Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

Apple Response To Senate CDCCOVID App Letter

Download as pdf or txt
Download as pdf or txt
You are on page 1of 5

April 9, 2020

Senator Robert Menendez


Senator Richard Blumenthal
Senator Kamala D. Harris
Senator Cory A. Booker
United States Senate
Washington, D.C. 20510

Dear Senators Menendez, Blumenthal, Harris, and Booker,

Thank you for your letter of April 3, 2020, regarding Apple’s launch of a new screening
tool and set of resources, based on the latest guidance from the Centers for Disease
Control and Prevention (“CDC”), to help individuals stay informed and take proper steps
to protect their health during the spread of COVID-19.

At Apple, people come first in everything that we do. We care deeply about our Apple
community around the world, and the planet that we all share. Our dedication is
reflected in everything from our Supplier Code of Conduct, to our efforts to reduce our
comprehensive carbon footprint, and our support of fundamental human rights,
including the right to privacy. In these uncertain times, Apple’s principle of putting
individuals first led us to look at how we might use the tools and resources at our
disposal to support our broader community as we navigate this crisis. We were able to,
for example, make use of our global supply chain to procure and donate over 20 million
face masks for healthcare facilities in the United States and the hardest hit regions in
Europe. Our product design, engineering, operations and packaging teams are working
with suppliers to design, produce and ship face shields to donate to medical workers. To
help ensure individuals have access to accurate information, the Apple News App
created a section dedicated to reputable COVID-19 stories, which is highlighted for
each user upon opening the app. And, we're evaluating apps critically as to whether
data sources are reputable and that developers presenting these apps are from
recognized entities such as government organizations, health-focused NGOs,
companies deeply credentialed in health issues, and medical or educational institutions.
Only developers from one of these recognized entities should submit an app related to
COVID-19.

At the request of HHS, Apple also drew upon its engineering and clinical resources to
help develop a new COVID-19 website and COVID-19 app, in partnership with the CDC,
the White House Coronavirus Task Force, and FEMA, to make it easy for people across
the country to get trusted information and guidance at a time when the US is feeling the
heavy burden of COVID-19.

Consistent with Apple’s strong dedication to user privacy, the COVID-19 app and
website were built to protect the privacy and security of users’ data. As you note, use of
the tools do not require a sign-in or association with a user’s Apple ID, and users’
individual responses are not sent to Apple or any government organization. Access to
important information and guidance regarding individual health or the health of a loved
one should not require individuals to compromise their privacy rights. Rather, it is in
times like these, that our commitment to protecting those rights is most important. Our
COVID-19 app and website were designed with that in mind. We appreciate the
opportunity to provide the Senators with more information about the COVID-19 app and
website.

1. Please provide the specific terms of any agreement between your company
and the federal government and/or state governments.

With respect to the Apple COVID-19 app and website, Apple has entered into an
agreement with HHS (through the Office of the Assistant Secretary of Health and the
CDC) for the development of computer-based tools providing COVID-19 information to
American citizens. The agreement contains the following strong privacy terms:

Processing Data from COVID-19 Triage Tools

To the extent certain analytics and other information regarding usage of the COVID-19 Triage
Tools (whether website or app based) will be collected, used, disclosed, or processed, each of the
following terms and conditions will apply:

a. The parties will agree in writing on the specific data elements to be shared by Apple with CDC
prior to any transfer of such data between the parties;

b. Any such data transfer will be subject to a user’s express consent, which consent must
describe to users the types of information to be collected and how that information may be used
and disclosed;

c. Any such information received by the CDC will be in aggregated and de-identified form such
that an individual user cannot be identified personally;

d. Neither party will attempt to re-identify any particular user from any data received;

e. Unless explicitly agreed to by the parties in writing, the parties may use such information only
for the purpose of improving the COVID-19 Triage Tools or the Decision Tree. Prior to obtaining
the express consent of users (in accordance with paragraph 9(b)), the parties agree to discuss
additional potential uses of the information collected and to agree in writing on any additional
permitted uses of such information. After the COVID-19 Triage Tools become publicly available,
the parties agree to use reasonable efforts, and without unreasonable delay, to determine
additional uses;

f. Neither party to this Agreement may further disclose such information to any third party, unless
a party is compelled by applicable law and (i) any such information disclosed is limited to the

information minimally and reasonably necessary to comply with the applicable law, (ii) prior to any
such disclosure, the party exercises reasonable diligence in assessing any applicable exceptions
or exemptions to the disclosure of such information under applicable law, and (iii) to the extent
HHS or CDC is the disclosing party and no exception or exemption applies per (ii), HHS or CDC
will inform Apple of such disclosure, unless prohibited by applicable law; and

g. Each party to this Agreement will maintain and implement appropriate administrative, physical,
and technical safeguards, including but not limited to appropriate network security and encryption
technologies.

2. Are the Apple screening site and app governed under the terms of the
HIPAA? If not, please explain why.

The screening site and the app are not covered by or otherwise subject to HIPAA.
HIPAA applies when a covered entity (health care provider, health insurance company or
health care clearinghouse) or business associate (on behalf of a covered entity) is
using, disclosing, creating, receiving, maintaining or  transmitting certain health
information (known as “protected health information”). Here, data are entered into the
website and app directly by users, and no covered entities are involved in or otherwise
required for that interaction. Therefore neither the site nor app are covered by HIPAA.
Notwithstanding, we have applied strong privacy and security protections to the app
and the website, including designing both tools to meet some of the technical
safeguard requirements of HIPAA, such as access controls and transmission security.

3. What are the specific data retention policies regarding any and all
information entered into the website and app by individuals?

Apple does not currently collect any information entered into the website and app by
individuals. We apply the principle of data minimization to all of its consumer products
and services, and our COVID-19 resources are no exception. Guided by this principle,
Apple currently collects only the information necessary to support the operation of the
COVID-19 website and app, such as users’ usage of the tool and app; this information
does not include information entered by individuals. Apple only retains this information
for so long as is necessary to support the operation of the COVID-19 website and app.
Information no longer needed is deleted or rendered permanently unrecoverable in
accordance with industry standards.

4. Can individuals who use the website and app access and monitor the data
that Apple collects about them?

Apple is a strong proponent of fundamental privacy rights, including the right for an
individual to access personal information that a company maintains on them. In
support of these rights, Apple has developed a global privacy portal, through which
individuals can access and download a copy of their personal information. That being
said, an important component of a comprehensive privacy program is data

minimization — to only collect personal information where it makes sense to do so.


With respect to the COVID-19 website and app, Apple does not collect or retain
identifiable information about individuals. As such, there is no identifiable information
for individuals to access and monitor.

Currently, Apple does collect certain non-personally identifiable analytics information


regarding use of the website and app, such as the total number of visits to the website;
whether the screener tool has been started, cancelled, or completed; and whether any
crashes have occurred. Such non-personally identifiable analytics information is only
used by Apple to determine overall usage and improve the COVID-19 website and app.

A statement on Apple’s current collection and use of information — including non-


personally identifiable information — relating to the use of the COVID-19 website and
app are available to users in Apple’s privacy statement on the welcome screen, labeled
“Our Commitment to Privacy.”

5. Will Apple commit that it will refrain from using data collected on the website
and app for commercial purposes?

Yes.

6. Will Apple commit to refraining from sharing or selling the data collected on
the website and app to third parties?

Yes, no data collected from either the website or app will ever be sold to third parties.

Per the terms of our current agreement (noted in our response to Question 1, above),
neither Apple nor the CDC can further disclose any information to a third party unless
explicitly required by law. Even if required by law, the CDC and Apple must limit
information to the minimum necessary, must assess if there are any exceptions to
disclosing the information, and if there are no exceptions, in the case of the CDC's
disclosure, the CDC must inform Apple before any such disclosure.

If in the future we do share any of the data collected through the app and website with
third parties, any such sharing will be limited and subject to strong privacy and security
requirements, including requirements such as the following— (i) data sharing would be
limited to government and public health authorities for purposes related to managing the
COVID-19 pandemic, (ii) any data shared would be limited to aggregated and de-
identified data, (iii) pursuant to explicit user consent, and (iv) all data shared would be
subject to similar additional privacy and security terms that we entered into with the
CDC (e.g., limiting further disclosure to when required by law).

7. What specific cybersecurity safeguards will be utilized to ensure the security


of the data entered on the website and app?

Apple developed the website and app in accordance with Apple’s strong beliefs about
the importance of privacy and security. Data transmitted between customer devices
and Apple is encrypted via Transport Layer Security (TLS), to protect it during
transport. Changes to application code follow a formal change management process
requiring the code to go through multiple levels of Engineering, Information Security
and Quality Assurance review and testing. Technical and administrative safeguards are
in place to restrict access to data and source code to authorized personnel.

8. Will the website and app be accessible to those with disabilities?

Yes. Apple believes that technology is most powerful when it empowers everyone,
which is why we work to make every Apple product accessible from the very start: Every
Apple device is built with assistive technologies to support those with disabilities.
Apple’s COVID-19 app and website support features such as Apple’s VoiceOver
technology, a screen reader which describes exactly what’s happening on the screen of
an Apple device so that individuals can navigate just by listening, as well as Switch
Control and Voice Control, which support individuals with physical motor limitations to
use devices without touch.

***

We appreciate your attention to the protection of privacy rights and your concern for the
privacy and security of health information. Thank you again for the opportunity to
provide these responses.

Sincerely,

Timothy Powderly
Senior Director, Government Affairs
Apple

You might also like