Telus Health App Ignored Privacy Laws in Alberta, Says Privacy Commissioner [Update]

According to Alberta’s privacy commissioner, the Telus Health app (formerly known as Babylon) has ignored privacy laws in the province.

Reports released back in July by the privacy commissioner said the Telus Health app did not meet requirements of the Health Information Act (HIA) and Personal Information Protection Act (PIPA), reports CBC News.

Specifically, the Telus Health app was collecting more info from users than necessary and also facial recognition was being used, without explicitly stating its usage to patients. The Telus Health app leverages camera selfies and government photo ID to verify user identities.

While Telus has updated the app, it has not implemented recommendations to comply with Alberta’s privacy laws. The company failed to file a privacy impact assessment before it launched in the province, as mandated by Alberta law. Telus used its security policy from Babylon’s UK operations instead. Update: Telus says it did submit its PIA prior to the app’s launch last year.

The commission also said Telus should not collect and store video and audio recordings of patients, even if it was granted permission to do so. Telus has since stopped storing video.

Telus told CBC News it is rather instead complying with global and Canadian privacy standards. Telus said it “meets or exceeds all privacy requirements set out in Alberta’s legislation, including the matters raised by the recent report from Alberta’s Office of the Privacy Commissioner.”

Upon hearing Telus’ response, Alberta Privacy Commissioner Jill Clayton said she was “not happy” with the answer. “I’m not interested in compliance with global privacy standards. I’m interested in compliance with Alberta’s legislation,” said Clayton.

Clayton’s investigation also found Telus Health was also sharing personal health info with third parties in the U.S. and Ireland. Telus told CBC News it does not sell any data to third parties and its data collection and storage practices adhere to federal and provincial laws.

The Telus Health app launched last March in Alberta and currently has 14 doctors funded by Alberta Health. The app allows users to have a virtual visit with a doctor using their smartphone, to get prescriptions, get referrals and more.

During the height of COVID-19 lockdowns, the Telus Health app saw “incredible demand” and long wait times, as users referred to the app instead of visiting doctor’s offices and clinics in person. We’ve reached out to Telus for their full statement on the matter and will update this story accordingly.

Update August 11, 2021: Telus sent iPhone in Canada the following statement via email:

We are confident the TELUS Health MyCare virtual care service meets or exceeds all privacy requirements set out in Alberta’s legislation, including the matters raised by the recent report from Alberta’s Office of the Privacy Commissioner (OIPC).

Since submitting our Privacy Impact Assessments prior to launching the service in March 2020, we have constantly enhanced our privacy program and recently updated our privacy policy, internal data policies, and agreements with our physicians; and we continue to work cooperatively with the OIPC. Notably, we have been very transparent with our patients and doctors about our new policy, which adheres to both global and Canadian best practices — while respecting the privacy legislations in the areas in which we operate.

All TELUS Health MyCare data is stored in Canada in strict compliance with federal and provincial privacy legislation. The information shared with us by patients is critical to ensuring our doctors can provide urgent care, like calling for an ambulance, and is only used for the purpose our users have consented to; we do not sell data to third parties.

Protecting our customers’ privacy and safeguarding their personal information is paramount and we want to assure users of TELUS Health MyCare that their privacy is and has always been respected.