COVID-19 Response Privacy
Vanderbilt is utilizing software and tools to manage the Return to Campus response to the COVID-19 pandemic. The central repository for data will be housed on secure Vanderbilt servers. Special purpose software, Mazikcare, will be fed data from existing university systems as well as from the Public Health Central Command Center (“Command Center”). Along with the data feeds from existing university systems, the Command Center will enter data from Student Health, Occupational Health, results from the university’s COVID-19 testing program (which are made available to the Command Center through a secure web portal), and its own Contact Tracers (collectively “COVID-19 Data”) in an effort to improve safety on campus.
This Privacy Q&A is designed to inform you about how Vanderbilt collects and uses information provided when you or the Command Center use the COVID-19 Data and how Vanderbilt processes your personal information.
How Do We Use Your Information?
Vanderbilt has a legitimate interest in processing your data in order to better ensure the safety of the Vanderbilt community by aggregation and analysis of the data provided by or about each individual community member. The Command Center and other campus partners may use the COVID-19 Data to identify (for example through use of the VandySafe symptom checker) and respond to positive cases, to identify Close Contacts, and to manage quarantine and isolation. Privacy by design principles are imbedded in this process. Information is shared only to the extent necessary to address the risk to a particular individual and to community members with whom the individual may have come in contact.
Who Has Access to Your Information?
Vanderbilt’s guiding principle in the use of this data is to only permit access data to those with an absolute need to know the information. The data is only accessible by Contact Tracers, the Command Center staff and a limited technical support team with explicit permission to access the data and only with the controls of single sign-on and multi factor authentication. These individuals may share individual community members’ information with others (including those with a need to know such as, the Dean of Students, Staff supervisors, PIs, Building managers, et. al.) but only to the extent necessary. This data is only being utilized to ensure a safe campus environment. Vanderbilt does not share your information with third parties for any commercial purpose. (The data stored in the Mazikcare application is not accessible to anybody outside of Vanderbilt’s authorized users.)
How Long Does Vanderbilt Keep Your Information?
Vanderbilt will practice data minimization and only retain your information for as long as necessary to respond to the COVID-19 pandemic.
How Does Vanderbilt Protect Your Information?
Vanderbilt takes very seriously its obligation to protect the confidentiality of your personal information and use of such information complies with applicable privacy laws including HIPAA and FERPA as well as non-discrimination laws including the ADA and the FMLA. In addition, Vanderbilt uses a combination of process, technology and physical security controls to help protect your information from unauthorized access, use, or disclosure. The Mazikcare application, which is the technological hub of Vanderbilt’s response to the COVID-19 pandemic is behind the single sign-on. A redundant security control for Mazikcare application is multi-factor authentication. Authorized users are bound by agreement to keep confidential all personal information which they access. These authorized uses have received training specific to their roles including training on privacy (including applicable privacy laws) and cybersecurity.