Emily Breneisen, Ana Martinez, Ayana Chowdhary, Jerry Xin
Our Bass Connections team set out to delve into the details of the data management practices outlined in the Duke Compact to reveal any potential privacy concerns. We gathered the following information from Duke communications to students, from the Return to Duke website, and by interviewing faculty and staff involved in OIT, contact tracing, and Student Affairs. The results of our research on the SymMon app and surveillance testing are as follows:
The Duke Compact
On May 29th, 2020, President Vincent Price sent out a message to the Duke Community detailing the components of the Duke Compact, a signed agreement that required signees to comply with specific practices designed to keep the community safe and healthy amidst the growing COVID-19 pandemic. Every student, faculty, and staff member at the university was required to agree to the Duke Compact before the start of the fall semester in August and again before the start of the spring semester in January (the details of which can be found at this link: https://returnto.duke.edu/the-duke-compact/).
The agreement is broken into two sections, the first of which lists health and safety requirements set by Duke as well as local and state authorities. It mandates that students follow certain health protocols, such as wearing a mask in public spaces, social distancing, and washing one’s hands often. It also notably states that students must keep their own health information and that of others confidential. The second section of the Compact focuses on the more distinctive requirements placed on all students to protect the community’s health. These include participation in COVID-19 surveillance testing, contact tracing, self-isolation if required by the university, getting the flu vaccine, adhering to travel restrictions (students are expected to stay in the Durham area), and consenting to the use of institutional data. This last item is of most interest to our data privacy research. By signing the Duke Compact, students consent to the university gathering data from their DukeCard (use of the card to access buildings and parking facilities, as well as financial transactions), WiFi data, which can pinpoint a student’s location based on their access point, campus housing details, and class rosters. Duke states that the data is used primarily for symptom monitoring, Compact compliance, contact tracing, modeling for surveillance testing, and reporting aggregate trends such as positivity rate and isolation numbers. The data is protected using the Office of Information Technology’s (OIT) standards for sensitive data. Signing the Duke Compact is required to have access to campus, and the FAQs of the Compact state that refusal to sign and comply may impact a student’s status.
Each day, members of the Duke community submit symptom information into an app developed by Duke’s Office of Information Technology (OIT) called SymMon. This involves answering a series of questions about COVID-19 related symptoms an individual may have and whether or not the individual has been in contact with someone with a positive COVID-19 test. To activate one’s DukeCard each day, an individual must report on the app that they have no symptoms and no recent exposure to someone with COVID-19. The app is also used to scan test kits used during surveillance testing, to link each test to individual students or faculty via their Duke NetID.
The only information that the SymMon app captures is reported symptoms and scanned test kits (which do not include test results). Our team was informed by a representative at OIT that there are a number of “reasonable measures” in place to ensure the security of this information. These measures include encrypting data from the phones of students and faculty that connect back to the OIT database and limiting access to a select group that needs to work with it for analysis or roll-up reporting. The servers that collect this data store it in secure enclaves administered by OIT, including a managed cloud enclave for rapid data processing and analysis. We were assured that the data storage meets or exceeds the IT Security Office’s security standards and is in line with industry-standard best practices.
The symptom information is used to identify potentially COVID-19 positive students or faculty. When symptoms related to COVID-19 or potential exposures are reported via the SymMon app, this information is relayed to Student Health, which contacts the student of interest to conduct further interviews to assess their health situation. Depending on the circumstances, the student may have to speak with members of the contact tracing team or the isolation care team and take a COVID-19 surveillance test at the university.
Surveillance Testing & Modeling Data
Another practice that members of the Duke community agreed to within the Duke Compact is participation in mandatory COVID-19 surveillance testing, which can occur one to two times a week. Surveillance testing operates by having randomly selected students and faculty participate in testing to detect people with asymptomatic COVID-19. Regular surveillance testing began the week of August 17th. Results typically take less than 48 hours to process, and Student Health only contacts those with a positive test.
A representative at OIT informed our team that data collected from surveillance testing (positive test results) is used to conduct broader surveillance testing of specific groups if positive cases are determined to be within a cluster of people.
These decisions to conduct further surveillance testing of specific groups of people, such as members of Greek organizations, are based on infection modeling data, which is managed by a team of people interested in capturing a “ripple effect” of positive cases. Infection modeling data can be defined as a tool to visualize and study how diseases spread, predict potential future outbreaks, and assess strategies to control a pandemic.[i] While surveillance testing is random, modeling data may be used to increase the frequency of surveillance tests for people in certain groups, such as people living in the same geographic area of campus, if it is deemed necessary. The data collected from surveillance testing and the modeling data are also stored in the OIT-managed secure enclave. Similar to the symptom data, this information is secured by measures such as limited access (only the lead contact tracers and data modelers can access the Azure data), data encryption, which only allows data access with a specific key, and firewalls, which monitor incoming and outgoing network traffic.
In our next post, we’ll dive into the data collection practices of contact tracing and isolation/quarantine protocol.