The Arizona Department of Health Services (ADHS) in conjunction with the University of Arizona, Arizona State University and Northern Arizona University developed the Wehealth Notify mobile application (the “App”) to help you find out if you may have come into contact with the coronavirus, the virus that causes COVID-19, without having to share your Personal Information. Our goal is to preserve your privacy, so contacts exposed to the SARS-CoV-2 virus can be notified without divulging your identity or giving up your rights. This App was built in direct collaboration with Wehealth.Org, the public benefit organization that built the App technology.
What Data Does the App Collect?
When you use the App, the App does not collect any Personal Information about you. By Personal Information, we mean information that could be used to identify you.
- Random IDs: The App pairs with the Apple-Google Exposure Notification technology. This means you must first make an explicit choice to turn on the technology on your iPhone or Android phone for the App to work. If you have enabled the technology, your phone will generate a random sequence of numbers every 10-20 minutes. Random IDs are not tied to your location or identity. The only time Random IDs are collected is if you choose to report that you tested positive for COVID-19.
- Potential Exposure Data (Date, Duration, Signal Strength): The date, duration, and signal strength of nearby Random IDs are stored locally on your phone for 30 days for the purpose of being able to give you recommendations regarding next steps you can take if potentially exposed. To preserve privacy, the “Date” has no hour, minute or second component; the “Duration” is limited to 30 mins. This Potential Exposure Data stays on your phone unless you choose to delete and no longer use the App.
- Diagnosis Data (Verification Code, Symptom Start Date, Possible Infection Date, Test Date): If you test positive and receive a Verification Code from the Local or State Health Authority, the App asks for it to verify a positive test result. Verification Codes are one-time codes that the App asks for when you choose to report your results and input them into the App. The App does not receive any Personal Information from the Local Health Authority or from Licensed Health Care Professionals. Symptom Start Date, Possible Infection Date, and Test Date are collected to provide you with information about your potential period of infectiousness for the past 14 days. The App will confirm your Verification Code with the Local Health Authority to verify a positive test result.
- Community Preference: Selecting a community will let you see community healthcare resources without ever having to share your location. This can be changed at any time.
How Does the App Collect Data?
Any Random IDs that relate to you are generated from and stored locally on your phone. If you are near someone else who is using the App with the Apple-Google Exposure Notification technology enabled, your phones will share a Random ID with each other through the Bluetooth signals on your phones. The Random ID is constantly changing to help prevent anyone from tracking or identifying you. For example, if you see someone on Monday morning and again Tuesday morning, your phones will share two different Random IDs. Each phone will locally store a log of the Random IDs it encounters. The only time Random IDs are collected is if you choose to report that you tested positive for COVID-19. When you enter a Verification Code, Symptom Start Date, Possible Infection Date and Test Date for the App to confirm your positive test result, the Random IDs stored in your phone for the past 14 days are sent to the App’s secure Key Server. You will then get notified based on Data, Duration, and Signal Strength of potential exposures when the app downloads Random IDs from the Key Server, performs exposure detection and determines whether your phone was nearby someone infectious, based on their Random ID(s).
How Will the App Use or Share Data?
Once the App receives Random IDs and confirms the Verification Code of a user who tested positive, other App users who have the Apple-Google Exposure Notification technology enabled may receive a notification that they have come into contact with someone who has tested positive. To make this work, each App users’ phone periodically downloads the list of Random IDs for everyone who has tested positive in their region. Then, if any Random IDs of users who tested positive match Random IDs on your phone, you receive an exposure notification. Exposure notification is only done on your device under your control. The App cannot personally identify you or anyone who tested positive through the data it collects. However, there is a chance another App user may be able to infer or guess who you are based on your contact with them.
How Does the App Store Data?
Random IDs are stored locally on each user’s phone. Any Random IDs the App collects after someone reports they tested positive will be stored on the App’s cloud Key Servers which are housed by Wehealth.org in the United States. The Key Servers will only retain these Random IDs for 14 days, after which point they are permanently erased. The App deletes any Verification Codes it receives as soon as they are confirmed.
What are Your Rights?
Using the App and enabling the Apple-Google Exposure Notification technology is completely voluntary. You may stop using the App or delete it at any time. Sharing your positive SARS-Cov-2 test result is also voluntary, and you may choose not to report a positive test. Though voluntary, public health highly encourages you to report a positive result to help others stay safe, make informed decisions about their health, and help save lives.
Controlling Collection of Analytics or Other Information by Your Phone’s Provider
Many application stores collect analytics and usage data about the apps you use. Unfortunately, this App cannot control this, but you can. For more information on how to control the information your provider may collect, visit the Settings app on your phone.
Your Health Information
The App does not receive any Personal Information from the Arizona Department of Health Services, a local health agency or Licensed Health Care Professionals. If you have any questions or concerns regarding your health information, including your ability to exercise any rights with respect to this information, please contact your local health authority or Licensed Health Care Professional.
The App processes the data you provide based only on your consent, which is collected when you sign up and again should you choose to report that you tested positive for SARS-CoV-2. You may withdraw your consent at any time by ceasing to use the App and deleting it from your phone. However, this will not undo the fact that you may have chosen to report that you tested positive and it will not undo any notifications previously sent to others that they came into contact with someone who tested positive.
Because the App does not collect Personal Information, there is no meaningful way to respond to data subject access requests. However, if you have questions or concerns about how the App treats the data, please contact firstname.lastname@example.org. Wehealth hopes you will raise any issues with them first, but you have the right to file a complaint with your supervisory authority, whose contact information you may locate here (TBA).
Disclosure to Third-Parties
This app uses Google's Cloud infrastructure to store your anonymous Random IDs if you choose to share them when submitting a positive diagnosis. Similarly, your Diagnosis Data (Verification Code, Symptom Start Date) is shared with our Verification Server deployed on Google's Cloud infrastructure in the United States.
Data about Children
The App is not intended for children under 13. The App does not knowingly collect any information from children under 13.