The Alberta Privacy Commissioner has completed its investigation of the Babylon Health App, concluding that the app violates the province’s Health Information Act (HIA) and Personal Information Protection Act (PIPA) on several fronts. Most notably, the Commissioner objected to the app’s use of document and facial recognition, which is used for identity verification.
On that front, the Commissioner argued that Babylon does not need to be using facial biometrics to provide health services, and that the terms of service do not make enough of a case to justify the practice. As a result, the Commissioner believes the use of facial recognition is disproportionate, and that Babylon should instead be relying on an alternative form of identity verification.
In its response, Babylon claimed that its use of facial recognition is based on international best practices for remote identity verification. The app asks users to take a photo of an ID, and then uses facial recognition to match the individual to that document. In that regard, the process is comparable to that used in finance and other highly regulated industries all over the world.
With that in mind, the Commissioner’s decision would seem to have serious implications for any app that offers face-based identity verification services. The decision essentially suggests that there is no valid reason to use facial recognition, up to and including fraud prevention. Babylon noted that biometric identification helps guard against medical fraud, but the Privacy Commissioner explicitly dismissed that argument and said face verification was unnecessary.
Babylon itself is a foreign company, though Telus has acquired and is running the company’s Canadian operation. The Commissioner was specifically investigating the Babylon by Telus Health App, and took issue with the fact that the terms of service were unclear and referred to utilities that were not actually available through the app. It also said that many of the features of the app – including the Symptom Checker, Healthcheck, and audio recording features – violated various aspects of the HIA and PIPA laws. Babylon deleted a video recording feature in June of 2020 in response to the Commissioner’s investigation.
As it stands, it’s unclear if there is a facial recognition or health tracking application that would meet the Privacy Commissioner’s standards. However, the Commissioner indicated that it was in favor of virtual healthcare solutions, as long as they meet the province’s privacy laws.
Source: Global News
August 4, 2021 – by Eric Weiss