Babylon Health app. (Lethbridge News Now)

By David Opinko

Numerous privacy issues found with “Babylon” app, Telus Health commits to improvements

Aug 9, 2021 | 11:09 AM

LETHBRIDGE, AB – Note: This story has been updated since being initially published, now including a full statement from Telus Health.

Alberta’s Privacy Commissioner has issued a series of recommendations after looking into concerns about a popular virtual health app.

Telus Health launched Babylon in Alberta in March 2020, with Premier Jason Kenney touting it as a “new innovative way to connect more Albertans with healthcare.”

Prior to the launch of the app, Telus Health submitted a privacy impact statement (PIA) and says they continued to work with the Privacy Commissioner.

What's Happening in Lethbridge this weekend: September 20, 2024

Sep 20, 2024

What's Happening in Lethbridge this weekend: August 30, 2024

Aug 30, 2024

What's Happening in Lethbridge this weekend: August 23, 2024

Aug 23, 2024

Shortly afterward, the Office of the Information and Privacy Commissioner (OIPC) received numerous questions and inquiries from the public, requesting an “urgent and immediate investigation.”

The NDP’s Health Critic David Shepherd added, “Babylon’s terms and conditions and privacy policy are cause for concern. Our caucus has heard from Albertans and we are seeking a formal evaluation from your Office regarding whether or not the Terms and Conditions, and the Privacy Policy, are compliant with legislation in Alberta.”

Privacy Commissioner Jill Clayton has completed her report, making 31 findings and 20 recommendations.

“Of particular concern, the investigations found that the collection and use of individuals’ government-issued ID and selfie photos through the app for identity verification and fraud prevention by using facial recognition technology was not compliant with PIPA and HIA,” reads a press release from OIPC.

“With respect to PIPA (the Personal Information Protection Act), Babylon did not establish that it is reasonable to collect this extent of personal information in order to verify identity, and detect and prevent fraud. With respect to HIA (the Health Information Act), collecting and using copies of government-issued ID and selfie photos from patients through the Babylon app goes beyond what is essential to verify identity and provide health services. Other simpler, effective methods exist for this purpose, and are consistent with provincial and national guidelines for verifying identity for virtual health care purposes.”

Clayton also found that Babylon’s collection and use of audio and video consultations go beyond what is essential to provide a health service.

The report states that many of the findings relate to the app’s privacy policy, “which has been found to be unclear, lengthy, and contained inaccuracies.

“For example, the privacy policy did not clearly identify the purposes for which personal information is collected, and it was not clear what information was associated with each purpose. The privacy policy also referred to functionality that was not enabled or available to individuals.”

While the investigation was ongoing, physicians employed by Babylon has implemented or started to introduce some of the recommendations, including ending the practice of recording video consultations. However, they told OIPC that “it cannot discontinue” its collection and use of government-issued ID and a selfie photo, and it continues to offer audio recordings of consultations with physicians.”

In January 2021, Telus acquired all Canadian operations of Babylon Health and has committed to utilizing better privacy policies under Telus’ own program.

Telus said in a statement to LNN that the investigation only covered how the app functioned when it first launched more than a full year ago and they have taken steps to improve the situation since then.

Their statement, in full, can be read below:

“We are confident the TELUS Health MyCare virtual care service meets or exceeds all privacy requirements set out in Alberta’s legislation, including the matters raised by the recent report from Alberta’s Office of the Privacy Commissioner (OIPC).

Since submitting our Privacy Impact Assessments prior to launching the service in March 2020, we have constantly enhanced our privacy program and recently updated our privacy policy, internal data policies, and agreements with our physicians; and we continue to work cooperatively with the OIPC. Notably, we have been very transparent with our patients and doctors about our new policy, which adheres to both global and Canadian best practices — while respecting the privacy legislations in the areas in which we operate.

All TELUS Health MyCare data is stored in Canada in strict compliance with federal and provincial privacy legislation. The information shared with us by patients is critical to ensuring our doctors can provide urgent care, like calling for an ambulance, and is only used for the purpose our users have consented to; we do not sell data to third parties.

Protecting our customers’ privacy and safeguarding their personal information is paramount and we want to assure users of TELUS Health MyCare that their privacy is and has always been respected.”

Full details can be found in the two OIPC reports below:

Investigation into the use of Babylon by TELUS Health by Alberta physicians

Investigation into Babylon by TELUS Health’s compliance with Alberta’s Personal Information Protection Act