Commissioner finds Babylon health app not consistent with privacy guidelines

A mother and daughter use the Babylon by Telus Health app in this undated handout photo. THE CANADIAN PRESS/Telus

Alberta’s Privacy Commissioner investigated the Babylon by Telus Health app and found that parts of the virtual health-care app weren’t complying with the Health Information Act (HIA) and Personal Information Protection Act (PIPA).

Of particular concern, the commissioner’s office noted, was that “the collection and use of individuals’ government-issued ID and selfie photos through the app for identity verification and fraud prevention by using facial recognition technology was not compliant with PIPA and HIA.”

Scroll down to read the OIPC reports in full.

Clinical services offered by doctors through the app are subject to Alberta’s Health Information Act (HIA), the commissioner explained, which applies to certain regulated health-care professions.

Other features of the app, like the Symptom Checker, Healthcheck and clinical services provided by dietitians and mental health counsellors, are subject to PIPA, Alberta’s private sector privacy law.

“I support virtual health care solutions and innovations, and I hope the lessons learned from this investigation help other healthcare professionals and organizations take the steps necessary to comply with Alberta’s privacy laws,” Information and Privacy Commissioner Jill Clayton said in a news release Thursday.

In total, there were 31 findings and 20 recommendations made in the investigations.

PIPA concerns

The investigation found that Babylon did not establish “that it is reasonable to collect this extent of personal information in order to verify identity, and detect and prevent fraud.”

The investigation flagged concerns with the app’s privacy policy, which it found “unclear, lengthy and contained inaccuracies.” It did not “clearly identify the purposes for which personal information is collected, and it was not clear what information was associated with each purpose,” the report found.

“The privacy policy also referred to functionality that was not enabled or available to individuals.”

The investigation also found that Babylon “did not meet PIPA’s requirements to develop policies and practices that include information regarding the countries in which personal information is collected, used, disclosed or stored, and the purposes for which service providers outside of Canada are authorized to collect, use or disclose personal information.”

HIA concerns

The investigation found that “collecting and using copies of government-issued ID and selfie photos from patients through the Babylon app goes beyond what is essential to verify identity and provide health services.”

The privacy commissioner said that other “simpler, effective methods exist for this purpose,” and they follow provincial and national guidelines for verifying identity for virtual health care.

The investigation found “that collecting (recording) and using audio and video consultations through the Babylon app goes beyond what is essential to provide a health service and, again, is not consistent with provincial and national guidelines for providing virtual health care.”

The findings noted that Babylon said video recording was disabled in June 2020 but audio recording was still available.

The investigation also found: “Policies and procedures implemented by the physicians also did not reflect the roles, responsibilities and accountabilities required by HIA.”

Telus’ response

Telus defended the app and its privacy settings on Thursday.

“We are confident the Telus Health MyCare virtual care service meets or exceeds all privacy requirements set out in Alberta’s legislation, including the matters raised by the recent report from Alberta’s Office of the Privacy Commissioner (OIPC),” Dr. Keir Peterson, Telus’ Chief Medical Officer for Consumer Health, said in a statement to Global News.

“We are constantly enhancing our privacy program and we recently updated our privacy policy, internal data policies, and agreements with our physicians; and we continue to work cooperatively with the OIPC.

“Protecting our customers’ privacy and safeguarding their personal information is paramount and we want to assure users of TELUS Health MyCare that their privacy is and has always been respected.”

Babylon response

On Thursday evening, Babylon issued a statement to Global News in response to the investigation. You can read the statement in its entirety below.

“The service Babylon built and provided to Canadians through Babylon by TELUS Health put transparency, choice, privacy, safety and quality at the forefront at all times.

We are pleased that the report by the Office of the Information and Privacy Commissioner of Alberta (OIPC) found Babylon’s overall use and disclosure of patients’ personal information to be reasonable.

We are concerned by some of the interpretations and points raised by the OIPC that go against the foundation of globally accepted standards of high-quality care and clinical governance, such as the suggestion to stop certain ID-verifying technologies, as well as the audio recording of digital consultations. These features were introduced after careful consideration by Babylon with feedback from regulators in other territories.

These functions are often seen as not only necessary to protect patient privacy and data, but as the gold standard. They help to ensure patient safety, offer patient choice and deliver a high quality of service to Albertans. In a sector that is quickly evolving to democratize health care, we appreciate and recognize the challenges that both regulators and industry face in developing best practices, and believe a collaborative and objective approach is required by all.

Current health-care systems are neither accessible nor affordable to many, and Babylon remains committed to our mission to change this. Further to its acquisition of Babylon Health Canada, we are confident that TELUS Health will continue to respect and protect the privacy of Albertans.”

Alberta Health response

In a statement, Alberta Health stood behind the app but said it would examine the report closely.

“The Information and Privacy Commissioner’s report indicates that, ‘overall, [the Telus Babylon app] collects, uses and discloses personal information for reasonable purposes and to a reasonable extent.’

“That said, Alberta and the other provinces who have pioneered the use of this app — which was a useful tool in keeping Albertans safe and healthy during the pandemic — will examine the OIPC’s reports carefully,” communications director Chris Bourdeau said.

“We understand TELUS has already implemented some of the commissioner’s recommendations, and is best suited to provide further details as needed.”

Implementing recommendations

The privacy commissioner said Babylon and the physicians implemented or started implementing some of the recommendations during the investigation.

Those changes included stopping the recording of video consultations.

But, according to the privacy commissioner, “Babylon said that ‘it cannot discontinue’ its collection and use of government-issued ID and a selfie photo, and it continues to offer audio recordings of consultations with physicians.”

The office of the privacy commissioner said it was told in January 2021 that “TELUS acquired the Canadian operations of Babylon Health” and that “the acquisition includes all of the Canadian operations, including the clinic, and we have licensed from Babylon the software platform upon which the virtual service runs. From a privacy perspective, this means that the Babylon operations in Alberta are now part of TELUS and will now be operating under the TELUS privacy program.”

“Despite this, the investigations were concerned with the operation and implementation of the app at the time the investigation was initiated in April 2020,” the privacy commissioner explained.

Global News has reached out to Babylon and Alberta Health for comment. This article will be updated when we receive a response.

OIPC reports into Babylon by Telus Health

Babylon app – Alberta Privacy Commissioner investigation by Emily Mertz on Scribd

Babylon app – Alberta privacy commission: PIPA by Emily Mertz on Scribd
