Privacy & Data Security

The new procedures the University is implementing to protect health and safety on campus involve the collection of personal data, including symptoms, contacts, and location information. In developing and selecting the software used to collect and store this information, we have attended carefully to the recommended best practices regarding minimal information collection, encryption, firewalled storage, and regular systematic deletion of data that is no longer relevant. Each vendor has been required to pay particular attention to data security and privacy. Should someone test positive for SARS-CoV-2, we are mandated to report this information to the Denver Department of Public Health & Environment (DDPHE). In addition, we are sometimes required to report symptom information for the purpose of tracking symptom clusters. We report the information required by public health authorities. The number of positive cases reported to DDPHE is also reported weekly on the University’s COVID-19 website.

Throughout the evaluation of our digital contact tracking technology and its potential integration with symptom monitoring, the security and privacy framework of the technology was paramount to our selection decision. It is critical that we select a firm that not only has years of experience with data security and privacy, but also has the credentials, certifications, and independent oversight in place to maintain current safeguards in a landscape of more intense cyber-attacks. Vendors with a comprehensive set of security requirements and controls based on the US National Institute of Standards and Technology's Security and Privacy Controls for Information Systems and Organizations, the ISO standards, and GDPR compliance were prioritized and ranked higher.

Digital contact tracing technologies that use Bluetooth Low Energy (BLE) are preferred, because BLE allows data to be stored in a decentralized manner on the individual’s phone and accessed only via randomized keys. Self-reporting by app users when they have tested positive for the virus can trigger tracing of individuals who have come in contact with the infected person, based upon the Bluetooth random key exchange. This can trigger notification to the contact management team for additional support to those at greater than minimal risk. Role-based access, which restricts data to a small group of administrative users who need it, is a common practice at the University of Denver. Finally, it is important that the text messages and file storage methodologies are HIPAA compliant.

Companies and technologies that utilize system redundancy to reduce poor performance, and therefore improve tracking and monitoring capabilities, are essential given the size of the campus. Additionally, distributed data storage and operation centers help achieve consistent performance during peak loads.