Notices of Meeting include information about the subject matter to be examined by the committee and date, time and place of the meeting, as well as a list of any witnesses scheduled to appear. The Evidence is the edited and revised transcript of what is said before a committee. The Minutes of Proceedings are the official record of the business conducted by the committee at a sitting.
We'll get going. I understand that our MPs beaming in have had their mikes checked. Thanks very much.
Welcome to meeting number 38 of the House of Commons Standing Committee on Government Operations and Estimates or, as I call it, “the mighty OGGO”.
We have witnesses today from the Canada Border Services Agency, PSPC, the Public Health Agency of Canada, Public Safety Canada, and Shared Services Canada. I won't name all the witnesses because there are so many.
Because we have so many departments today, we will skip over, with agreement of the parties, the usual five-minute openings. Some have sent us their opening statements in writing. Thank you very much. If anyone else wishes to do so, you can do so after the fact.
I would like to give each of you just a two-minute opening brief, please. Again, this is because we have so many witnesses and only two hours.
Really quickly—and this may not be a point of order—it is my understanding that when we invite witnesses to attend a committee meeting, they are invited to send us their opening remarks 72 hours before the meeting.
I would have really appreciated receiving all of the remarks the departmental officials are bringing. I do note that Ms. Casey was the only one who provided us with her comments ahead of time.
If we are now going to be given just a summary of what they may have wanted to present, perhaps we could ask all of them to provide their comments in writing to us after this meeting.
That's a good point. I did mention that, but perhaps in different words.
Perhaps the five departments would provide.... I see that Ms. O'Gorman has provided hers. However, if the other departments wish to provide their opening statements after the fact, it would be wonderful.
Apparently some have arrived late and will be distributed shortly.
It is a good note for our witnesses for this committee, or other ones, to provide the information in advance, especially for our translators but also with respect to our members of Parliament.
We'll start with the CBSA.
Would you provide us with a quick two-minute overview, please?
I'm Erin O'Gorman. I'm the president of the Canada Border Services Agency. I believe you have my remarks.
I would just briefly flag that the need for the ArriveCAN app arose when it became impractical for the Public Health Agency to manage the manual paper-based process to pass the information necessary to provinces and territories, and to carry out enforcement and compliance activities. I think we will speak more about that today.
I would point out that the CBSA has published a breakdown of the expenditures related to ArriveCAN. Again, I think we can elaborate on that further.
I would just like to point out and address the error that was contained in the CBSA's response to order paper Q-597. ThinkOn was wrongly listed as a contractor; it should have been Microsoft. The error was a human one and resulted from a one-key mistake that led to the reporting discrepancy. I apologize to the committee for that mistake, confirm that our CFO has double-checked and is satisfied that there are no other errors contained in the order paper question response, and can attest to its accuracy.
Thank you for inviting us to speak today about how PSPC can support the Canada Border Services Agency and the Public Health Agency in meeting their needs.
I would draw attention to the fact that we, as a common service provider, are really trying to make available the most agile and effective instruments to serve the needs of our clients and help them deliver their departmental needs. In this case, we were able to leverage a number of standing offers and supply arrangements to help the CBSA augment its capacity and bring on timely service to meet the pressing needs of COVID-19.
As we look at our instruments and try to improve them, we're always looking at how to make sure that we're in a market capacity and that we're also able to provide the widest range of services, so we periodically refresh our standing offers and supply arrangements to ensure value. However, in the case of an emergency, we also have to balance that with risk. In some cases, we are required to look at sole-sourced contracts and other mechanisms to be able to move quickly, but we're always doing that within the optic of trying to balance effectiveness, cost and fairness, as well as managing risk. In this case, we think we were able to work with our departments and agencies to provide the services they needed and to balance those factors.
As we go forward, Mr. Chair, I just would like to say that we will continue to look at ways that we can be fair, open and transparent in our procurements and that we will try to provide the most responsive procurements possible to serve the needs of the departments.
My name is Jennifer Lutfallah. I'm the vice-president of health security and regional operations at the Public Health Agency. I'll just underscore a few points that are contained in my speaking points, which I think you do have.
At the onset of the pandemic, monitoring health measures at the border was a paper-based process. It was a cumbersome one. It was a labour-intensive process. Further exasperating the process was the collection of forms using biohazard protocols. As you will remember, at that point in the pandemic there was suspicion that the virus could live on paper.
PHAC was responsible for collecting, organizing and shipping paper forms that were collected from travellers from all over the country and for digitizing and inputting that information into PHAC's systems. That could take up to about 14 days. We were faced with incomplete and illegible information that was contained on those forms.
In terms of the number of adjustments that were made with the OICs, there were over 80 different OICs written by PHAC as a means to respond to the evolving pandemic. Each time, in most of those circumstances, ArriveCAN needed to be adjusted to respond to those new public health requirements.
I'll finish by stating that without ArriveCAN, Canada's ability to administer the public health measures at the border would have been significantly reduced.
Thank you, Mr. Chair and committee, for your invitation today.
I'm Kristina Casey, the assistant deputy minister of the citizen and business branch at Shared Services Canada.
Shared Services provides core IT services to the Government of Canada's departments and agencies using an enterprise approach. Some of the services we offer include hosting services, including the provision of cloud services across the Government of Canada. We administer brokering services, technical expertise and tools to guide customer departments and simplify cloud adoption. SSC has established a list of pre-qualified cloud vendors that meet security requirements and that can be leveraged by departments, such as CBSA, to run their applications.
SSC's role in regard to the ArriveCAN app was to enable the cloud connectivity and monitoring and supporting infrastructure. It was about providing the foundational platform for an enterprise application to operate. Throughout the Public Health Agency of Canada and Canada Border Services Agency design, development and deployment process of the app, SSC supported the implementation of a number of networking changes to enable the application to securely exchange information between the cloud solution and the Government of Canada data centres. Specifically, this was done by securely housing the app in the cloud and routing network traffic through a secure infrastructure to protect the sensitive data of Canadians and visitors.
Right. We did provide a list of invoices. My apologies, but we are looking at about 500 invoices, and we're in the process of having those translated. We can work with the clerk to see whether you would like those provided at once or as we finish the translation.
In terms of subcontractors, we don't have that information. We just have information relating to those who held the contract directly with either CBSA or PSPC.
There was a lot of public interest following the incident that you mentioned with respect to ThinkOn. It was said they received $1.2 million, but they said they did not receive it. That information was not provided in the House—the correction. The information that the minister signed off on stands in the House.
Following that.... We're a reasonable group of people. We gave a reasonable timeline for those documents and invoices to be tabled at this committee. It does raise questions when it's been 28 days since that happened.
The government and CBSA should know where the $54 million was spent on this app and who was paid. There are definitely questions on whether this delay is the result of simply not knowing, or whether there are more accounting errors. Has there been direction given in hopes that a scandal for the government goes away, or at worst there's a cover-up happening because there's uncomfortable information for ministers or government included in there?
Which of those scenarios best describes what we're dealing with in a 28-day delay in getting invoices? It should be pretty straightforward and they don't even require translation, because they can just be tabled mostly containing total amounts and the name of the subcontractor.
In terms of the error, again, I apologize for that. CBSA is accountable for that error. I understand that the revised OPQ will be tabled, if not today then certainly this week. It did come about by somebody contacting ThinkOn, because it hadn't been caught in our system. As I mentioned, the CFO has gone through all of the other information contained in the OPQ. It was a transmittal error.
ThinkOn did not receive a contract and was not paid for anything. It was an error in the coding. That's how that came up.
I remain a bit mystified as to why there's a delay on providing what should be very straightforward information. I think most people can keep track so that if money goes out, then a receipt of payment is generated. The list of people getting paid should be quite easy to produce. The committee did not suggest that the documents should come on October 31. There was a requirement that they be here.
Other departments, when they've had issues, have asked if they can extend until a date, or release the documents in tranches. At this point, it appears that there's an unwillingness to provide the information.
On what day can CBSA commit to providing the information that was due two weeks ago?
I can't stress enough that this is certainly a matter that's in the public interest. We gave a very reasonable timeline to allow for CBSA to provide that information. It hinders the work of this committee. It causes Canadians concern when there are tens of millions of dollars with questions that have been raised. Some questions are arising of amounts being paid to groups that didn't receive them, and some are based on the entire amount of the project. I do look forward to receiving an update on when we can expect all of the documents.
Thank you to the departments for being here today.
The first thing I want to do is establish why we're here. We're here because we want to understand whether the amount spent on ArriveCAN was reasonable under the circumstances and what the amount was. Therefore, I want start by establishing what each department was responsible for.
As I understand it, Public Services and Procurement, as a common provider, went to tender and negotiated umbrella agreements to satisfy demands and specifications of client departments. Basically, this is a set of terms to which client departments could issue purchase orders for services related to ArriveCAN. It is my understanding that PSPC did not issue any such purchase orders.
Actually, there would be a combination of...they're called “task authorizations”. In some cases, the task authorization will be in a dollar value, where the departments themselves would issue the task authorizations, but above their delegated authorities, we would actually issue the task authorization.
Nevertheless, we do work with the department to make sure that the task authorizations are within the stream of work within the overall contract, to make sure that they're tasking what was in the contract in terms of the types of services that they would be getting from the firm.
Mr. Mills, are there any purchase orders or are there any contracts related to ArriveCAN expenses that are not on the document that we received from Public Safety or the CBSA that came from your department?
That was what I was asking from the beginning. Thank you.
For Shared Services, my understanding is that you provided cloud connectivity, security and monitoring services for the app, but it is my understanding that, again, you created a list of companies for cloud services that, if another department wanted to contract with, you would authorize, but you did not put forward any contracts yourself or any purchase orders yourself related to ArriveCAN to third parties. Is that correct?
I'm going to go to the department that is responsible, which is the CBSA.
For the CBSA, in the document you provided, you had some numbers that I need to better understand. You stated that $8,070,394 is the entire contract value for a contract with IBISKA for professional services. Later, in footnotes, you say that the expenditure for the contract for this time period was $110,175, not $8,070,394.
Please explain to me exactly what that means. What was the amount—the exact amount—that was paid to IBISKA related to the ArriveCAN app only?
That was not what was at.... I understand that you had a contract with IBISKA, and that a certain part of the contract related to a purchase order for ArriveCAN, but you create confusion when you provide the number of $8,070,394, leading people to believe that that entire amount related to ArriveCAN, when in fact the amount in the footnote appears to be $110,175.
Can you confirm to me—yes or no—that $110,175 was the amount paid to IBISKA for ArriveCAN and that nothing else beyond that was paid to IBISKA for ArriveCAN?
What was the total cost paid to third parties for the development of the ArriveCAN app as of the date you were mentioning of March 2022?
When I say “development”, I mean initial development costs and the costs of updating the app over 70 times. I do not want you to include costs under a contract that were not relevant to ArriveCAN or costs unrelated to development, such as telephone support to users.
What was the amount paid to third parties simply for the development and updating of ArriveCAN?
To answer your question, I can confirm that we spent $80,000 to develop the initial app, version 1.0. Then we spent a further $8.8 million to develop for free different versions of the app—one for iPhone, one for Android and one for website users—with over 70 different adjustments to the application.
Ms. O'Gorman, you responded to my colleague that you didn't have any information about the subcontractors who worked on ArriveCAN. The government has refused to identify the subcontractors for the media, citing security concerns.
If you don't know who these subcontractors are, how could you possibly ensure that they met all the security criteria required to work on an app like ArriveCAN, which collects a lot of personal information?
Mr. Chair, I would like to start by making a distinguishment between subcontracts and the professional services firm. In most cases, these were professional IT services firms. The subcontracts in this case are—
I would like to distinguish between a case with a subcontractor and a professional services firm. These were professional services firms that we are talking about, subcontractor resources who are essentially employees. Therefore, the information that we have is personal information around the employees that JDC Strategies and other companies engaged to provide the IT resources for the project.
You know the company that hired the subcontractors, but you don't know the subcontractors. However, they are developing an app that includes exceedingly personal information not only about Canadians, but also about people abroad.
How do you ensure that these individuals have the security clearance to do that when you don't know who they are?
PSPC is familiar with all of the contractors that we have arrangements with. For confidentiality reasons, the Government of Canada doesn't disclose the names of companies that have worked as subcontractors for one of its suppliers, as it is considered third party information. Within the IT industry, it's customary for firms to subcontract work or if Canada doesn't have a direct contract relationship with those subcontractors.
For an IT professional services contract with personal security requirements, Canada does verify the security clearance of all individual resources proposed by the contractor. Each of them gets an individual security clearance check, no different from any other employee or contractor working on a government priority.
With respect to the ArriveCAN app, then, I understand that the departments did not necessarily talk to each other about the subcontractors.
Kristina Casey of Shared Services Canada, the app had some significant failures that required almost constant adjustments. One of the failures was forcing people into quarantine when they met all the conditions to not be quarantined.
In your opinion, how much did these errors cost Quebec's and Canada's economy and productivity? I'm thinking in particular of the tourists who were unable to spend their money where they wanted to spend it, and of all those who were unable to go to work. Did you include those losses when calculating the real cost of the app?
Unfortunately, I can't comment on the impact on the economy, or issues related to the app, because those are the department's responsibilities. I will therefore ask my colleagues from the Canada Border Services Agency to respond.
The agency didn't detect the error because it didn't test the product. It took us a few days to find the error, and then we rectified the situation.
That doesn't erase the harm done to the 10,000 Canadians affected, which is completely unacceptable. However, given that 30 million travellers have used the app, those affected by the error are an exception.
This doesn't preclude the fact that it was completely unacceptable that the agency did not find this error before the app was used by the public.
The brief issues several very worthwhile recommendations, based in part on experiences with information technology procurement abroad. One of the recommendations is to remove the bilingualism requirement for IT staff, to expand the available talent pool.
I'd like to hear your thoughts on that recommendation. Would you support it? Also, what would acting on a recommendation like this mean for francophones?
First, I want to start by thanking you for attending and for your important work as Canada navigated the pandemic. It's greatly appreciated.
The point is to get to transparency here so that processes can be improved.
I'll start with Ms. O'Gorman. Perhaps you can help me. We heard at an earlier meeting with the national president of the Customs and Immigration Union that frontline officers were never consulted on the development of the app or any of its more than 70 updates. We also heard that because of the app, officers had to act as de facto “IT consultants”. This added to the strain of officers who were already experiencing understaffing due to previous cuts from previous governments.
Can you explain why officers working on the front line weren't consulted at any stage?
When ArriveCAN was created, it was done within a month. Regrettably, there was no consultation, and that is not how we would typically roll out something new—new technology in the agency. That's not how we would typically operate.
I will say that BSOs, as they used ArriveCAN, did provide feedback on how it was working. That feedback was taken into account as updates were done and to our operational guidance. Absolutely, the feedback that we received from individual BSOs was much appreciated and highly valued. And—
I was just going to note that BSOs did help individual travellers fill out ArriveCAN, and that was greatly appreciated. Many of the 30 million users didn't need assistance from BSOs, but certainly I want to acknowledge that they did help travellers coming in by both land and the air.
Can you provide any details of any estimates for developing, updating, maintaining and promoting the ArriveCAN app that were prepared using the Treasury Board's guide to cost estimating? If you don't have any precise information readily available, would you say the cumulative costs of the app have exceeded what was estimated?
The ArriveCAN app wasn't undertaken as a project. It was developed quite quickly, and changes were made over the course of the pandemic as the health measures changed. There is a budget of $54 million until the end of this fiscal year, of which $41 million have been spent.
With regard to Treasury Board guidance on costing, it does relate to projects, but I will invite our CFO to talk about his costing approach for the ArriveCAN app.
Initially, the ArriveCAN app was managed by the Public Health Agency, and they provided us $12.37 million in 2021-22 as part of a supplementary estimates (B) budget transfer. That was based on our forecasts for expenditure in 2021-22.
We received an additional $12.4 million via an IRCC-Treasury Board submission, which was given in supplementary estimates (C), and that was particularly around the PVC, the proof of vaccination certificate.
What's the long-term plan with the ArriveCAN app? Can you talk about how much the app is expected to cost on an annual basis? You talked about it wrapping up at the end of the year. What analysis has been done to assess whether Canadians will be getting adequate value for money now that the app is voluntary?
We have moved from a mandatory app to a voluntary app. We have called for an advance declaration, which was formerly the paper E311, which people can now fill out voluntarily in advance of landing at, I think, up to five airports now. We're rolling it out across the country one airport at a time, with a view to eventually expanding it to the land border. Early reports are that it's the difference between taking 120 seconds at a kiosk and taking 80 seconds. We're tracking that time and usage.
We are currently spending $1.5 million in non-salary dollars to maintain the advance declaration portion, but I don't have the long-term budget for that. As we roll it out and as we take the lessons learned and work with our contractors, we're looking at doing a knowledge transfer to our employees to be able to maintain the app.
Mr. Chair, that would depend on the nature of the work specified and the task authorization in the contract. It would vary from contract to contract, but it could be anywhere from “enhanced reliability” up to “secret”.
It's 47419-198132. It was a response to a question with respect to security clearance. It indicated that work could commence and the subcontractor could start to work without security clearance in place.
Is that unusual for a subcontractor who's dealing with Canadians' personal information, private health information and biometric information?
In effect, the waiving of the individual security clearance would be highly situationally dependent. Without the details of that particular task authorization, I can't speak to the specifics of why that might have been the case.
Generally speaking, how these professional services contacts are used and how the resources in them are employed is a business requirement that's established by the client departments we work with. I'm assuming this was a CBSA contract, but the specifics of why waiving that might be appropriate in a unique case would be operationally dependent and they would have to speak to that.
It would be helpful for this committee to know why someone wanting to be a network analyst with what would normally require secret security clearance would then be able to work on information systems specifically with access to Canadians' personal information, private health information and biometric data, especially at a time when we're becoming increasingly aware of cyber-threats to our country.
I would look to the witness panel, if they can't provide us a fulsome answer today, to perhaps provide in writing or return to the committee with information on the frequency with which this is permitted and the potential risk that Canadians were exposed to as a result of this. As well, ultimately, who is the signing authority that can waive security clearance requirements?
I can't speak specifically to this case, but the contractors and consultants we used did not access the personal information. Only employees had access to the databases with any personal information. Those employees would have had the proper security clearance to do so.
Mr. Chair, my concern is that people who are developing it and have access to our systems can develop ways to access them after the time that their work is completed, particularly someone who doesn't have reliability status, secret clearance, top-secret clearance or any enhanced top-secret clearance and is dealing with the most sensitive information.
We don't know. We're hearing a lot about state actors from other countries who are interfering in our democracy here. We have people who are potentially working on our information management systems to develop an app that's specifically collecting Canadians' personal information and we don't know who they are. We don't know that they would ever receive security clearance, even if their application was in progress.
I can make an application and it could never be approved. If the only requirement to get workers is that you file the paperwork, I think the exposure for Canadians is quite serious.
Of those appearing before us today, who can identify themselves as being able to get the information on who can sign off on the waiving of security clearance, the potential implications of that, and whether a threat assessment is done before, during or after that contractor has done work? Can they provide that information to the committee in writing? I imagine it will take a little bit of research.
I'm not sure, Mr. Chair, if we can just get someone from the witness panel to identify that they would be able to do that.
The CBSA has now published on its website a full analysis of the ArriveCAN costs that have been incurred by the agency.
For example, $7.5 million was spent with Service Canada on the call centre. Those individuals answered more than 650,000 calls from users of the ArriveCAN application. Another example would be data management. We spent $5.2 million providing data management facilities both to us and the Public Health Agency.
We spent $4.6 million on data storage and cloud services. This is around the storing of that data on secure cloud.
We spent $4.5 million on integrating the ArriveCAN application with the other basic systems within the organization that would allow the border services officers to see the information on ArriveCAN at the primary inspection kiosks.
We spent $2.3 million on security around the application, and we spent $1.7 million on accessibility.
All of those details are reported on our website and open to scrutiny.
My previous answer around the $80,000 for the first version, and the $8.8 million, relates to the application. The rest of the expenditure relates to how the public health process operated over the last two and a half years.
Based on your answers to the previous questions and this one, you said that the total amount was, I believe, $8 million and then $80,000.
You said that the total amount paid to third parties was in these buckets. Can I correctly assume that the total cost paid out to third parties related to the ArriveCAN app...? As of today, what's the exact total?
As of today, we have $34.8 million paid to third parties. As I explained before, that's not necessarily to companies; that includes $7.5 million to Service Canada. It covers contracts, but also memoranda of understanding.
Moving on, 18 million people downloaded the ArriveCAN app, so it's fair to say that its usage was ubiquitous amongst Canadians.
Can you tell the committee what kind of support an application needs, whether from an HR perspective or a data storage and cloud service management perspective, to maintain an app that is being used as frequently as this one was?
I can maybe start and then invite my colleague to add some detail.
It was also the monthly changes that were made to the application, both in terms of improvements and responding to the changing health measures. Sometimes those were significant: plugging into provincial and territorial proof of vaccination systems, providing COVID test results, and also facilitation techniques, having people being able to save their profiles. That was very helpful for truckers going back and forth across the border and to our nurses in Windsor, to not have to put their profile in every time they crossed. So there were two aspects, two changes, that took place virtually on a monthly basis.
When we talk about the app, the cost of making those changes as well as the security and the accessibility, as you mentioned, plugging into CBSA's systems and the cloud maintenance, I can invite my colleague Kelly to give some details on that. I just wanted to paint the picture of what the app looked like over the two and a half years in which it was being used.
Above and beyond what Ms. O'Gorman noted, there was additional work required around cloud expertise, back-end systems and, as noted, cybersecurity and accessibility, which were the core pieces to keeping the application running.
Ms. Casey, I'm going back to my question about bilingualism among information technology staff. As I was saying, Carleton University made a recommendation about that, and I'd like to hear your thoughts about it, and on the impact it could have on staff.
I have not seen the report, so it's very hard for me to provide an answer. I will have to provide an answer in writing.
I will say that we ensure the bilingualism of our IT resources. When we hire IT resources, we ensure that they meet bilingual requirements and we have a program to ensure that we maintain bilingualism through training.
We will be happy to provide a more detailed answer in writing.
Mr. Cormier, according to various databases, the two owners of GC Strategies do not appear to have lobbied anyone in the government, nor did they contribute to any election campaigns or partisan funds. That's great. The company is nothing more, nothing less than a talent recruitment agency, active in IT, among other fields.
For years, we've heard from small and medium-sized businesses about how difficult it is to gain exposure and win contracts from the government.
How, then, did a tiny business gain the government's trust to the point of entering into contracts with various departments totalling over $9 million to recruit staff to design ArriveCAN?
Also, how do you explain the government's decision to give a sole-sourced type contract to GC Strategies, which is essentially a talent recruitment agency, instead of approaching IT businesses that already specialize in developing health-related apps?
GC Strategies as a company has been registered in a supply arrangement with PSPC for a number of years. The task-based informatics procurement, or TBIPS, supply arrangement is where they're presently registered. They are a tier 2 supplier, which requires them to have done business for a minimum of three years and to have proven invoices for over $12.5 million in historic contracting in the domain in which they're being assessed to be able to provide services.
GC Strategies, in particular, was already in the TBIPS instrument before the pandemic began. They were also already working in the CBSA environment on other mobile applications.
Seizing on the “enterprise-wide” comment, this was enterprise-wide. In fact, it was extremely specific, stemming from the Public Health Agency's efforts to try to manage a paper process.
It was in that context that they came to CBSA to ask us to develop the app extremely quickly. It was so quick that we didn't have enough expertise in our workforce to do it. At the same time, the department was trying to manage the border and its employees in the context of the pandemic.
Looking back, with the information we had at the time and the request we had, the posture of the agency was to be as helpful as possible. It used, as my colleague referenced, whatever tools it could to enhance its workforce to be able to deliver on the app.
You can understand from the public's perspective that GC Strategies took a cut of $1.3 million, or upward of $2.7 million. We don't know which number it is. Hopefully, you can share that today with this committee, because I think the public deserves to know.
That's a lot of money. I believe that money could be better spent in the public service, hiring people who can do that work. They're not even experts in tech. This is concerning for everybody.
Do you not believe that the Government of Canada should have the in-house capacity in 2022 to develop a mobile app?
First, I'll agree completely. It is a lot of money. It's important to understand how that money was spent. I agree.
At the time, when CBSA was asked to develop the app, it went out to three service providers to receive offers. We simply didn't have the people on staff to allow us to develop the app, as well as to maintain our 180 other IT systems.
You went to the expensive consultants, who hired expensive consultants. This is becoming a pattern. This is the problem. How do we stop that? How do we create that in-house and save taxpayers' money? This is why we're here.
Okay, so if bonuses or pay incentives were created, they would have been created within GC Strategies. Thank you for that.
I'm now going to turn to some discrepancies within this sessional paper, which my colleague started to discuss. It was recently reported in a Globe and Mail article that federal outsourcing last year increased by 24%, to $14.6 billion. According to the sessional paper, PHAC sole-sourced a contract to KPMG for $1.08 million, for operations and maintenance, yet this, apparently, at the same time was under the purview of Canada Border Services Agency.
What's the difference between the work that KPMG did and then CBSA, please, Mr. Allison?
Mr. Chair, I can't speak to the work that KPMG did for CBSA.
For PHAC, we spent approximately $3.9 million, through KPMG, on services provided since fall 2020 for program management support to address gaps or needs such as accessibility, providing operational policy support and managing public health requirements at the border.
Perhaps while you're consulting those notes we can go back to Mr. Allison.
I'm going to focus now on advertising contracts for ArriveCAN, awarded to both Cossette communications agency and Banfield Seguin Media, for $19.7 million and $1.2 million, respectively. This information was not disclosed in the initial sessional paper.
Okay, that's very interesting. I think we'll look into that more.
Mr. Allison, do you have the list of the contracts under the national security exception? You do not as yet have that. Perhaps you could table them with this committee for us to review at a later time.
I'm going to go to the fall economic statement. Again, my colleague touched on this. It includes $137 million for CBSA to enhance its frontline capacity and hire additional officers to help alleviate border pressures.
Will any of this new funding go to ArriveCAN, and if so, what would that be for, specifically, please, Ms. O'Gorman?
An October 6, 2022, Globe and Mail article citing CBSA officials stated that the department budgeted a further $25 million for work on ArriveCAN and other matters this fiscal year, about half of which has been spent so far. Is this funding for maintenance, as budget 2022 suggests?
We're rolling out advance declaration first in the air environment, with a view to rolling it out into the land environment next summer. It's with a view to people having a faster border experience when they do voluntarily submit their declaration information ahead of coming into contact at the port of entry.
Mr. Moor, it's worth reiterating once again: What is the cost to Canadians of developing, building, the actual ArriveCAN app? That's not the back-end stuff, not the marketing, none of that, just the actual building of the app itself.
Version 1 of the ArriveCAN app cost $80,000. Then it was subject to 70 different amendments; our colleague from the Public Health Agency referred to 80 different OICs. Each of those OICs required some additional work to be done on the app. That accounted for $8.8 million to update the apps.
You have to remember that the ArriveCAN app was merely a tool to operationalize the OICs. The OICs were the meat of the Canadian response. It was a multi-layered approach to protecting Canadians' health, as well as our health care system.
From our perspective, based on a number of assessments, the OICs that were operationalized by ArriveCAN have obviously contributed to protecting the health and safety of our population.
Being from a border community here in Windsor, I can tell you that about 400 million dollars' worth of goods cross the border each and every day. You're talking about auto parts that keep our factories going during COVID, and PPE and vaccines that cross the border.
Ms. O'Gorman, you talked about 1,600 nurses in Windsor who cross the border every single day to work at hospitals. What role did the ArriveCAN app play in making sure that we had the free flow of people and goods across that border, which was vital during COVID? How important was the ArriveCAN app to making sure that the border flows freely?
It was critical. We had the experience at the beginning of the pandemic with paper and individuals having to communicate to border service officers the information that was being sought by the Public Health Agency. That was being inputted manually—I'm referring to the land border—by border service officers. What were approximately one-minute interactions before the pandemic became about seven-minute interactions, before ArriveCAN became mandatory and people were able to send their information ahead. What happened is that they would send their information ahead, and it would be validated by ArriveCAN with its interaction with other systems. The border service officer would see a green check mark.
It didn't go back down to one minute, but it became approximately a two-minute interaction. So when we're comparing it, it's not really prepandemic versus pandemic; it's the paper time during the pandemic versus the ArriveCAN time during the pandemic. Because those lanes are shared between commercial and travellers, holding them up had a significant implication beyond just travellers having to wait, but to back up the trucks that were crossing as well.
ArriveCAN kept Canadians safe, kept the economy going, kept the flow of essential, vital goods across the border in a just-in-time manner.
Privacy was also a key consideration. Can you talk to me a little bit about how much investment went into making sure that the privacy of Canadian data information is protected? We know the Privacy Commissioner of Canada has said that privacy is a fundamental right for Canadians.
Can you tell us a little bit about the efforts and how we prioritized protecting the privacy of Canadians through this development?
The Treasury Board Secretariat issues requirements with regard to security and accessibility for public-facing applications such as ArriveCAN. We did spend money, approximately 4% of the overall funding, on security requirements.
The Leader of the Opposition has described ArriveCAN as an app that could have been designed over a weekend. Had we taken the Conservative Leader of the Opposition's advice and built an app over a weekend, could it have protected the safety of Canadians? Would it have guaranteed the free flow of essential goods across the border and would it have protected the privacy of Canadians?
I want to thank our witnesses for joining us today for this really important conversation.
On July 28, 2022, the Minister of Public Safety stated that ArriveCAN was created for COVID. However, the RFPs long precede COVID, and the documentation the CBSA submitted to our committee stated that contracts used for the development of the ArriveCAN app were issued prior to the pandemic, some as early as 2017.
I'm wondering if you could describe for us the purpose of the contracts to MGIS and eight other vendors that began long before 2020.
With respect to the MGIS contract, that was used for numerous items, such as project management, across CBSA prior to COVID. We did have other contracts as well that we did leverage throughout COVID for things like cybersecurity and some mobile app development, as well as for our back end and cloud. So the actual contracts that are listed, the ones that predated COVID, had been used for other IT systems within CBSA prior to COVID, and we continue to use those today for those items.
The original concept for the app itself was to digitize the intake of the contact trace form that PHAC did have prior to the pandemic. My understanding—and I'll turn it to Jennifer as well—is that it was the standard form that was used. We were asked to digitize that form.
We did anticipate, though, that there would be additional needs, such as integrating it with our systems and integrating it with the PHAC systems, and the contracts that were created did include room for that additional work as well.
I want to go back to some questions around GC Strategies. Their website states, “GC Strategies was asked to help with ongoing development and maintenance needs of the COVID Alert app”. I'm just wondering who would have contacted GC Strategies. When they appeared before the committee, they weren't able to tell us who had asked, but perhaps someone in this room knows who approached GC Strategies to help with the ongoing development.
Initially, when the request came in from the Public Health Agency, CBSA approached three companies—GC Strategies, Apple and Deloitte—to seek feedback from them on our requirements. We assessed the two responses that we did receive, and we felt that GC Strategies aligned with what we knew we would have to do in terms of security and what we anticipated in terms of some but not all of the changes that we thought might come again.
The decisions we made in 2020 didn't have the benefit of hindsight, so it wasn't clear how long we would have to maintain the app, but we felt that the staff augmentation proposal from GC Strategies and the ability to use the CBSA cloud were the most appropriate for what we knew we needed.
I'll hand it over to my colleague, but I will just go back in time to March 2020, the request we had and the fact that there was no time to issue a competitive contract to be able to have an app within the month.
In terms of the broader rules, I'll invite PSPC to add anything.
With respect to sole-source contracts, there is a requirement for the department wanting the contract to provide a justification. There are a number of reasons for justification in terms of national security or an urgent emergency issue. In this case, as we were dealing with COVID in a pandemic situation, we were trying to move and act on the most urgent basis possible, so we would have had a justification for moving quickly in terms of meeting the needs of the government to respond to COVID.
Canada has two privacy acts. The first, obviously, is the Privacy Act, which covers how the federal government handles personal information. The second is the Personal Information Protection and Electronic Documents Act, which covers how businesses handle personal information.
Understanding that we have the added layer of health information in the ArriveCAN app, Ms. O'Gorman, would you speak to the challenges you and your department faced in developing support for the ArriveCAN app based on the sensitivity of health information?
We were very conscious from the outset, knowing that we would have personal information contained in the app, with regard to the handling and the security requirements. Our colleagues at PHAC did engage with the Privacy Commissioner directly, and through them we ensured that we met the requirements.
I would invite my colleagues to discuss their interactions with the Privacy Commissioner.
Ms. O'Gorman, 18 million people downloaded the ArriveCAN app. Can you tell the committee what kind of support the application needed, whether from HR, data storage or cloud service management perspective, in order to maintain an app that was used and adapted as much and as frequently as ArriveCAN?
There are a number of features and a number of things we do need to do in order to ensure that an app like this is supported. We need to make sure that we meet the Government of Canada's standards on cybersecurity; integrate the app with the rest of the CBSA ecosystem and also the Public Health Agency ecosystem; ensure that those apps are accessible to users; introduce the new functionality throughout the two and a half years; and then monitor the integrity of the data and operations.
That's just an overview of what's required as part of that support moving forward.
Considering the 30 million submissions, and obviously the monumental amount of data, could you talk a little more specifically about the safeguards that were built in to ensure that all privacy regulations were maintained?
We did dedicate IT security expertise. We looked at it as a “security by design” approach. When we developed and implemented ArriveCAN, we needed security assessment and authorization as per the government processes that Ms. O'Gorman mentioned earlier. For each release, we did a review at the beginning of the release to determine the amount of functionality changes that we would have. If the functionality changes were significant and we felt that it warranted a full review, we did do full security assessment and authorization processes for those.
We did 11 of those in total across the 70 functionality releases. Those were for our major releases when we were introducing such things as pre-arrival testing and the validation and verification of the proof-of-vaccination credentials.
We're now going to change the order a tiny bit. We'll go to Mrs. Vignola and then to the NDP for five minutes each. They will then, two rounds from now, give up their two and a half minutes—we'll just combine the two.
I can begin to respond on behalf of Canada Border Services Agency, the client of Public Services and Procurement Canada in this matter. I will provide the background, and let my colleagues speak to the process in detail.
At the time, the situation was pressing and the Public Health Agency of Canada had an urgent need. So we asked three companies if they could help us and create an application in a month. Two companies responded. We didn't have the expertise or the time to put it out to bid in March 2020. We ended up doing it later with help from the department.
I'm surprised that barely one or two companies responded that they could do it in a month, as opposed to companies that specialize in the field. From what I hear, it was quicker to use a company that had to recruit people rather than a company that already had specialized people on staff.
I have a hard time getting my head around how a company made up of two individuals, who have to look for specialized people and hire them to think about the issue and design an application, is able to do it faster than a company that already has the people and the expertise. I don't see how that's possible.
I mentioned two companies. However, one of the two companies came to us with the model that provided information security without using the Canada Border Services Agency cloud. Since we wanted to use that cloud, we felt that was not the best choice.
Under the terms of their contract, the other company had people with the expertise to meet our specific needs, and they could make them available to us fairly quickly.
Mr. Cormier, another $5.9 million contract awarded to GC Strategies was not released, again for national security reasons.
Which contract is that? What rule or policy specifically prohibits the release of this contract, other than the national security exception? What is so special about this contract that it cannot be released?
I believe this is the contract that was awarded on December 18, 2020 for ArriveCAN to meet the accessibility requirements of the Government of Canada. That contract had a value of $5.9 million, and $4.8 million of it was actually committed for work. The contract was covered by a national security exemption that was in place in response to the COVID-19 pandemic and its national security implications for Canada.
Ms. O'Gorman, the national president of the Customs and Immigration Union told this committee that ArriveCAN is “one example in a long line of far-reaching technological band-aid solutions in search of a problem, solutions that ultimately fail to enhance border security and effectiveness in any real way.” He also indicated that the agency is short-staffed by between 2,000 and 3,000 officers, and that 500 officers could have been hired for the same cost as the ArriveCAN app.
Do you think that Canadians received a good value for the $54 million that was spent, or would our borders be under less pressure if more investments were made in staffing?
Sure. The number of BSOs at any port of entry will fluctuate depending on travel patterns. Certainly as we come out of the pandemic, we're trying to figure out whether those travel patterns are being re-established.
I don't agree with the number of 2,000 to 3,000. I'm very happy to have the money in the fiscal update. We will be putting that, as I indicated, towards border service officers.
The agency also received funding specifically for firearms and drugs.
As I said earlier, our modernization agenda is an effort to alleviate some of the more lower-value roles of the border officers, so that they can focus on higher values, higher threats and higher targets.
I'll take that question, but I'll turn to Chris to provide additional information.
In terms of the apps that are developed on behalf of PHAC, such as the ArriveCAN app, the investment, as the president of the CBSA has indicated, is $54 million. With respect to the other apps that were developed, those were predominantly led by Health Canada; therefore, we cannot speak to the cost of those apps.
If the 27 contracts disclosed by the CBSA were sole-sourced, in addition to a sole-sourced contract to KPMG by the Public Health Agency of Canada, given the number of sole-sourced contracts involved in this app and the significant public attention on this issue, would you support a procurement practice review by the office of the procurement ombudsman?
Going back to one of my earlier questions around the initial estimated cost for the app.... To be clear, I'm not asking about what was spent. We've heard that the preliminary development of the app was around $80,000 and that the costs grew over time. I'm trying to find out whether those increases in cost were anticipated and, as the costs grew, was there an analysis done at each stage whether any of the work could be done in-house?
I want to clarify that, while I appreciate that the CBSA has undertaken to provide information about what assurances were taken with respect to the waiving of security clearances, I'd like to know if a single minister would have the signing authority or be the one to authorize that kind of action?
Okay. It's concerning. I'm revisiting it because we know that a passport in progress doesn't get you on the plane, but a security clearance in progress might get you access to the biometric, personal and health information of the more than 8,000,000 people who downloaded the app.
For example, I downloaded the app and put in the passport and personal information for my family, so there are more than just 8,000,000 people. We're talking about tens of millions of folks whose information is jeopardized by this type of thing.
On process, PSPC would not be the department responsible for the waiving of the security clearance. Is that correct?
Mr. Ron Cormier: That's correct.
Mr. Michael Barrett: Okay, but previously the CBSA said that they don't know who the subcontractors are. If PSPC is responsible for knowing who the subcontractors are, how could the CBSA waive the security clearances for companies that they don't know are doing work or are prospectively going to do work?
The first point, as Ms. Belanger said previously, is that those contracted resources didn't have access to the data, full stop. I appreciate the concern with clearances.
The second point I would make is that it sounds like this is a scenario where somebody was allowed to begin work pending the review. I think, as we get back to you with information, that it could have a period of days. We should know now whether or not they passed the security check.
The first thing that should set your mind at ease is that these contracted resources did not have access to the data, full stop. They built the tool. Second, what was the period of time for this pending...or waiver? It could be days or weeks, and we would have known the answer by now, whether or not they passed the clearance.
I think that coming back to the committee with that information should address the concern.
With all due respect, having the opportunity to do work on it versus intentionally being given access to the personal information of Canadians are two separate things. A bad actor who has not been cleared by our intelligence services could build in future access. That's why it's so important that we have assurances about what risk mitigation was done and whether there have been any breaches. This is really important.
My mind is very much not at ease. We don't know how many times security clearance was waived. We don't know for whom security clearance was waived and we don't know if those folks who had it waived were ever even approved.
There are a lot of ways that foreign state actors can test our systems and our processes, and this looks like a great opportunity for them to do that. It's important to note that this information is not information that was exchanged between government officials. It was disclosed to a public individual—not a member of government—that they could work on our information management systems without having the clearance.
I'm not sure if you want to comment on that with my remaining time. My mind is very much not at ease because although not intentional, I think we're open to a lot of risk. The risk can't be overstated.
I think our goal is to provide factual information. I think the concern that Canadians would have, which you're verbalizing here today, is really an important one.
There are overlapping controls, though. I mentioned the fact that developing the tool is different from having access to CBSA systems or people's data. Also, the fact is that this was tested by public servants—tested by an independent group who had been looking for those kinds of vulnerabilities.
Again, I think in the fullness of time, with ability to look at the specifics of the situation, we may be able to document a series of controls that would help assure Canadians that their information was protected.
Contractors building the tool didn't have access to the data. That tool was distinct from CBSA's systems, and then all products were tested before being released and put into production.
Thank you, Mr. Chair, and thank you to all the witnesses.
I'm going to start with Ms. O'Gorman.
During this testimony, we heard about two purposes, at least, for ArriveCAN. We heard about advance declaration and we also heard about a public health tool. Can you give us an idea which one of these purposes came first and what the driver was for them?
The public health measures at the beginning of the pandemic were the absolute driver. It was the fact that the Public Health Agency was collecting the information it needed from incoming travellers in paper and was not able to process that paper in a timely way to get provinces and territories the information they needed. It was for enforcement and compliance to be undertaken by the Public Health Agency.
This was very quickly discovered, which is why, the same month that the pandemic was declared, the request came to CBSA to develop an application that could digitize those forms.
I know my colleagues have confirmed this about a hundred times by now. The total cost of the initial application was $80,000. The subsequent cost was $8.8 million for development of nearly 70 updates, which relate to the 80 OICs. Is that correct?
We talked about 80 OICs. For Canadians who might not be aware of what “OIC” stands for, can you tell us what it stands for and quickly give us an example of an OIC? We hear about 80 OICs and 70 requirements. Can you quickly give us a sense of what it is?
I can speak to some of the requirements that changed over the course of the pandemic. I believe it was in April of this year that the government decided to implement a vaccine-differentiated border. By that I mean that those individuals who were vaccinated and double-dosed were accorded certain benefits by being vaccinated, once it was proven that vaccination was an effective mechanism to protect individuals.
Those who were unvaccinated would be subject to a different regime. What I mean by that is that they would have to have the pre-arrival test, which could have been a PCR or RAT. They would have to be tested on day one and day eight. They would have been subject to quarantine or isolation, depending on the situation as well.
ArriveCAN needed to reflect those two different streams of travellers. When it came to the vaccination status, I believe Kelly would be—
I'll just paint the picture: We had to develop an application in less than a month. We started working with PHAC to get roughly 70 requirements to be able to do it, and we leveraged PSPC's existing standing purchase order to be able to facilitate this.
I have to say that I echo Mrs. Vignola's comments regarding the questions that she had about the choice of GC Strategies, who in their own testimony confirmed that they weren't tech experts, that they weren't developers and that they brought teams together because they themselves didn't have the expertise.
Where I'm going with these questions is that you also stated that you have no information on the subcontractors. Do you know who they are?
It is a requirement of the contract. The issue was raised of whether there was an individual who may not have completed the security requirement process. I don't have that information, so we will come back in writing on the process and who makes those approvals. So I understood the question—
I am not asking about that specific individual. I'm wondering who provides oversight to a company like GC Strategies, and who is dealing with all subcontractors that we cannot know anything about. Who's providing oversight to ensure that they are vetting those subcontractors to the same level that they themselves are being vetted for security clearance?
Mr. Chair, yes, the contract would have the security requirements. We have a contract security program. GC Strategies would be required to ensure that any resources they were using met those requirements. They would bring forward the information on those individuals and they would be vetted through the contract security program of the Government of Canada.
Thank you very much, Chair. Thank you, MP Block, for those excellent questions, and MP Barrett as well.
Look, we're here today and the government is trying to convince Canadians that this was a pandemic environment and this app was done in an effort to keep Canadians safe. Our job here as a committee is to determine that it was done in the most cost-effective, most transparent and most secure way possible.
Let's take a look at what we've seen here today. On the cost, as we've discussed previously, for this app, which ended up costing $54 million, it was reported in The National Post on October 11, 2022, that two companies, Lazer Technologies and TribalScale, said they could have created this app for $250,000. It simply doesn't meet the costing factor.
There's the transparency factor. We look at the ThinkOn discrepancy, as raised by my colleague Michael Barrett. We look at the national security exceptions, which we still don't know about after I asked twice here today. And then there's the release of documents, which we still don't have here today.
Finally, there's the integrity of data, which clearly my colleague, Mr. Barrett, has brought into clarity of question as a result of the clearance questions.
Was this app created in the most cost-effective, most transparent, most secure way possible? We're not convinced. We're not convinced on this side of the table, and I don't think Canadians are either, Mr. Chair.
In response to Mrs. Kusie's most recent statement, I'm going to quote from former Conservative Prime Minister Kim Campbell:
It is quick and easy to attack, to make an accusation, true or false, and disparage someone. Answering and refuting always takes more time. There is an old saying that a lie is halfway around the world before the truth can get its pants on.
I think one thing that is incredibly misleading is this claim that it could have cost $250,000 to create the ArriveCAN app. That's basically, to me, like saying, I have spent two years creating the best possible sports car. I invested tons of research into it. I made 70 upgrades to the car. I tested it at a level that it could run on every racetrack on every surface in the world to meet the highest safety standards. Then someone, two years later, comes along and builds the core of the car, never having had to actually drive by anybody, never having to meet any safety standard, and saying it's the same thing.
Even the people who ran these companies do not suggest it could have cost $250,000. They even admit that they built the front end of an app. They copied the front end of an app, with no back-office link to the CBSA's system, with no security with respect to vaccinations that was required for multiple jurisdictions, etc.
My question for the CIO of the CBSA is, can you please tell me, is it true that you could have built this app for $250,000?
There were, as you mentioned, over 70 functionality changes. We had exemptions for essential workers we had to include the business rules for: for the truckers, the nurses, the cross-border workers. We had to ensure that the free flow of goods and services into the country continued. We had traveller self-service reporting. We had symptoms and quarantine we had to look at. We had scanning of documents. We had pre-arrival testing we had to include.
As you said, there was proof of vaccination, ensuring that we could validate and authenticate those items. We had to then look at, as we were reopening the border and reopening to foreign nationals, how to do that. How do we get those people in to increase the number of travellers crossing the border?
There's absolutely no way we could have done all of that for $250,000.
I really appreciated your testimony today. You've always been very clear in all your answers.
My question now is for the CFO of the CBSA.
Another oft-repeated theme that I've heard 20 times today is that you spent $54 million on the app. Previously, you gave me a number of $34.8 million that you said was spent, including amounts that you've internally accounted for.
Let me again go back: Does the $34.8 million number that you gave me include the $8 million for IBISKA, or the $110,000 dollars?
I think I'll have to get back to you on the detail of that, because what we accounted for in the $34.8 million is all of the external costs we incurred. That includes the public sector, but it also includes the private sector.
Ms. Thompson, I laugh with joy at your dogs back there. It's great.
That's our time, folks.
I see you, Mr. Johns. I'll get to you in a moment.
We've received all of the speaking notes, but I require the committee's consent on an issue. To be formal, I'll read it out: That speaking notes presented today by CBSA, PSPC, Public Health Agency of Canada and Shared Services be taken as read and appended to the evidence of today's meeting.
(Motion agreed to)
[See appendix—Remarks by Erin O'Gorman]
[See appendix—Remarks by Michael Mills]
[See appendix—Remarks by Jennifer Lutfallah]
[See appendix—Remarks by Kristina Casey]
The Chair: That's wonderful.
Witnesses, thank you very much.
I want to follow up on a couple of things. There were quite a few questions left outstanding that you promised to get back to us on. I would ask that you please provide that to the committee in a swift manner and not leave us trying to chase you down.
Ms. O'Gorman, I realize that it's a lot of documents. I will state, as chair, that I am disappointed at the delay in getting even an estimate from the CBSA on how long the documents will be for translation. I would ask that you get back to us as soon as possible. I express, as chair, my disappointment at CBSA for continuing to drag this out.
Mr. Johns, we have a hard close at one o'clock, but please go ahead.
I think we can get this wrapped up in under that, Mr. Chair.
On Friday I sent a letter to the procurement ombudsman on behalf of the NDP with respect to the ArriveCAN matter. As you are all aware, the House recently passed a motion recommending that the Auditor General conduct and prioritize a performance review of the app, something that we also pushed for here at the committee. I believe there are some elements of a review of the ArriveCAN app that would fall under the mandate of the procurement ombudsman, which includes assessing whether a department's acquisitions of goods and services are conducted in a fair, open and transparent manner.
Last July, the office conducted a procurement practice review of non-competitive contracts involving WE Charity, following requests by three members of Parliament. In the case of ArriveCAN, several sole-source contracts have been awarded. I believe it's in the public interest to determine whether the exemptions from holding competitions were met in those cases. I believe the Office of the Procurement Ombudsman has the expertise to look into this issue and could perhaps provide a more expedited answer than waiting on a possible Auditor General review on all aspects of the app. As such, I'm asking for the committee's support in recommending that the procurement ombudsman conduct a review.
Therefore, Mr. Chair, I'd like to move the following motion:
That the Committee recommend the Procurement Ombudsman assess whether contracts awarded by departments in relation to the ArriveCAN application were issued in a fair, open, and transparent manner, and whether contracts awarded on a noncompetitive basis were issued in compliance with the Financial Administration Act, its regulations, and applicable policies and procedures.
I did circulate this motion in both official languages, so everybody on the committee has it.
This is a pretty straightforward motion. I am hoping that the committee will support this request and this motion.