Initial development work for the government’s contact tracing app was undertaken by the Department of Home Affairs at the request of the Digital Transformation Agency, a senate inquiry has heard.
Home Affairs secretary Mike Pezzullo told the inquiry probing the government's COVID-19 response that the DTA had asked the department to assist with the early development of a potential app due to the DTA's workload.
He said work had begun on or around March 23 at the request of the DTA’s “head of digital” - likely the DTA’s chief digital officer - “simply on the basis that they were very much focused on the coronavirus information app”.
“The [DTA] on the 23rd March … said, ‘We don't have the capacity at this stage to look into this, we’re working on the earlier app - the information app, not the tracing app - would you mind having a look at it?’ We were very happy to help out,” Pezzullo said on Tuesday afternoon.
Pezzullo said Home Affairs was asked as it had undertaken “some early development work based on some early international comparators” in its National Coordination Mechanism, which was activated by Prime Minister Scott Morrison in early March.
Following the request by the DTA, the department conducted a procurement process and engaged with three “commercial parties” from whole-of-government standing offers to assist in the conceptual prototype.
In answers to questions on notice from Centre Alliance senator Rex Patrick also published on Tuesday, the department said Amazon Web Services, the Boston Consulting Group and CTO Group were engaged.
The three contracts cost a total of $416,196, the majority of which flowed to BCG ($220,000) and AWS ($164,996).
Both BCG and AWS were retained by the DTA for the development of the government’s final COVIDSafe app when work around the prototype design was handed off by Home Affairs on April 3, though Pezzullo said the “DTA conducted their own procurement”.
“They [the DTA] engaged their own partners - Amazon Web Services in the end to undertake the production version and the deployment version of the app,” he said, adding that all other “knowledge, information [and] intellectual capital” was passed across.
Other local providers to work on the final app include Melbourne-based Shine Solutions and Canberra-based GoSource.
COVIDSafe and the US CLOUD Act
Pezzullo was also forced to address questions at the inquiry on whether data from the COVIDSafe app would be accessible under the United States’ Clarifying Lawful Overseas Use of Data Act (the CLOUD Act).
Concerns have been raised in recent weeks that the data from the COVIDSafe app, which is stored in AWS’ Sydney region, could be accessible to US law enforcement under the controversial law.
Australia is currently in the process of negotiating a bilateral agreement under the CLOUD Act, but this relies on passage of legislation currently before the Parliament to allow for “reciprocal cross-border access to communications data” for law enforcement purposes.
Both Prime Minister Scott Morrison and government services minister Stuart Robert have denied that this would be possible, despite the fact that AWS is subject to the CLOUD Act as a US-incorporated business, which was reiterated by Pezzullo on Tuesday.
“We’re very confident that there’s no issue there [with the CLOUD Act],” he said, adding that the department had sought and received legal advice on the matter.
He said the interim determination issued by health minister Greg Hunt under the Biosecurity Act when COVIDSafe was launched last week, as well as the Privacy Amendment (Public Health Contact Information) Bill 2020, would prevail over US laws.
“We’re very confident in the negotiations generally that we’re undertaking with the US department of Justice before COVID ever came on the scene, that there would be no clash of laws, that our laws would prevail, as would American laws in relation to data stored in America,” he said.
“The health minister's direction is absolutely binding on all officials. No purported direction request access instrument would be able to penetrate his absolute direction under the biosecurity determination that he has made.
“And then once the Parliament sees fit to legislate more generally for CLOUD, that same level of protection will be applicable, not only in relation to CLOUD down the track because that’s still before parliament, but in relation to any domestic legislation that is put in place prior to that in relation to the app itself.”