NMT MinerSafe App: Privacy Policy

This privacy policy discloses the privacy practices for the NMT COVID-19 MinerSafe (App). This policy applies solely to the information collected by either the Android or the Apple version of the App, and serves to notify you of the following:

What personally identifiable information is collected from you through the App.
What choices are available to you regarding the use of your data.
The security procedures in place to protect the misuse of your information.

Background

The NMT App is a mobile application that is intended to enhance back-to-campus safety associated with the operation of university activities during the global COVID-19 pandemic. It is intended to augment existing COVID-19 practices in place at NMT, to include those required by the State of New Mexico, including adherence to COVID Safe Practices https://cv.nmhealth.org/covid-safe-practices/). It is meant for use by the students, staff, and faculty of NMT on a strictly voluntary basis. The App is intended to provide the end-user with additional tools to use in their day-to-day access to NMT campus facilities. It is also intended to provide the NMT COVID-19 Response Team (Response Team) with additional resources to aid in a safe campus operation, to include contact tracing, management of positive cases, and safe operation of classroom, office, and residential environments on campus. The App consists of four main features:

Location Monitoring: On a voluntary basis, a user of the App can allow their device to report their location coordinates on campus, to provide data to the NMT Response Team with additional information to augment manual contact-tracing and facility-remediation efforts in the event of a positive result. Additionally, on a voluntary basis, the App can also collect information about the WiFi Access Point that the user is connected to. In future versions, this may allow for refined location calculations.
A COVID-19 Symptoms Self-Check: This allows the user with the ability to voluntarily walk through a questionnaire based on CDC-guidelines to determine whether or not they should avoid campus and/or seek medical help.
A Location Self-Reporting Tool: This allows a user to voluntarily check-in and check-out of buildings on NMT main campus, to include by room number, for the purposes of providing the NMT Response Team with additional information in the event of positive cases (e.g., understanding which facilities may need temporary closure, remediation, etc.), as well as to support manual contact-tracing efforts.
A COVID-19 Positive Test Reporting Tool: This allows a user to voluntarily report a positive test result for the purposes of providing the NMT Response Team with the ability to augment manual contact-tracing, notification, and facility remediation efforts. A positive test report will result in an email being sent to a limited number of officials on the Response Team.

The App also allows a user that has opted in to Location Monitoring to see a live map of the locations that the App has recorded for them in near-real time. For more information about NMT's overall response to the COVID-19 pandemic, please see: https://www.nmt.edu/covid19/.

Information Collection, Use, and Sharing

Information gathered by the App is stored and processed by back-end software consisting of an Application Server and an Administrative Portal. Information shared when a user downloads and registers an account include:

First and Last Name
NMT email address
Banner Number (900#)
Phone Number
Automatically generated login credentials unique to that user and device

This information is retained for each user of the system. The user's Banner Password, used for the initial login only, is not retained. All other information collected by the App is listed below. Self-Reporting information is only shared upon an explicit approval by the end-user. Location information is shared only if the user explicitly enables that feature via the settings available in the App, and this feature is initially disabled. Moreover, the user is notified that the App is actively sharing location information via the built-in mechanisms of both the Android and iOS platforms. Lastly, the application will only share location information when the user is within the boundaries of the NMT campus. This is strictly enforced by the App. Two depictions of the current boundaries used by the App are included below for reference.

Full-view of App Geo-Fence of NMT Campus	Zoom-in view of App Geo-Fence of Main Campus

Information that is collected by the App, depending on the user's opt-in and use of features, includes:

Location: latitude and longitude in approximately 15-second intervals, to include a timestamp; WiFi Access Point (by MAC address) in approximately 15-second intervals, to include timestamp.
Building: any buildings/rooms that the user voluntarily reported via the Location Self-Reporting tool, including timestamp of the check-in and check-out.
Self-Check: the users responses to the COVID-19 Symptoms Self-Check questionnaire are stored for each use of the tool.
Test: a positive test result, including test date and result date, as well as demographic information (gender and age range).

Other than registration information, all other data collected by the App is stored for 21 days, after which it is automatically purged from the Application Server. There are no backup copies of this data.

Information derived from the App by the NMT Response Team (namely, positive test results, contact tracing, and building remediation information) may be shared with the New Mexico Department of Health, if-and-as required. Any such information will first be manually curated by that team, and is not shared in an automated or semi-automated fashion. Otherwise, none of the App data is shared with any third party or private party. Additionally, access to the Administrative Portal is strictly limited to NMT administrative officials that have been selected by the NMT COVID-19 task force to make use of the Administrative Portal as part of their job duties, and a limited team of NMT staff tasked with operating the system. The data is collected solely for the purpose of implementing COVID-safe practices on the NMT campus, and any other use is strictly prohibited.

Users of the tool may request the removal of any of their data in the back-end Application server by sending a request to the App support email address. Requests will be verified to ensure the identity of the requestor. Additionally, an end-user wishing to see any data associated with their account may make a request to the same address.

As indicated above, any information other than Registration information collected by the App is retained 21 days.

Security

The back-end Application Server and Administrative Portal, to include the informational website for the App Suite, are all housed within servers located on NMT's campus. Specifically, the App Suite is maintained and supported by the NMT Institute for Complex Additive Systems Analysis (ICASA). The back-end servers are maintained as part of ICASA's secure, private cloud environment. Protections for these servers include: multiple layers of physical security, to include role-based access; continuous monitoring of network utilization; and role-based security and least privilege for all users of the system. Additionally, all transmission of data between the App and the back-end Application Server is encrypted in transit.

Users of the system must undergo two-factor authentication, including the use of their enterprise Banner login, and the use of a one-time password that is sent via email, before their device will be able to transmit data. Additionally, the system is designed to only allow device registration associated with an official NMT email address; As such, while the App may be available for download by the general public, it will not be functional without being a legitimate affiliate of NMT. Lastly, the back-end Application Server is hardened against insider-threat through the use of an application token that will only allow a verified user to transmit data associated with their account.

In the event of a breach of security resulting in the possible compromise of a user's data, a notification will be made via the NMT email address associated with any affected accounts.

Disclaimers

The App is in no way intended to provide, supplement, and/or replace medical guidance from a licensed professional. The App is provided as a tool to the NMT administration in providing a safe campus, and no guarantee can be made as to the perfect accuracy of certain features, such as Location Services, which are dependent on the limitations of commercial GPS systems. The App suite, to include a back-end Application Server and Administrative Portal software was derived from the NMSU oCT COVID Application suite, provided to NMT under license by Dr. Thanh Nguyen. Implementation of the App suite is under the auspices of the NMT COVID-19 Task Force.