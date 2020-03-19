Two reports by Alberta's privacy commissioner found Telus Health ignored the province's health information privacy laws when it launched Babylon — a controversial virtual healthcare app touted by the Kenney government — last year.

The commissioner's reports, released in late July, found Babylon had not complied with several key parts of both the province's Health Information Act (HIA) and the Personal Information Protection Act (PIPA).

The telecommunications company has implemented some changes but so far has refused to implement several recommendations that would bring it in line with Alberta's privacy laws.

Alberta Privacy Commissioner Jill Clayton said she is "not happy" with Telus' response. Instead of agreeing to comply with the recommendations, Telus has insisted they are complying with other global privacy standards.

"That is not very helpful," Clayton said. "I'm not interested in compliance with global privacy standards. I'm interested in compliance with Alberta's legislation."

Clayton said she expects to meet in the near future with Alberta Health and she will be asking if the ministry will continue to fund health services provided by Babylon's 14 doctors if Telus does not fully comply with the province's privacy laws.

"Our investigation under the Health Information Act looked at five or six different issues and found that there was no compliance by the [Babylon] physicians on any of those issues," Clayton said

"I think what we have here is an example of an app that was developed in another jurisdiction and was dropped into Alberta without due regard for Alberta's legislation."

Telus declined an interview request.

Although, the company has so far failed to comply with several key recommendations from the privacy commissioner, Telus, in an emailed statement, insisted it "meets or exceeds all privacy requirements set out in Alberta's legislation, including the matters raised by the recent report from Alberta's Office of the Privacy Commissioner."

Health Minister Tyler Shandro declined an interview request. An emailed statement did not address specific issues from the reports.

Instead, the statement only referenced the Personal Information Protection Act report which found "overall [the Telus Babylon app] collects, uses and discloses personal information for reasonable purposes and to a reasonable extent."

Clayton however, pointed out that PIPA, which regulates companies, has a lower privacy standard than the Health Information Act.

Privacy complaints

Launched in March in partnership with the UCP government, the Babylon app allows people to consult with physicians, get prescriptions and referrals, and check symptoms, including those for COVID-19. The services are covered under Alberta's health-care insurance.

Critics raised concerns about the privacy implications of the service, which Premier Jason Kenney described as a virtual walk-in clinic.

After receiving several complaints, Clayton opened two investigations in April last year.

The reports from the investigations found a laundry list of compliance breaches by the doctors who work for Babylon, starting with their failure to file a Privacy Impact Assessment, as required by Alberta's law, before it launched the Babylon app.

The company instead simply used a security template produced for Babylon's operation in the United Kingdom.

"Overall, there is no indication that the [Babylon] physicians are even aware of or bound to the global and local policies provided to me by Babylon," the HIA report stated.

The HIA investigation found Babylon collected more personal information from patients than it needed, a main point of contention between the commissioner and Telus.

Babylon requires potential patients to upload a selfie-photo and government-photo ID, which the company retains, to verify their identities. Clayton found Telus did not need to collect the photos and she was troubled by the company's use of facial recognition technology.

Telus Health however, continues to insist it needs the photos to prevent fraud, which it claimed is more prevalent in virtual health care. Clayton however, said the company was unable to provide any evidence to support its claim.

The commissioner also found that under the HIA Telus does not need to collect and retain audio and video recordings of patient consultations, even if consent is provided. She recommended they stop the practice but Telus has so far only discontinued video.

Lack of transparency

Clayton was especially troubled by Telus' opaque privacy policy, which she said she had read many times and still didn't understand.

"It is not transparent," she said. "It is not clear about what information is being collected, for what purpose, nor about what information may be going to countries outside of Canada."

It was only through the investigation that Clayton's office learned that Telus Health was sharing personal health information with third-party service providers in other countries, and which countries.

University of Alberta health law professor Ubaka Ogbogu said Telus seemed to have no intention of complying with Alberta's privacy laws and had no plans for protecting information that was collected and then shared outside Alberta.

"I think when Albertans give up health information, they expect that the health information should stay in Alberta," he said. "And if it's going to leave Alberta, there should be a clear compliance with the law."

In its statement to CBC News, Telus insisted its data collection and storage complies with federal and provincial legislation and says it does not sell data to third parties.

Ogbogu said there is no way for the public to know if Telus is monetizing their personal health information or even if it is being anonymized.

"It seems as if they are putting their business model before the privacy of Albertans and I think that is unacceptable," he said.

"I think if Telus wants to get involved in the virtual health care business, they should start first by looking at Alberta laws and making sure that they're compliant.

"They are not above the law. No organization is."

If you have information for this story, or information for another story, please contact us in confidence at cbcinvestigates@cbc.ca