COVID Alert Data and Privacy
The COVID Alert PA App (App) is made available by the Pennsylvania Department of Health (DOH). The App is designed to assist in alerting individuals who came in close contact with someone who later tests positive for COVID-19, and to provide information about the virus and steps for controlling the spread of the virus.
COVID Alert PA was designed to protect user privacy and security.
- The app will never collect, transmit, or store your personal information and users remain completely anonymous.
- The app does not use GPS, location services, or any movement or geographical information.
- The app detects if users are in close contact with another app user, using Bluetooth Low Energy (BLE) technology. It is the same technology that your phone uses to connect to wireless headphones or your car.
Learn more about how the app works.
The use of this App is entirely voluntary, and it is available to download for free from the Apple App Store and the Google Play Store. The App runs on iPhones that support iOS 13.5 and higher, and Android phones running Android 6.0 and higher. The App is not intended for use by persons under 18 years of age. Users will be asked to confirm that they are 18 years or older the first time the App is opened.
Data Collected and Processed
Information processed in the App is collected in three different ways:
- Provided by you as the user (if you choose to provide it);
- Generated by services on the phone; and
- Automatically collected from your phone.
1. Provided by you, if you wish to share:
When you get an Exposure Alert, you have an option to share your phone number to request a call back from a public health representative. Phone numbers are considered to be Personally Identifiable Information (PII). If you request a call-back, the App will send your number to DOH's contact tracing team. The App and the App servers will immediately delete your phone number once it is transferred to DOH. A public health representative will then call your phone number to guide you as to what you need to do to keep yourself and others safe and answer any questions you may have.
If you choose to use the symptom check-in feature, you have the option of sharing the following information anonymously:
- COVID-19 symptoms such as fever, cough, shortness of breath;
- Gender identity;
- Sexual orientation;
- Age-range; and
- County of residence.
App usage data do not identify you and are used to view trends on how the App is being used. Here is a list of the App metrics, which, with consent, are collected from the App:
- The type of operating system running on the device (iOS or Android);
- Whether the App on your phone is in use;
- Whether the App was deleted or dropped during the on-boarding screens;
- Whether the App has exposure notification services switched on, if a permission is not provided during on-boarding;
- Whether the App has received an Exposure Alert Notification;
- Whether the App has uploaded diagnosis keys;
- The number of diagnosis key matches per exposure notification. (Note: Number of diagnosis key count does not equate to number of people); and
- The ratio of exposure notifications to positive cases.
2. Generated by services on the phone:
The following data is generated by Exposure Notification Services (ENS) running on your phone if you choose to turn it on:
- Random IDs sent and received between phones that have ENS turned on;
- Random IDs uploaded to DOH if you tested positive for COVID-19 and you agree to upload them; and
- Random IDs downloaded from DOH to your phone for matching.
The above Random IDs cannot be used to identify you or anyone else. These are generated, collected and matched on your phone if you enable ENS.
3. Automatically collected from your phone:
After an Exposure Alert is sent out, the individual has an option to request a call-back from DOH. Your IP address is provided by your phone device automatically when it transmits your phone number to DOH. DOH does not need your IP address and this data is deleted as soon as your phone sends it to DOH. Your IP address is considered personal data.
There are third-party companies that provide services to the App for DOH:
- NearForm is the App developer that will be providing technical support for the administration of the App as well as maintaining the server that generates and verifies the 6-digit validation codes;
- Amazon Web Services (AWS) provides cloud storage and cloud services for the symptom check-in data submitted from your phone App; and
- Association of Public Health Laboratories (APHL) provides a national server for seamless interstate data sharing of diagnosis keys. APHL uses Microsoft Azure for cloud storage.