Canadian regulator finds biometric data privacy compliance gaps in Telus’ health app
Provincial government officials in Alberta, Canada say they have found significant privacy compliance gaps, some involving face biometrics – in a mobile health app that was only launched in Canada in 2019.
Also, physicians using the app to communicate with patients have followed policies and procedures that “did not reflect the roles, responsibilities and accountabilities required by” Canada’s Health Information Act.
The app in question, MyCare, is operated by the IT firm Telus Health, a division of Telus. MyCare was launched in Canada initially as Babylon by Telus Health in 2019. It is marketed to health care consumers living in remote locations and to those who for other reasons need remote care.
Telus executives have said in a prepared statement that their app meets or exceeds applicable privacy regulations.
Complaints about the app’s privacy policies from politicians and the public were sent to the province’s privacy commission. An investigation by the Office of the Information and Privacy Commissioner of Alberta led to a 68-page report.
Regulators found that Telus has obfuscated policies, including one that would directly impact biometric data.
They found that the company was vague about why personal information, including selfies created for the app by customers for biometric identity verification, were being collected.
The firm did not adequately document, as required by federal law, about which countries would in some way touch Canadian consumers’ biometric data.
Telus Health Canada has relationships with 20 third-party service providers.
Of particular note, the app enabled physicians to record and store video and audio from online consultations, a function — which was used — that was not supported by the company in terms of privacy.
The privacy commission noted that, during the investigation, Telus made some changes.
Adequate policies and procedures were created for physicians using the app, for example. And Telus executives said video would no longer be recorded.
However, according to the report, Telus has said “it cannot discontinue” collection and use of audio of consultations, government-issued ID or selfie images.
MyCare originated in the United Kingdom in 2013, the product of a partnership between Telus and digital carer Babylon Health.
Telus bought Babylon Health Canada and, according to the digital health care firm, “continues to work closely with Babylon Health Partners,” a separate IT company. The app’s name was changed to MyCare in the buyout.