete: Open-source Homomorphic Encryption Library if you are a Rustacean also known as someone who uses Rust. These different libraries implement multiple HE schemes between them and you can pick the one that's best for your use case. We reiterate that, until the standardization process has finished, the Government of Canada does not recommend using HE with any sort of sensitive data.

While all of the different HE schemes will implement most use cases, some schemes will perform better on some problems. The CKKS scheme is designed to work on real numbers; if you are interested in statistics or machine learning, you should probably start here! Brakerski/Fan-Vercauteren and Brakerski-Gentry-Vaikuntanathan are great for integer arithmetic and implementing the computer science primitives such as private set intersection or string matching. TFHE implements logical gates natively and refreshes the ciphertext noise with every operation, allowing improved efficiency with longer circuit depths. Readers who are interested are encouraged to try some simple circuits using each scheme and compare the results and performance!

If you would like more information on the cyber security aspects of homomorphic encryption, including standardization activities, contact the Canadian Centre for Cyber Security at contact@cyber.gc.ca, (613) 949-7048 or 1-833-CYBER-88.

Conclusion

This article took an in-depth look at homomorphic encryption, from its applications to the RLWE problem. Next, this series on privacy preserving techniques will look at some proofs-of-concept that have been completed by applying HE at Statistics Canada! It will also cover some of the more advanced aspects of the CKKS interface, including rotations, choice of parameters, packing, bootstrapping, scale and levels.

Want to keep in the loop about these emerging technologies, or want to share your work in the field of privacy? Check out the Privacy Preserving Technologies Community of Practice page (Government of Canada employees only) to discuss this series of privacy articles, connect with peers interested in privacy and share resources and ideas with the community. You can also give feedback on this topic or leave suggestions for future articles in this series.

Note: We wish to acknowledge the input provided on this article by the Canadian Centre for Cyber Security and the Tutte Institute for Mathematics and Computing, both part of Communications Security Establishment.

By: Jihoon Choi, Deirdre Hennessy and Joel Barnes, Statistics Canada

Personal protective equipment (PPE) has become an important part of the lives of all Canadians as the pandemic changed the way we interact with one another and protect ourselves. The rapid rise of the novel coronavirus, severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2), also referred to as COVID-19, has put unprecedented demands on the Government of Canada to provide timely, accurate and relevant information to inform decision-making around a host of public health issues, including PPE procurement and deployment of PPE to the provinces and territories.

The global pandemic caused by SARS-CoV-2, poses a serious public health concern for Canadians.^{Footnote 1} As of October 2021, over 1.71 million diagnosed cases have been reported in Canada, meaning it is essential that Canadians have access to PPE when they need it.

PPE refers to commodities such as masks, gloves and gowns that are worn to provide protection against potential exposure to infectious pathogens. The pandemic has brought severe stress to the supply chains for PPE in Canada, causing a significant disruption in supply among sectors where PPE stocks are essential (e.g., hospitals, long-term care facilities).^{Footnote 2} For this reason, forecasts on the pandemic trajectory and its effect on the supply, demand and inventory of PPE have become a crucial element in decision-making.^{Footnote 3}, ^{Footnote 4}

Epidemiological models can contribute valuable insights in public health decision-making by generating a number of 'what-if' scenarios under different assumptions. Furthermore, it can help estimate how different public health intervention measures can affect the outcome of the epidemic (i.e. deciding the critical timing to introduce lockdowns/reopening in each provinces).^{Footnote 5} Different variations of epidemiological models exist and many of these are compartmental models where the population is divided into multiple compartments and are moved from one compartment to another at a defined rate.^{Footnote 6}

The Susceptible-Infectious-Recovered (SIR) model is one of the most basic forms of a compartmental model (Figure 1). This model consists of three compartments, where S is the number of susceptible individuals, I is the number of infected individuals and R is the number of recovered (and immune) individuals.

Figure 1 – Structure of a basic epidemiological model.

Figure 1 shows the base structure of the SIR model. The initial population starts in the susceptible compartment and flows into the infectious compartment at an infection rate β, then moves into the recovered compartment at a recovery rate defined by λ.

The origin of compartmental models in epidemiology dates back to the early 20th century. Specifically, the foundation was built based on the theorem outlined by Ronald Ross, William Hamer, Anderson McKendrick and William Kermack, along with important influences from a statistical perspective by John Brownlee.^{Footnote 7} Since their development, compartmental models have proven useful in modelling for numerous communicable diseases, such as malaria and plague.^{Footnote 8}, ^{Footnote 9}

As the SARS-CoV-2 outbreak became a serious public health concern for Canadians, Health Canada commissioned the Data Science Division (DScD) and the Health Analysis Division (HAD) at Statistics Canada to create an epidemiological model that could forecast the trajectories of the outbreak in Canadian provinces. The forecasted cases and hospitalizations produced from the epidemiological model are used in the PPE Project to estimate the PPE demand in various sectors across the provinces. The PPE Project aims to inform decisions related to procurement, allocation and domestic production investment in PPE through evidence-based reports on the current status and projections of PPE supply and demand, in diverse epidemiological scenarios.

Creating the initial model for PPE demand: Susceptible – Infected – Recovered – Death (SIRD) model

The initial SIRD model first used Bayesian methods to estimate the number of active infections in Canadian communities based on SARS-CoV-2 mortalities. The number of total SARS-CoV-2 infections (diagnosed and undiagnosed) were reverse-estimated from SARS-CoV-2 fatalities by province and territory, using a similar method to that used by Flaxman et al.^{Footnote 10} Estimated number of infections, deaths and recoveries were fed into a simple compartmental model, composed of four compartments. The first three compartments are equivalent to the base SIR model (Susceptible, Infected and Recovered), but this model has an additional compartment D, which represents the population in deceased state (Figure 2).

Figure 2 – Structure of a SIRD epidemiological model.

Figure 2 shows the base structure of SIRD (Susceptible – Infected – Recovered – Death) model. The initial population starts in the susceptible compartment and flows into the infectious compartment at an infection rate β, then moves into the recovered compartment at a recovery rate defined by λ or into the deceased compartment at a mortality rate defined by γ.

This model also produced a dynamic historical Reproduction Number, R(t). The R(t) is an important concept in infectious disease epidemiology, providing information about the transmission potential of an infectious agent. In other words, it shows how contagious an infectious disease is at time t in the study population. Generally, if R(t) is greater than 1, the disease will start to propagate in the population, whereas if R(t) is less than 1, the number of new cases will decrease.

R(t) is often estimated from observing the number of new infections across a time period. However, the number of SARS-CoV-2 cases was not traced accurately in the beginning of the pandemic, due to a limitation in resources such as insufficient availability of testing kits.^{Footnote 11} As a workaround, the SIRD model estimated the historical R(t) from the number of SARS-CoV-2 fatalities, which was a much more reliable measure than actual case counts during the initial periods of the outbreak. An infection fatality rate (IFR) for SARS-CoV-2 from the research literature was used to backwards-compute the historical R(t).

To forecast the future R(t), the team generated different pandemic scenarios each with varying assumptions about public health intervention measures in effect:

• The SARS-CoV-2 containment scenario—attempts to model a situation where strict public health intervention measures are in place (i.e., lockdowns). Under this scenario, R(t) is always kept under 1.
• The Resurgence Best Estimate scenario—allows the epidemic to resurge in tandem with the reopening of the economy and allows the R(t) to stay high.
• The Peaks and Valleys Scenario—allows the epidemic to resurge in tandem with the reopening of the economy until hospital intensive care unit (ICU) occupancy reached 30% of the provincial maximum. Then an intervention plan is triggered to bring the R(t) back down to lockdown level.

The SIRD model was used as the main epidemiological model for the PPE project until the beginning of 2021. The model has shown decent accuracy in forecasting the pandemic during the initial phase of the outbreak. However, this model had a number of limitations. In particular, it did not take age structure of the population into account. These limitations led to the creation of another version of the epidemiological model with additional compartments that can take more complex characteristics of the pandemic into consideration.

The current model: Susceptible – Exposed – Infected – Recovered – Deceased – Vaccinated (SEIRDV) model

Early in the pandemic, DScD and HAD at Statistics Canada worked with the Public Health Agency of Canada (PHAC) to develop an age-structured, multi-compartmental SIR model. This collaboration yielded the SEIRDV model, which was adapted by the Statistics Canada PPE epidemiological team, in collaboration with Health Canada, for use in the main PPE demand and supply model. This model has been used as the main epidemiological model in the PPE project since January 2021 (Figure 3).

Figure 3 – Simplified structure of a SEIRDV epidemiological model.

Figure 3 shows a simplified structure of the SEIRDV (Susceptible – Exposed – Infected – Recovered – Death – Vaccinated) model. The population starts in the susceptible compartment and then can flow into exposed and infectious compartments upon contracting the disease. Some of these infections are detected from contact-tracing efforts or SARS-CoV-2 testing. Individuals whose infections have been detected are sent to the quarantine path and will have a reduced likelihood of spreading the disease to others. Upon infection, individuals with severe symptoms will seek medical attention. The severely symptomatic population can end in two terminal states: deceased or recovered. People who are only mildly symptomatic or asymptomatic will flow into the recovered compartment over time. In addition, the population can be vaccinated in this model. If an individual is vaccinated, their chances of flowing into the infection compartments are reduced by the protection rate of the vaccine. Similarly, the vaccinated population has a reduced probability of developing severe cases, and therefore, of flowing into the health care system (i.e. Hospital/ICU).

The four major modifications made by introducing the SEIRDV model are:

1. The model allows the study population to be age stratified

In the SEIRDV model, the population is divided into six distinct age groups (0-9 years, 10-19 years, 20-39 years, 40-59 years, 60-74 years, 75+ years), which allows different parameters to be set for each age group and to take age-related differences into account.

For instance, reports show that younger age groups have a reduced likelihood of hospitalization and mortality compared to older age groups.^{Footnote 12} Since the SEIRDV model allows users to set different flow rates for each age group, it is capable of modelling this effect.

Similarly, certain age groups are known to interact at a higher frequency than others (i.e., parents with their children) and therefore have increased chances of transmitting the disease to each other. In the SEIRDV model, this effect can be taken into account by using an interaction matrix that models the average contact rate between two age groups.

2. Estimation of the transmission rate (β) has been improved

Instead of relying on a single measure, such as R(t), to estimate the transmission rate, the model now uses three different parameters to calculate the rate of transmission.

First is β, which in this model represents the "probability of transmission upon contact". This number is estimated from literature and calibrated in accordance with the dominant strain of SARS-CoV-2 in each province. This measure is multiplied by a contact matrix, which is a numeric matrix that illustrates the average number of contacts that people in each age group make with another age group. Lastly, a contact multiplier is applied to take variances in contact rates into account. When different public health intervention measures are in effect (e.g., lockdowns), the rate of contact among the population will change accordingly. These variances are captured by calibrating the contact-multiplier to the reported number of daily active cases in each province every week.

3. The effect of vaccination is taken into consideration

Two main effects of vaccination are a reduction in the stress on the health care system (by providing protection against developing a severe case requiring hospitalization) and transmission of the disease within the community (by providing protection against infection, ultimately promoting herd immunity). The current design of the SEIRDV model takes this into account by introducing a distinct vaccination pathway. The vaccinated population will flow into this pathway, where they will have reduced chances of contracting the disease as well as reduced likelihood of developing a severe symptom requiring hospitalization.

The model also takes into account the two-dose vaccination plan set out by the National Advisory Committee on Immunization. The vaccination data were retrieved from PHAC and COVID-19 Canada Open Data Working Group (CCODWG) to estimate the number of doses that can be given out each day per province. In addition, the different rates of protection given by the two-stage vaccination plan were modelled by dividing our vaccination path into four distinctive compartments. This process is summarized in Figure 4.

Figure 4 – Design of the vaccination compartment

The study population is divided into six distinct age groups (0-9 years, 10-19 years, 20-39 years, 40-59 years, 60-74 years, 75+ years) and vaccines are distributed in the order of older to younger age groups, while distributing a small number of doses to an age group that represents the health care professionals in the early phase. Upon receiving the first dose, the freshly vaccinated population flows into the first vaccination compartment which represents the population who have received their vaccine but have not had the chance to develop any immunity yet. Then this population flows into the second vaccination compartment after a set period, at which point they develop a partial protection against SARS-CoV-2. The population stays in this compartment until phase 1 (i.e. giving out first dose) completes. Once phase 2 of the vaccination plan starts, the population flows into the third vaccination compartment where they receive their second dose, then flows into the last vaccination compartment where they develop the maximum immunity that they can gain from the vaccination.

4. Impact of variant of concern (VOC) can be modelled

A number of different strains of SARS-CoV-2 have been sequenced around the world as a result of viral mutation, some having shown higher rates of transmission or mortality.^{Footnote 13} These variants are called variants of concern (VOC) and became a crucial factor to consider in epidemiological modelling of SARS-CoV-2. The SEIRDV model is capable of modelling these by altering the probability of transmission (β) to model the increased transmission rate, as well as altering the flow into the hospitalization or the deceased compartment to model the effect of increased symptom-severity of the variant. Using this mechanism, the team has successfully modelled the effect of the B.1.1.7 (Alpha) variant in our model.

Conclusion

Through continuous development, enhancement and calibration efforts, the epidemiological model has yielded a valuable contribution in modelling the trend of the SARS-CoV-2 pandemic in Canada. Specifically, findings from this model have allowed the PPE Project to estimate the PPE demand across Canadian provinces to ensure that all sectors acquire sufficient PPE stocks in advance of large outbreaks.

Furthermore, this article demonstrates how applications of data science, combined with statistics, computer science and epidemiology, can be utilized in public health planning as well as decision making for resource requirements during the COVID-19 pandemic.

How was this achieved?

• By using open-source software
  The SEIRDV model is programmed R and the core methodology of the model has been published in an open access journal (Assessing the impact of varying levels of case detection and contact tracing on COVID-19 transmission in Canada during lifting of restrictive closures using a dynamic compartmental model) and R package, which is available on the Statistics Canada GitHub account.
• By adapting various development platforms to construct our model
  The team used multiple platforms and programming languages for development, including: R and Python to develop the main model, SQL to construct and revise databases and tables, Power BI and R Shiny for visualization and product delivery and Azure Data Factory for pipeline construction and management.
• By optimizing and automating the pipeline for maximum efficiency
  All modelling tasks were parallelized to utilize the power of multi-core processing. The team also automated many of the procedures, including construction of reports, sensitivity analysis and quality assurance tests.

Areas of further study

Given that SARS-CoV-2 is still an on-going pandemic, there may be more work that needs to be done. Some potential future areas of study include:

• New variants
  With the high rate of mutation observed in the SARS-CoV-2 strain, new variants are constantly sequenced around the world. While the effect of the B.1.1.7 variant has been considered in the model, there are still several other VOCs that may need to considered (e.g., Delta variant). The team is closely monitoring the spread of VOCs across the country to determine if other variants need to be taken into account in the model.
• Waning immunity
  Studies have shown that immunity gained from vaccination (or infection) does not last indefinitely. Immunity will wane over time, causing a progressive loss of protective antibodies. This phenomenon is called waning immunity. This will need to be taken into account in the model to prepare for a future scenario, such as when a large portion of the population will require another dose of vaccination to maintain their immunity.

The PPE epidemiological modelling team:
Jihoon Choi (DScD), Deirdre Hennessy (HAD), Joel Barnes (HAD).

Project team and contributors:
Rubab Arim, Statistics Canada; Kayle Hatt, Health Canada