Federal Privacy Commissioner Philippe Dufresne is launching another investigation into the government’s handling of privacy aspects related to ArriveCan, bringing the total number of probes into the app for international travellers to more than a dozen.
Conservative MP Michael Barrett wrote to Mr. Dufresne earlier this month asking him to investigate whether the Canada Border Services Agency contravened the Privacy Act by potentially allowing private contractors working for the government to obtain the personal information of Canadians without the necessary security clearances.
In a response letter obtained by The Globe and Mail, Mr. Dufresne confirms that he has assigned a senior adviser in his compliance directorate to “investigate this matter.”
Mr. Dufresne’s office has previously investigated and reported on one specific problem with the app that occurred in the summer of 2022. The commissioner’s office reported last year that erroneous orders from the app that urged more than 10,000 Canadians to quarantine that summer under threat of heavy fines violated the Privacy Act.
The Privacy Commissioner’s new investigation is the latest in a long line of reviews into federal procurement issues triggered by revelations over the cost of the app and the government’s interactions with the private contractors that worked on the project.
Public Sector Integrity Commissioner Harriet Solloway recently revealed that her office is investigating alleged wrongdoing as well as allegations that two senior officials were suspended without pay as a form of reprisal for criticizing their superiors.
Other active reviews include an internal investigation by the Canada Border Services Agency; an RCMP investigation that is not directly focused on ArriveCan but is based on allegations that involve companies that worked on the app; around “15 or 20 cases” under review by Access to Information Commissioner Caroline Maynard that may be linked to ArriveCan; Procurement department investigations into ArriveCan contractors that have led to the suspension of three companies; Indigenous Services Canada reviews and audits related to the Procurement Strategy for Indigenous Business, a program that was frequently used by now-suspended ArriveCan contractors Dalian Enterprises and Coradix Technology Consulting; a Treasury Board review of how federal contracts are pro-actively disclosed; and reviews by the government operations committee and the public accounts committee.
In addition, two reviews are now complete: Earlier this year, Auditor-General Karen Hogan and Procurement Ombud Alexander Jeglic both released very critical reports about the government’s handling of the app, which cost an estimated $59.5-million.
The ArriveCan app was created in early 2020 as a way for travellers to upload mandatory contact-tracing information during the pandemic, such as their address. It was updated many times to also include health information such as vaccination status to present when crossing the border. The app is no longer mandatory as of Sept. 30, 2022, but remains a voluntary option.
Ms. Hogan’s report said that GCStrategies was paid $19.1-million to work on the app, which ultimately cost about $59.5-million. GCStrategies disputes the figure attributed to the two-person IT staffing company, saying it includes spending for IT work that was not related to ArriveCan.
Among Ms. Hogan’s many findings, she concluded that the CBSA issued two task authorizations to GCStrategies for ArrriveCan worth $743,000 that required subcontractors, commonly referred to as resources, to have a reliable security status yet some workers did not have that clearance.
“We found that some resources that were involved in the security assessments were not identified in the task authorizations and did not have security clearance. Although the agency told us that the resources did not have access to travellers’ personal information, having resources that were not security-cleared exposed the agency to an increased risk of security breaches,” Ms. Hogan’s report stated.
The government operations committee heard from GCStrategies managing partner Kristian Firth on Wednesday, followed by a Thursday appearance by company co-owner Darren Anthony, who said obtaining security clearances for subcontractors was one of his main responsibilities.
During Thursday’s hearing, NDP MP Taylor Bachrach asked Mr. Anthony to respond to the Auditor-General’s concern about security clearances.
“What the Auditor-General and the Procurement Ombud have both found is that the contract itself, in order to sign the contract, GCStrategies needed to have this specific security clearance. You are the chief security officer, but you were not aware of that requirement prior to Mr. Firth signing the contract and you did not review the contract for security requirements prior to him signing it. Is that correct?” Mr. Bachrach asked.
“That’s correct,” Mr. Anthony replied.
“What part of ‘Chief Security Officer’ involves the security part?” Mr. Bachrach asked rhetorically. “I’m having trouble struggling with this question of how you actually exercise that role with regard to the contracts that your company signed.”
After Mr. Anthony’s testimony, the committee unanimously approved a motion Thursday asking the Privacy Commissioner to investigate the issue of security clearances related to ArriveCan contractors and whether the privacy of personal information was adequately protected, “with a view to presenting a special report to Parliament.”