This is an archive of news stories and research from the National Union of Public and General Employees. Please see our new site - https://nupge.ca - for the most current information.
Ottawa (11 Aug. 2021) — Late last month the Alberta Information and Privacy Commissioner released 2 reports which found serious privacy issues with Babylon by TELUS Health in Alberta. The issues included failures to meet the requirements of the Health Information Act (HIA) and Personal Information Protection Act (PIPA).
There is already considerable concern about what will happen to patients’ confidential information when virtual health care services are controlled by for-profit corporations; these reports will add to those fears.
Requirements that electronic copies of ID and selfies be provided of 'particular concern'
The investigation found the collection and use of copies of government ID and selfies by Babylon by TELUS Health to be “of particular concern.” This practice goes beyond what is recommended by a number of organizations including the Alberta Health Service, the Canadian Medical Association, the College of Family Physicians of Canada and the Royal College of Physicians and Surgeons of Canada.
Adding to the concern is that “Babylon then transfers the images to a third-party service provider in order to validate the individual’s identity” and that this service provider is outside of Canada.
Personal information stored outside of Canada
Another significant concern was that there were no agreements with Babylon to address how people’s personal information is collected, stored or used. What made this particularly worrying is that the investigation found that some very sensitive personal information was being processed in the United States. This included:
- audio call recordings
- consultation notes and prescriptions
- government-issued photo identification (e.g. driver’s license, passport, and identity card)
- video call recordings
When sensitive personal information is stored or processed in the United States it is subject to the U.S. Patriot Act. As explained in a legal assessment of the potential impact of privatization on people’s privacy, under the Patriot Act, U.S. authorities can legally require that personal information stored in the United States be released to them.
Collecting location data problematic
The Information and Privacy Commissioner also criticized the collection of location data, saying, “collecting precise location in order to direct individuals to the closest pharmacy and 'approximate location from your IP address' are not essential to the provision of health services.” This raises questions about having virtual care delivered by for-profit companies, and those questions are not restricted to Babylon and TELUS Health.
For virtual health care corporations, partnerships with pharmacies are a potential source of revenue. An example is the partnership agreement that Maple, a for-profit virtual health care corporation, has with Shoppers Drug Mart. If apps are unable to collect the location information needed to direct people to nearby pharmacies, it’s likely that partnership agreements will be less attractive for pharmacies.
TELUS asked to report back within 6 months
While TELUS has issued a statement saying that its takeover of the Canadian operations of Babylon Health will address the remaining issues in the Information and Privacy Commissioner’s report, the Commissioner has asked TELUS to report back within 6 months on how it is complying with the outstanding recommendations. However, even if the Commissioner’s concerns are addressed, it is safe to assume that other issues with having health care delivered by for-profit corporations will remain.