Telus Health ignored Alberta's privacy laws when it launched Babylon app, reports reveal
Privacy commissioner says company still not complying with recommendations
Two reports by Alberta's privacy commissioner found Telus Health ignored the province's health information privacy laws when it launched Babylon — a controversial health-care app touted by the Kenney government — last year.
The reports, released in late July, found Babylon had not complied with several key parts of both the province's Health Information Act (HIA) and Personal Information Protection Act (PIPA).
In particular, the commissioner found Telus collected more personal information than necessary from patients, including photos. She was also troubled that Telus used facial recognition technology without notifying the patient.
The telecommunications company has made some changes, but so far has refused to implement several recommendations that would bring it in line with Alberta's privacy laws.
Telus has insisted it is complying with other, global privacy standards.
Alberta Privacy Commissioner Jill Clayton said she is "not happy" with Telus's response.
"That is not very helpful," Clayton told CBC News. "I'm not interested in compliance with global privacy standards. I'm interested in compliance with Alberta's legislation."
Clayton said she expects to meet in the near future with Alberta Health, and will be asking if it will continue to fund services provided by Babylon's 14 doctors if Telus does not fully comply with the province's privacy laws.
"I think what we have here is an example of an app that was developed in another jurisdiction and was dropped into Alberta without due regard for Alberta's legislation," Clayton said.
Telus declined an interview request.
In an emailed statement, the company insisted it "meets or exceeds all privacy requirements set out in Alberta's legislation, including the matters raised by the recent report from Alberta's Office of the Privacy Commissioner."
Privacy complaints
Health Minister Tyler Shandro also declined an interview request.
A spokesperson, in an emailed statement, did not address specific issues from the reports. Instead, it only referenced the PIPA report, which found "overall [the app] collects, uses and discloses personal information for reasonable purposes and to a reasonable extent," within the bounds of the act.
Clayton, however, pointed out that PIPA, which regulates companies, has a lower privacy standard than the HIA.
Launched in March in partnership with the government, the Babylon app allows people to consult with physicians, get prescriptions and referrals, and check symptoms, including those of COVID-19. The services are covered under Alberta's health-care insurance.
Critics raised concerns about the privacy implications of the service, which Premier Jason Kenney described as a virtual walk-in clinic.
After receiving several complaints, Clayton opened two investigations last year, one for each act.
The resulting reports found a laundry list of compliance breaches by the doctors who work for Babylon, starting with their failure to file a privacy impact assessment, as required by Alberta's law, before it launched.
Telus instead simply used the security policy produced for Babylon's operation in the U.K.
"Overall, there is no indication that the [Babylon] physicians are even aware of or bound to the global and local policies provided to [the commissioner] by Babylon," the HIA report stated.
The HIA investigation found Babylon collected more personal information from patients than needed, a main point of contention between the commissioner and Telus.
Babylon requires potential patients to upload a selfie and government photo ID, which the company retains, to verify their identities. Clayton found Telus did not need to collect the photos and was troubled by the company's use of facial recognition technology.
Her report notes that Telus Health emphasized that users' identities are verified to prevent fraud, which it claimed is more prevalent in virtual health care. Clayton, however, said the company was unable to provide any evidence to support its claim.
In its statement to CBC, Telus wrote that the information shared by patients is critical to ensuring doctors can provide urgent care, like calling for an ambulance, and is only used for the purpose users have consented to.
The commissioner also found that under HIA, Telus does not need to collect and retain audio and video recordings of patient consultations, even if consent is provided.
She recommended they stop the practice, but Telus has so far only discontinued video.
Lack of transparency
Clayton was especially troubled by Telus's opaque privacy policy, which she says she had read many times and still didn't understand.
"It is not transparent," she said. "It is not clear about what information is being collected, for what purpose, nor about what information may be going to countries outside of Canada."
It was only through the investigation that Clayton's office learned that Telus Health was sharing personal health information with third-party service providers in other countries, including the U.S. and Ireland.
University of Alberta assistant professor of health law Ubaka Ogbogu says Telus seemed to have no intention of complying with Alberta's privacy laws and had no plans for protecting information that was collected and then shared outside Alberta.
"I think when Albertans give up health information, they expect that the health information should stay in Alberta," he said. "And if it's going to leave Alberta, there should be a clear compliance with the law."
In its statement to CBC News, Telus insisted its data collection and storage complies with federal and provincial legislation and says it does not sell data to third parties.
Ogbogu said there is no way for the public to know if Telus is monetizing their personal health information or even if it is being anonymized.
"It seems as if they are putting their business model before the privacy of Albertans, and I think that is unacceptable," he said.
"I think if Telus wants to get involved in the virtual health-care business, they should start first by looking at Alberta laws and making sure that they're compliant.
"They are not above the law. No organization is."