Privacy Policy
Effective as of October 30, 2020
This Privacy Policy describes how the Connecticut Department of Public Health (CDPH) protects the privacy of people using the new exposure notification system – COVID Alert CT. The policy explains how the data collected through COVID Alert CT is stored and processed, and the choices available to the users in terms of usage.
On iOS devices (version 13.7 or later) the exposure notification system is activated within Settings and no app installation is required. On Android devices an app is available for download. For the pilot, these functions are only made available to a limited number of users associated with higher education institutions throughout the state. On both types of devices, the privacy policy and choices are the same.
About COVID Alert CT
COVID Alert CT allows users to send and receive notifications of a potential high-risk exposure to COVID-19, in a privacy-preserving manner. The notifications will include instructions on who to contact and next steps to take.
The exposure notifications are intended to supplement the conventional contact tracing efforts undertaken by local public health authorities involving contact by a caseworker.
How it works
COVID Alert CT does not collect or exchange any personal information, as defined in the Connecticut Personal Data Act, of the user to receive notifications.
The mobile devices of users share anonymous keys (randomly generated strings of numbers) via Bluetooth. The only data used are the anonymous keys, Bluetooth signal strength (proximity), and date and duration of exposure. These data are not linked to a user’s identity or location. Each user’s keys change frequently to further protect their identity. These data are stored only on the user’s device and are never shared unless and until the user has a positive COVID-19 diagnosis and elects to share this information within the system. The data are stored for a period of 14 days and then automatically deleted. Once deleted the data cannot be restored.
A user who tests positive for COVID-19 may choose to notify other COVID Alert CT users who have been near the user. To trigger such notification, the COVID-19 positive user must enter a valid verification code provided by the public health authority.
Several times a day, the app downloads a list of all the anonymous keys associated with positive COVID-19 cases that have elected to share their keys via the app. The user’s device checks these keys against the list of keys it has encountered in the past 14 days. If there is a match, and the date, duration, and proximity align with the public health authority’s risk model to indicate a possible exposure to the virus, the user will receive an exposure notification.
The notification will inform the user of the date of exposure and instructions on what to do next.
User consent and choices
Using the system
COVID Alert CT has the potential to help stop the spread of the infection and its use is highly encouraged, but it is completely voluntary.
Users may turn the system on or off at any time, or uninstall the app on an Android device. The system does not collect, track or store users’ location, GPS information, or personal information.
Disabling exposure notifications
Users may disable COVID Alert CT at any time by uninstalling the app (Android), turning off the feature (iOS), turning off the mobile device, or turning off the Bluetooth function.
Generating exposure notifications to other users
Providing notification to other users is also completely voluntary. If a user tests positive for COVID-19, and chooses to notify others, the user has to activate notifications by entering a verification code to release the anonymous keys stored on the mobile device. When anonymous keys are released, the notifications that may be generated do not disclose the COVID-19 positive user’s identity, location, phone number, or any other personal information.
The exposure notification includes the date of the exposure, but the COVID-19 positive user’s identity is not shared. Sharing the exposure date is important to ensure the right precautions (such as self-quarantine) are taken for an appropriate amount of time based on the exposure date. It is possible that someone who receives an exposure notice could guess the identity of the COVID-19 positive individual, if they had a limited number of contacts on a given day.
A verification code is required to share a positive test result in the system. This ensures that only verified positive test results are used to generate exposure notifications. Verification codes may only be generated by a public health authority.
Sharing of information
The following categories of de-identified data may be processed and collected by COVID Alert CT:
- App installation and deletion metrics
- Exposure notification metrics
- Exposure notification interaction metrics
- Key upload metrics
- Verification code metrics
- Anonymous keys that have been voluntarily shared
The data may be used to monitor system usage, as well as for performance evaluation and statistical or scientific research purposes. This data is only collected if you explicitly opt-in. The data may also be shared with local public health authorities. This information will not include any personal or location information, nor can it be used to identify any system user.
Age requirements
COVID Alert CT is not intended for use by anyone under the age of 18.
Changes to our Privacy Policy
CDPH may update this Privacy Policy from time to time. Users will be notified of any material changes to this Privacy Policy through the app. The notification will indicate when such changes will become effective.
Users who object to a new Privacy Policy may terminate participation in COVID Alert CT by deleting or uninstalling the app (Android) or turning off the feature (iOS).
Contacting us
If you have any feedback, or any questions, comments, or concerns relating to this Privacy Policy or our privacy practices, please contact us at DPH.covidalertct@ct.gov.