Updated: November 6, 2020
The Oregon Exposure Notifications system allows users who opt-in to send and receive notifications of a potential high-risk exposure to COVID-19 in a privacy-preserving manner. A notification sent through the system will include instructions to an exposed person about who to contact and next steps to take. The Oregon Exposure Notifications system has the potential to help stop the spread of COVID-19 in Oregon. Its use is encouraged, but is completely voluntary.
The exposure notification service provided by this system is intended to supplement conventional, established contact tracing efforts. Both contact tracing and exposure notification tracing are part of Oregon’s response to the COVID-19 pandemic. Contact tracing is a statewide effort by OHA, local and tribal public health authorities, and community-based organizations. Contact tracers are people who call individuals who may have been exposed to someone who has tested positive for COVID-19. The Oregon Exposure Notification system is offered as a way to reach people that traditional contact tracing may not reach.
Oregon Exposure Notifications does not collect or share any personal information (like your name or phone number), or any user location information. OHA will not have access to information exchanged within the system or to any information that identifies a specific individual.
The mobile devices of users share anonymous keys (randomly generated strings of numbers and letters) via Bluetooth. This data is not linked to a user’s identity or location. Each user’s keys change frequently to further protect their identity. This data is stored on a user’s device for a period of 14 days and then automatically deleted. Once deleted, the data cannot be restored. The Oregon Exposure Notifications system uses these anonymous keys to measure exposure risk factors of proximity (because of Bluetooth signal strength), and the date and duration of exposure in the event of a match with a reported positive COVID-19 diagnosis.
The anonymous keys stored on an Oregon Exposure Notifications user’s own device are not shared unless and until the user has a positive COVID-19 diagnosis, and elects to share this information through the system. A user who tests positive for COVID-19 may choose to notify other system users who have been near the user. To trigger such notifications, the COVID-19 positive user must enter a valid verification code provided by a medical provider, lab, or local public health authority. A verification code is required to share a positive test result in the system so that only verified positive test results are used to generate exposure notifications.
This verification code is generated through a process that does not require any personal information of the person testing positive, and the code is only valid for a short time after it is generated. After this time is up, the code is deleted by the system used to generate it.
Exposure notifications that may be caused by a match on another user’s phone do not disclose the COVID-19 positive user’s identity, location, phone number, or any other personal information.
The exposure notification will include the date of the exposure. Sharing the exposure date is important to ensure the right precautions (such as self-quarantine) are taken for an appropriate amount of time based on the exposure date. It is possible that someone who receives an exposure notice could guess the identity of a COVID-19 positive person, if they had a limited number of contacts on a given day.
An exposure notification is generated through a process that occurs on a user’s mobile device. Several times a day, the app downloads a list of the anonymous keys associated with positive COVID-19 cases reported via the system. The user’s device checks these keys against the list of keys it has encountered in the past 14 days. If there is a match, and the date, duration, and proximity align with the public health authority’s risk model to indicate a possible exposure to the virus, the user will receive an exposure notification. OHA’s current threshold for high risk of exposure, and therefore an exposure notification, is for someone to be within 6 feet of at least one COVID-19 positive individual for at least 15 minutes in a 24-hour period.
The notification will inform the user of the date of exposure and instructions on what to do next.
The Oregon Exposure Notifications system has the potential to help stop the spread of COVID-19. Its use is highly encouraged, but it is completely voluntary.
Users may permanently disable Oregon Exposure Notifications at any time by uninstalling the app (Android) or turning off the feature (iOS). Users may temporarily disable the system by or turning off the device’s Bluetooth function, which would stop the creation of anonymous keys but not notifications, or turning off the mobile device, which would stop both Bluetooth operation and notifications.
If a user receives a positive COVID-19 test, the user must take action before any other users receive a notice through Oregon Exposure Notifications. Providing notification to other users through Oregon Exposure Notifications is also completely voluntary. If a user tests positive for COVID-19, and chooses to notify others through the system, the user must activate notifications by entering a verification code to release the anonymous keys stored on the user’s mobile device. Verification codes may only be generated by a medical provider, lab, or public health authority. This includes the Oregon State University Student Health Center and the Oregon State University TRACE call center.
The following types of de-identified data will be created and collected by the Oregon Exposure Notifications system:
This information will not include any personal or location information, nor can it be used to identify any system user. This data will be accessible to OHA, and may be used to monitor system usage and performance evaluation, and for statistical or scientific research purposes. This data may also be shared with local public health authorities and Oregon State University.
Oregon Exposure Notifications is not intended for children under the age of 13. Users between the ages of 13 and 17 can only use the system after the parent or legal guardian has reviewed and provided consent.
OHA’s privacy policies can be found here: