Report reveals security risk to Apple devices using Alberta contact tracing app


EDMONTON – The Alberta contact tracing app has received an “excellent” rating from the provincial privacy commissioner, with the exception of a few flaws on Apple devices. In her report released Thursday, Commissioner Jill Clayton commends Alberta Health for developing ABTraceTogether as one part of the province’s contact tracing approach, along with human surveillance and public health expertise.

The application was revealed in early May as a method of tracking the spread of COVID-19 in the province.

Officials have since urged Albertans to download the free app, which uses Bluetooth to identify people who may have been exposed to a carrier of the coronavirus.

In a 66-page report, Clayton writes that she found that the app collects less data than similar apps around the world and that its voluntary use helps reduce the risk of over-collection.

However, the commissioner said that certain risks are increased for owners of Apple devices because the guarantees necessary to run the application are “beyond its control”.

For example, Apple requires ABTraceTogether to run in the foreground, which leaves devices unlocked and potentially more vulnerable to theft.

“We recognize the challenges [Alberta Health] has been confronted with in this regard because the required guarantees are beyond its control. However, given the need to run ABTraceTogether in the foreground on Apple devices, there is a security risk,” wrote Clayton.

This means that employers in the public, private and healthcare sectors have an increased obligation to protect information under provincial privacy laws, she said.

“We have asked AH to keep us informed of the progress made in solving this problem and to [Privacy Impact Assessment] amendment if a solution is implemented.”

The report also highlights some inconsistencies in the length of time the app keeps Bluetooth meeting logs.

Information provided on the Google Play Store and the Apple App Store indicates that meeting logs are kept for 14 days, but Alberta Health said in its initial privacy assessment that contacts are saved for 21 days.

The report also concluded that users may not have known they had to contact the Health Information Act help desk to delete their phone number from the app database.

“The FAQ and the privacy statement inconsistently indicate the information deleted when withdrawing participation,” said the report. “In a document, AH states that the phone number and user ID are deleted. In another document, it indicates that only a user’s phone number is deleted.”

Clayton also found that, to properly protect the privacy of all users of the app, the app would ultimately have to be dismantled.

The ICDO has asked Alberta Health to let them know when it is time to dismantle ABTraceTogether and provide a public update of its decommissioning plans.

