Parliamentary Committee Notes: ArriveCAN
Proposed Response
To the purpose and outcomes of the ArriveCAN app during the COVID-19 Pandemic.
- ArriveCAN was built with a single business purpose - to enforce public health measures during the COVID-19 pandemic.
- It was used 60 million times during the pandemic and allowed travellers a fast, easy and secure way to show they met all public health requirements. It is still being used on a voluntary basis to the tune of approximately 300,000 times per month.
- ArriveCAN decreased processing times, allowed business and vital goods to flow, and helped the government monitor and respond to new COVID variants to keep Canadians safe.
- While the ArriveCAN app was built during an extraordinary time and on an emergency basis, recent reports from the Procurement Ombuds and the Auditor General’s have identified important gaps in procurement processes and controls. Their recommendations will serve as guideposts to addressing them.
- The CBSA is strengthening its processes and controls related to procurement planning, contract administration, corporate culture and proactive monitoring to reduce the risk of fraud.
- The CBSA has established a solid governance structure to oversee the use of contracts in the Agency, and is reducing its reliance on external contractors in a systematic and responsible way.
- It is my expectation that appropriate action will continue to be taken as review and investigative processes are completed. It’s important that these processes continue with integrity and are concluded as soon as possible.
Background:
Office of the Auditor General Report on ArriveCAN
The Office of the Auditor General’s audit findings are focused on six themes:
- The precise cost of the ArriveCAN app cannot be determined
- The CBSA relied heavily on external resources which increased costs
- Procurement decisions did not support value for money
- The requirements placed on bidders were restrictive and likely have limited competition
- Practices to manage the ArriveCAN project were missing at the most basic levels
- Deficiencies regarding security testing of the application
The CBSA is focused on actions in the following three areas that will make a material difference in improving how it manages procurement:
- Creating an Executive Procurement Review Committee to approve contracts/task authorizations;
- Requiring employees to disclose all interactions with potential vendors; and
- Increasing the capacity of our procurement group both to oversee all procurement activities and establish a centre of expertise to help employees if they have questions or do not understand their authorities and obligations.
Following the tabling of the report, Conservative Leader sent a letter to the RCMP commissioner asking to expand its investigation to include ArriveCAN. The RCMP responded that “The Royal Canadian Mounted Police is assessing all available information, including the Auditor General’s performance audit report, and will take appropriate action.”
| Statement | Response |
|---|---|
| The app cost approx $59.5 million but the exact cost is impossible to calculate because of the CBSA poor financial record keeping. | The bottom line difference between CBSA numbers and the OAG numbers is that each counted different activities in different timeframes. CBSA has reported broadly and publicly on the development and updating of ArriveCAN as a public health measure. The OAG has folded in costs that came after its use as a public health measure, as well as some general IT environment costs not specific to ArriveCAN. |
| The CBSA’s decision to continue relying on external resources throughout the app’s development, launch and updates, beyond the initial pandemic crisis, increased costs and brings into question value for money. | The CBSA is a large IT-enabled service organization, with about 180 technology systems. CBSA has always relied on outside expertise for skills it cannot recruit. CBSA still needs to outsource to some degree – but as an organization, we are working to rely less on contractors. For example, in the Chief Data Office, we are successfully recruiting in areas like biometrics and disaggregating data. We used to have almost a hundred consultants in this space. Going into next fiscal, we will have around a third of that. |
| The CBSA’s disregard for policies, controls, and transparency in the contracting process limited opportunities for competition and undermined value for money. | The pandemic context was an incredible management challenge. Across government, departments were called upon to be fast and flexible in providing services to Canadians. But, this bias to action shouldn’t have come at the price of sound stewardship. Then, as now, we needed to be focused on documenting decisions and taking care of basic management fundamentals. We have already made changes to address this and we will take further action to ensure management practices are aligned with policies and deliver value for money. |
| Evidence indicated that GC Strategies was involved in setting the requirements that the CBSA later used to tender a competitive contract. | That is not how it works. The CBSA has taken steps to ensure that all requirements flow through its Procurement team and that the CBSA’s requirements be posted, in a transparent manner, where companies can bid on them. We will also require employees to disclose all interactions with potential vendors. |
| Essential information, such as clear deliverables and required qualifications, was missing from contracts. | The CBSA’s new executive governance process is assessing all contracts and task authorizations and will approve or challenge proposed approaches with the goal of ensuring the best value for money. This is a culture change. |
| The CBSA routinely approved and paid invoices that contained little or no details on the work completed. | This is a serious issue – work performed by all contractors, no matter what they are working on, needs to be clearly delineated on invoices. How else can we know what we are paying for? The CBSA has taken a number of steps to ensure that this is always the case going forward. We have increased the capacity of our procurement group both to oversee all procurement activities and establish a centre of expertise to help employees if they have questions or do not understand their authorities and obligations. |
Procurement
The CBSA’s Internal Audit and Program Evaluation Directorate is performing work on the Agency’s procurement and contracting practices. An internal audit and review are expected to be completed in the spring/summer 2024 and the results will be posted to the CBSA’s website once complete.
The CBSA also awaits the upcoming final reports of the Office of the Auditor General and of the Office of the Procurement Ombud on McKinsey contracts and will take additional measures informed by those reports once available.
The CBSA has improved controls and oversight, including having those with procurement authority in headquarters retake their training, having a senior committee review new contracts and task authorizations and centralizing procurement responsibilities within our Agency.
Employees must always be guided by the CBSA Code of Conduct and the Values and Ethics Code for the Public Sector. The Agency will be launching an internal dialogue on values and ethics, with engagement to come over the coming weeks and months.
If pressed on procurement:
The improvements made to the CBSA procurement function in 2023 include:
- the establishment a new nationalized procurement directorate to provide consistency and greater oversight,
- updating and communicating Standard Operating Procedures to ensure compliance with the Directive on the Management of Procurement
- reviewing our financial processes to ensure compliance (Section 33),
- requiring all managers and executives in headquarters to take / retake four mandatory procurement courses,
- reviewing our process for the proactive disclosure of contracts to better transparency, and
- creating a two-tiered governance structure where a new VP led Executive Contract Review Board approves all contracts and task authorizations above $40K and all requirements over $1M are passed to Executive Committee for final approval.
False Quarantine Issue
From June 28 to July 20, 2022, 10,200 ArriveCAN users out of the approximate 2,000,000 ArriveCAN submissions, despite having submitted all the required information and their proof of vaccination using the ArriveCAN app, received automated quarantine notifications when they should not have when they crossed the Canadian border. The Consumer Law Group of Canada filed a proposed class- action lawsuit on February 16, 2024 against the Attorney General of Canada on behalf of individuals who received false automated quarantine notifications.
This issue was related to a defect in the iOS version of the application that had incorrectly defaulted a field¸ “quarantine_exempt”, to false. This flag is used by the ArriveCAN back-end system to send automated quarantine notifications to travellers.
The defect was introduced in ArriveCAN version 3,0 for iOS and was caused in a very specific scenario, where a user:
- started the “public health” data submission flow
- added the traveler information and their corresponding vaccine information
- exited the “public health” flow
- and then later returned to continue the submission
Essentially, if the user began their submission, stopped and returned later, they would be flagged for quarantine.
When the user resumed the submission, the app used the default value of the “quarantine_exempt” flag, instead of the modified value based on the traveler’s data and vaccine information. This defect was not detected during testing because this scenario was not a part of the ArriveCAN test cases.
In response to this defect, the CBSA updated their testing to cover this scenario and invested resources in building an automated testing capability for ArriveCAN so that more time can be dedicated to testing new features where defects such as this could be introduced.
The CBSA resolved this issue in 4 stages:
- On July 20th, 2022, a resolution was implemented to the vaccination flow for all new submissions. From that point on, newly created submissions were not falsely flagged as going into quarantine
- On July 23rd, 2022, a resolution was applied to correct the ArriveCAN submissions of users who had not yet crossed the border so they would not receive false quarantine notifications when cross the border
- On July 25th, 2022, a fix was implemented to stop sending false quarantine notifications to travelers who had arrived and were receiving them
- On the July 27th, 2022 the CBSA sent corrected data files reflecting the true quarantine status to PHAC to ensure that PHAC’s IT systems used to manage quarantine cases were in synchronization with CBSA’s data
- Date modified: