Oregon Exposure Notifications Privacy Policy

Updated: November 6, 2020

This Privacy Policy describes how data used by the Oregon-authorized COVID-19 exposure notification system, named “Oregon Exposure Notifications,” is created, stored, and shared, and your choices as a user. The Oregon Health Authority (OHA) has published this Privacy Policy to explain how the Oregon Exposure Notifications system is designed to protect the privacy of people using it.

About the Oregon Exposure Notifications System

The Oregon Exposure Notifications system allows users who opt-in to send and receive notifications of a potential high-risk exposure to COVID-19 in a privacy-preserving manner. A notification sent through the system will include instructions to an exposed person about who to contact and next steps to take. The Oregon Exposure Notifications system has the potential to help stop the spread of COVID-19 in Oregon. Its use is encouraged, but is completely voluntary.

The exposure notification service provided by this system is intended to supplement conventional, established contact tracing efforts.  Both contact tracing and exposure notification tracing are part of Oregon’s response to the COVID-19 pandemic. Contact tracing is a statewide effort by OHA, local and tribal public health authorities, and community-based organizations. Contact tracers are people who call individuals who may have been exposed to someone who has tested positive for COVID-19. The Oregon Exposure Notification system is offered as a way to reach people that traditional contact tracing may not reach.

How to Participate in the Oregon Exposure Notifications System

On iOS devices (version 13.7 or later) exposure notification feature can be turned on with a toggle available through the “Settings” menu, meaning a user with an iOS device, like an iPhone, does not need to install a specific application (or “app”). On Android devices, an app must be installed, and is available for download in the Google Play Store. A user does not need to specifically “opt in” to notifications. For the pilot, the Oregon Exposure Notifications system is only available to a limited number of users associated with Oregon State University. For both types of devices, this Privacy Policy and choices are the same.

How Oregon Exposure Notifications Works   

Oregon Exposure Notifications does not collect or share any personal information (like your name or phone number), or any user location information. OHA will not have access to information exchanged within the system or to any information that identifies a specific individual.

The mobile devices of users share anonymous keys (randomly generated strings of numbers and letters) via Bluetooth. This data is not linked to a user’s identity or location. Each user’s keys change frequently to further protect their identity. This data is stored on a user’s device for a period of 14 days and then automatically deleted. Once deleted, the data cannot be restored. The Oregon Exposure Notifications system uses these anonymous keys to measure exposure risk factors of proximity (because of Bluetooth signal strength), and the date and duration of exposure in the event of a match with a reported positive COVID-19 diagnosis.

The anonymous keys stored on an Oregon Exposure Notifications user’s own device are not shared unless and until the user has a positive COVID-19 diagnosis, and elects to share this information through the system. A user who tests positive for COVID-19 may choose to notify other system users who have been near the user. To trigger such notifications, the COVID-19 positive user must enter a valid verification code provided by a medical provider, lab, or local public health authority. A verification code is required to share a positive test result in the system so that only verified positive test results are used to generate exposure notifications.

This verification code is generated through a process that does not require any personal information of the person testing positive, and the code is only valid for a short time after it is generated. After this time is up, the code is deleted by the system used to generate it.

Exposure notifications that may be caused by a match on another user’s phone do not disclose the COVID-19 positive user’s identity, location, phone number, or any other personal information.

The exposure notification will include the date of the exposure. Sharing the exposure date is important to ensure the right precautions (such as self-quarantine) are taken for an appropriate amount of time based on the exposure date. It is possible that someone who receives an exposure notice could guess the identity of a COVID-19 positive person, if they had a limited number of contacts on a given day.

An exposure notification is generated through a process that occurs on a user’s mobile device. Several times a day, the app downloads a list of the anonymous keys associated with positive COVID-19 cases reported via the system. The user’s device checks these keys against the list of keys it has encountered in the past 14 days. If there is a match, and the date, duration, and proximity align with the public health authority’s risk model to indicate a possible exposure to the virus, the user will receive an exposure notification. OHA’s current threshold for high risk of exposure, and therefore an exposure notification, is for someone to be within 6 feet of at least one COVID-19 positive individual for at least 15 minutes in a 24-hour period.

The notification will inform the user of the date of exposure and instructions on what to do next.

User Choices

Using the system

The Oregon Exposure Notifications system has the potential to help stop the spread of COVID-19.  Its use is highly encouraged, but it is completely voluntary.

At any time, users may turn the system on or off on an iOS device, or uninstall the app on an Android device. If you uninstall or turn off the app, your device will no longer use or exchange the information as described in this Privacy Policy, and your information created or shared within the system during your use will be automatically deleted 14 days from the date it was created.

Disabling the system

Users may permanently disable Oregon Exposure Notifications at any time by uninstalling the app (Android) or turning off the feature (iOS). Users may temporarily disable the system by  or turning off the device’s Bluetooth function, which would stop the creation of anonymous keys but not notifications, or turning off the mobile device, which would stop both Bluetooth operation and notifications.

Generating exposure notifications to other users

If a user receives a positive COVID-19 test, the user must take action before any other users receive a notice through Oregon Exposure Notifications.  Providing notification to other users through Oregon Exposure Notifications is also completely voluntary. If a user tests positive for COVID-19, and chooses to notify others through the system, the user must activate notifications by entering a verification code to release the anonymous keys stored on the user’s mobile device. Verification codes may only be generated by a medical provider, lab, or public health authority. This includes the Oregon State University Student Health Center and the Oregon State University TRACE call center.

De-Identified Usage Information

The following types of de-identified data will be created and collected by the Oregon Exposure Notifications system:

  • Count of installs of the app
  • Count of enabling and disabling exposure notifications
  • Count of exposure notifications received by users
  • Count of number of times a verification code is entered to send anonymous keys
  • Number of anonymous keys that have been voluntarily shared
  • Count of deletions of the app

This information will not include any personal or location information, nor can it be used to identify any system user. This data will be accessible to OHA, and may be used to monitor system usage and performance evaluation, and for statistical or scientific research purposes. This data may also be shared with local public health authorities and Oregon State University.

Minimum Age Requirements

Oregon Exposure Notifications is not intended for children under the age of 13. Users between the ages of 13 and 17 can only use the system after the parent or legal guardian has reviewed and provided consent.

Consent and Changes to This Privacy Policy

Your use of the Oregon Exposure Notifications system is your consent to the use of information as described this Privacy Policy. If you object to this Privacy Policy, you should permanently disable Oregon Exposure Notifications by uninstalling the app (Android) or turning off the feature (iOS).

OHA may update this Privacy Policy from time to time. Users will be notified of any material changes to this Privacy Policy through the app. The notification will say when changes will be effective. Users who object to an update to this Privacy Policy may stop participating in Oregon Exposure Notifications by uninstalling the app (Android) or turning off the feature (iOS).

Contacting Us

If you have any feedback, or any questions, comments, or concerns relating to this Privacy Policy or Oregon Exposure Notifications, please contact the privacy office, which is part of the Oregon DHS/OHA Information Security and Privacy Office (ISPO) at [email protected] or by telephone at 503-945-5780.

OHA’s privacy policies can be found here:

https://www.oregon.gov/oha/FOD/OIS-ISPO/Pages/Policies.aspx