The Office of the Information and Privacy Commissioner of Alberta (OIPC) has issued its findings and recommendations after investigating the Babylon by Telus Health app under the Health Information Act (HIA)and Personal Information Protection Act (PIPA).
“I support virtual health care solutions and innovations, and I hope the lessons learned from this investigation help other healthcare professionals and organizations take the steps necessary to comply with Alberta’s privacy laws,” said Information and Privacy Commissioner Jill Clayton.
In total, there were 31 findings and 20 recommendations made in the investigations.
The OIPC’s investigations found that clinical services offered by physicians through the app are subject to Alberta’s HIA, which applies to certain regulated healthcare professions.
Other features of the virtual health care product – Symptom Checker, Healthcheck and clinical services provided by dietitians and mental health counsellors – are subject to PIPA, Alberta’s private sector privacy law.
Of particular concern, the investigations found that the collection and use of individuals’ government-issued ID and selfie photos through the app for identity verification and fraud prevention by using facial recognition technology was not compliant with PIPA and HIA. With respect to PIPA, Babylon did not establish that it is reasonable to collect this extent of personal information in order to verify identity, and detect and prevent fraud. With respect to HIA, collecting and using copies of government-issued ID and selfie photos from patients through the Babylon app goes beyond what is essential to verify identity and provide health services. Other simpler, effective methods exist for this purpose, and are consistent with provincial and national guidelines for verifying identity for virtual health care purposes.
The HIA investigation also found that collecting (recording) and using audio and video consultations through the Babylon app goes beyond what is essential to provide a health service and, again, is not consistent with provincial and national guidelines for providing virtual health care. (Babylon said video recording functionality was disabled in June 2020, but recording audio consultations remains available.) Policies and procedures implemented by the physicians also did not reflect the roles, responsibilities and accountabilities required by HIA.
Many of the findings from the PIPA investigation relate to the app’s privacy policy, which was found to be unclear, lengthy and contained inaccuracies. For example, the privacy policy did not clearly identify the purposes for which personal information is collected, and it was not clear what information was associated with each purpose. The privacy policy also referred to functionality that was not enabled or available to individuals.
Babylon also did not meet PIPA’s requirements to develop policies and practices that include information regarding the countries in which personal information is collected, used, disclosed or stored, and the purposes for which service providers outside of Canada are authorized to collect, use or disclose personal information.
During the investigations, Babylon and the physicians implemented or started introducing some of the recommendations, including discontinuing the practice of recording video consultations. However, despite accepting many recommendations, Babylon said that “it cannot discontinue” its collection and use of government-issued ID and a selfie photo, and it continues to offer audio recordings of consultations with physicians.
In January 2021, the OIPC was advised that, “TELUS acquired the Canadian operations of Babylon Health. The acquisition includes all of the Canadian operations, including the clinic, and we have licensed from Babylon the software platform upon which the virtual service runs. From a privacy perspective, this means that the Babylon operations in Alberta are now part of TELUS and will now be operating under the TELUS privacy program.”
Despite this, the investigations were concerned with the operation and implementation of the app at the time the investigation was initiated in April 2020.
The investigation reports, including Commissioner’s Messages, are available on the OIPC’s website:
Source: Office of the Information and Privacy Commissioner of Alberta
Prior coverage: No privacy review completed of controversial Telus Health Babylon app