- What personally identifiable information is collected from you through the App.
- What choices are available to you regarding the use of your data.
- The security procedures in place to protect against the misuse of your information.
Background

The NMT App is a mobile application that is intended to enhance back-to-campus safety associated with the operation of university activities during the global COVID-19 pandemic. It is intended to augment existing COVID-19 practices in place at NMT, to include those required by the State of New Mexico, including adherence to COVID Safe Practices (https://cv.nmhealth.org/covid-safe-practices/). It is meant for use by the students, staff, and faculty of NMT on a strictly voluntary basis. The App is intended to provide the end-user with additional tools to use in their day-to-day access to NMT campus facilities. It is also intended to provide the NMT COVID-19 Response Team (Response Team) with additional resources to aid in a safe campus operation, to include contact tracing, management of positive cases, and safe operation of classroom, office, and residential environments on campus. The App consists of four main features:
- Location Monitoring: On a voluntary basis, a user of the App can allow their device to report their location coordinates on campus, to provide the NMT Response Team with additional information to augment manual contact-tracing and facility-remediation efforts in the event of a positive result. Additionally, on a voluntary basis, the App can also collect information about the WiFi Access Point that the user is connected to. In future versions, this may allow for refined location calculations.
- A COVID-19 Symptoms Self-Check: This gives the user the ability to voluntarily walk through a questionnaire based on CDC guidelines to determine whether or not they should avoid campus and/or seek medical help.
- A Location Self-Reporting Tool: This allows a user to voluntarily check-in and check-out of buildings on NMT main campus, to include by room number, for the purposes of providing the NMT Response Team with additional information in the event of positive cases (e.g., understanding which facilities may need temporary closure, remediation, etc.), as well as to support manual contact-tracing efforts.
- A COVID-19 Positive Test Reporting Tool: This allows a user to voluntarily report a positive test result for the purposes of providing the NMT Response Team with the ability to augment manual contact-tracing, notification, and facility remediation efforts. A positive test report will result in an email being sent to a limited number of officials on the Response Team.
Information Collection, Use, and Sharing

Information gathered by the App is stored and processed by back-end software consisting of an Application Server and an Administrative Portal. Information shared when a user downloads the App and registers an account includes:
- First and Last Name
- NMT email address
- Banner Number (900#)
- Phone Number
- Automatically generated login credentials unique to that user and device
[Figures: full view of the App geo-fence of NMT campus; zoomed-in view of the App geo-fence of main campus]
Information that is collected by the App, depending on the user's opt-in and use of features, includes:
- Location: latitude and longitude in approximately 15-second intervals, to include a timestamp; WiFi Access Point (by MAC address) in approximately 15-second intervals, to include timestamp.
- Building: any buildings/rooms that the user voluntarily reported via the Location Self-Reporting tool, including timestamp of the check-in and check-out.
- Self-Check: the user's responses to the COVID-19 Symptoms Self-Check questionnaire are stored for each use of the tool.
- Test: a positive test result, including test date and result date, as well as demographic information (gender and age range).
Information derived from the App by the NMT Response Team (namely, positive test results, contact tracing, and building remediation information) may be shared with the New Mexico Department of Health, if-and-as required. Any such information will first be manually curated by that team, and is not shared in an automated or semi-automated fashion. Otherwise, none of the App data is shared with any third party or private party. Additionally, access to the Administrative Portal is strictly limited to NMT administrative officials that have been selected by the NMT COVID-19 task force to make use of the Administrative Portal as part of their job duties, and a limited team of NMT staff tasked with operating the system. The data is collected solely for the purpose of implementing COVID-safe practices on the NMT campus, and any other use is strictly prohibited.
Users of the tool may request the removal of any of their data in the back-end Application server by sending a request to the App support email address. Requests will be verified to ensure the identity of the requestor. Additionally, an end-user wishing to see any data associated with their account may make a request to the same address.
As indicated above, any information other than Registration information collected by the App is retained for 21 days.
Security

The back-end Application Server and Administrative Portal, to include the informational website for the App Suite, are all housed within servers located on NMT's campus. Specifically, the App Suite is maintained and supported by the NMT Institute for Complex Additive Systems Analysis (ICASA). The back-end servers are maintained as part of ICASA's secure, private cloud environment. Protections for these servers include: multiple layers of physical security, to include role-based access; continuous monitoring of network utilization; and role-based security and least privilege for all users of the system. Additionally, all transmission of data between the App and the back-end Application Server is encrypted in transit.
Users of the system must undergo two-factor authentication, including the use of their enterprise Banner login, and the use of a one-time password that is sent via email, before their device will be able to transmit data. Additionally, the system is designed to only allow device registration associated with an official NMT email address; as such, while the App may be available for download by the general public, it will not be functional for anyone who is not a legitimate affiliate of NMT. Lastly, the back-end Application Server is hardened against insider threat through the use of an application token that will only allow a verified user to transmit data associated with their account.
In the event of a breach of security resulting in the possible compromise of a user's data, a notification will be made via the NMT email address associated with any affected accounts.