Canada Border Services Agency (Re), 2026 OIC 46
Date: 2026-05-28
OIC file number: 5823-04465
Access request number: N/A
Summary
In February 2024, the Information Commissioner initiated a systemic investigation into the Canada Border Services Agency’s (CBSA) handling of access to information requests related to ArriveCAN. The investigation examined the completeness of responses provided to ArriveCAN-related access requests and whether the CBSA provided timely access to ArriveCAN information.
Publicly reported allegations suggested that a CBSA senior official permanently destroyed e-mails and other records that may have been relevant to access requests. The investigation found no evidence to substantiate these allegations.
The investigation did determine, however, that the ArriveCAN project team used the communication and collaboration platform Slack between 2020 and 2023 to communicate about the development, testing and maintenance of the ArriveCAN application. The Slack workspace was permanently deleted in May 2023 without consultation with the CBSA’s Access to Information and Privacy (ATIP) unit and without a documented review of its contents.
The complaint is well founded because the Commissioner found that the CBSA failed to conduct reasonable searches in response to six ArriveCAN-related access requests because Slack was not searched, despite the likelihood that it contained responsive records. The investigation also identified weaknesses in information management practices, including the use of non-government email accounts, reliance on informal storage practices and insufficient governance over third-party collaboration tools.
With respect to timeliness, the investigation confirmed that the CBSA failed to respond to a number of ArriveCAN-related requests within the legislated timelines. That said, the investigation did not identify any unique concerns related to the timeliness of the CBSA’s responses to access requests related to the ArriveCAN initiative.
The Commissioner made several recommendations, all of which were accepted by the CBSA, which committed to implementing corrective measures, including new governance policies, enhanced training and improved information management controls.
In June 2026, the Commissioner tabled her Annual Report to Parliament which includes a special report on the investigation.
Complaint
Based on allegations of the destruction of records that were the subject of access requests made under the Access to Information Act to the Canada Border Services Agency (CBSA), I initiated an investigation into matters related to requesting and obtaining access to information regarding ArriveCAN.
The CBSA began receiving access requests related to ArriveCAN in April 2021 and, at the conclusion of this investigation, had received 189 such requests. These numbers include requests that sought records specific to the ArriveCAN application, the parliamentary study of ArriveCAN, and the third parties and individuals involved in developing the ArriveCAN application. Other requests sought records related to the broader issues that emerged during public discussion of ArriveCAN, a company involved with the project (GC Strategies), contracting practices and alleged misconduct by CBSA employees.
The scope of my investigation includes the public allegations of destruction of records, the access requests received by the CBSA and complaints submitted to the OIC, as well as matters arising during the investigation. The investigation does not address issues such as contract award or administration, procurement practices or alleged violations of the Values and Ethics Code for the Public Sector, nor is it an audit. This investigation also did not examine whether records were or should have been created on particular subjects, as the Access to Information Act applies only to records that exist at the time an access request is made. This investigation was limited to assessing whether existing records were adequately retained, identified, and searched in response to access requests and whether the CBSA provided timely access to ArriveCAN-related requests. The investigation is guided by the principles of procedural fairness, my mandate and the responsibilities and obligations found in the Act.
Context
In March 2020, the Prime Minister announced various measures to respond to the COVID-19 pandemic, including travel restrictions and enhanced airport screening.
The CBSA plays a critical role in protecting Canadians and maintaining national security and public safety through integrated border services. The Public Health Agency of Canada (PHAC) relied on the CBSA to collect information from travellers, including contact and health information, in response to emergency orders issued by the government and under the Quarantine Act.
Due to various limitations of the existing paper form, PHAC asked the CBSA to develop a digital form to collect travellers’ information. The digital form became the ArriveCAN mobile and web application that launched on April 29, 2020, and changed over time to adapt to new emergency orders and technical requirements.
The CBSA's handling of ArriveCAN has faced intense scrutiny due to alleged high development costs, poor project documentation, and allegations of misconduct by CBSA employees.
On February 23, 2024, I notified the CBSA of my intention to initiate this investigation.
Investigation
In conducting this investigation, the OIC reviewed a significant number of reports and a large amount of source material to gather relevant information. The OIC also posed numerous questions to CBSA officials and conducted interviews. Additionally, the OIC analyzed the list of access requests made to the CBSA related to ArriveCAN and reviewed complaints filed with the OIC regarding some of these requests.
The CBSA, and in particular its Access to Information and Privacy (ATIP) unit, fully cooperated with the OIC’s investigation and responded to all questions, requests for documentation and requests for clarification.
A recurring theme throughout the investigation was the significant pressure placed on the CBSA to deliver the ArriveCAN application rapidly. The initial request from PHAC to develop the application was characterized as a quick, simple and low-cost shift from a paper form to a digital one. Representations provided throughout the investigation noted that much of the early development occurred informally, with limited documentation of decisions or processes. As the project and its requirements grew more complex, the team transitioned to more structured procedures.

Key Events Leading up to the OIC’s Investigation
| Date | Event |
|---|---|
| March 2020 | The Public Health Agency of Canada (PHAC) asks the CBSA to develop a digital form to collect travellers’ information |
| April 29, 2020 | ArriveCAN mobile and web application is launched |
| October 2022 | OGGO begins a study on the development, launch, and maintenance of ArriveCAN |
| November 2022 | The CBSA’s Professional Integrity Division (PID) initiates an investigation following allegations of contracting misconduct |
| January 2024 | The Globe and Mail reports allegations that Minh Doan destroyed records potentially relevant to access requests |
| January 2024 | The Office of the Procurement Ombud releases its review of procurement activities related to ArriveCAN |
| February 2024 | Auditor General of Canada publishes Report 1 - ArriveCAN |
| February 2024 | OIC launches systemic investigation into ArriveCAN |
Other oversight bodies raised concerns about project recordkeeping. Reviews and audits related to ArriveCAN identified incomplete documentation regarding procurement activities and project costs. The Office of the Procurement Ombud reported missing records tied to contracting, while the Office of the Auditor General found that financial documentation had not been well maintained and that key aspects of the application’s development and contracting lacked adequate supporting records.
There is no question that the urgency of the pandemic, and the pressure to deliver quickly, significantly contributed to the project team’s reliance on informal tools and processes. One interviewee stated that, in their view, the directive from senior leadership prioritized rapid delivery above all else.
Based on the above, the OIC focused its investigation on two core areas most relevant to access to information: the completeness of the records provided in response to access requests and the timeliness of the CBSA’s responses.
Completeness of responses to ArriveCAN-related access requests
- Were emails and other documents permanently destroyed, as alleged?
- Did the CBSA conduct reasonable searches for records in response to access requests related to ArriveCAN?
- Did other factors affect the CBSA’s ability to provide complete responses to requests for ArriveCAN records?
Timeliness of the CBSA’s responses to access requests related to ArriveCAN
- Did the CBSA respond to access requests related to ArriveCAN in a similar timeframe to that for other access requests?
Completeness of responses to ArriveCAN-related access requests
Several key rules guide record creation and retention within the Government of Canada and information management practices at the CBSA and in relation to ArriveCAN.
Information management legal and policy framework
The creation and retention of records within the Government of Canada are governed by the Library and Archives of Canada Act and the Treasury Board of Canada Secretariat (TBS) Policy on Service and Digital, not the Access to Information Act.
Subsection 12(1) of the Library and Archives of Canada Act requires government institutions to obtain the written consent of the Librarian and Archivist of Canada prior to disposing of or destroying any government records:
No government or ministerial record, whether or not it is surplus property of a government institution, shall be disposed of, including by being destroyed, without the written consent of the Librarian and Archivist or of a person to whom the Librarian and Archivist has, in writing, delegated the power to give such consents.
The Librarian and Archivist of Canada provides government institutions with authorities to use when disposing of government records, including transitory records. This means that institutions may destroy records they deem to be transitory without further reference to Library and Archives Canada. The disposition authority specifies the following:
Transitory records are not of business value. They may include records that serve solely as convenience copies of records held in a government institution repository, but do not include any records that are required to control, support or document the delivery of programs, to carry out operations, to make decisions or to provide evidence to account for the activities of government at any time. [Emphasis in original.]
The Access to Information Act provides a right of access to records under the control of a government institution at the time an access request is made (see subsections 2(2) and 4(1)). This right applies to both records of business value and transitory records that have not yet been disposed of.
TBS’s Guidance for Employees of the Government of Canada: Information Management Basics instructs staff to document business activities and decisions and cautions staff with respect to disposing of transitory information if it is subject to an access request.
Caution!
Transitory records, like all other information under the care and control of the department, are subject to the Access to Information Act and the Privacy Act.
This means that when employees are tasked with an access to information (ATI) or personal information request, they must provide all records that are responsive to the request, whether the records are transitory in nature or considered information of business value [Emphasis added].
Finally, the TBS ATIP Manual provides that “…institutions cannot destroy any records, whether or not they are transitory records or they qualify for destruction under a disposal schedule, if they are aware that a request for access relating to the records has been received or is expected.” [Emphasis added.]
Information management practices at the CBSA and related to ArriveCAN
Information provided by the CBSA shows that it has extensive information management policies, procedures and tools in place, and relies on those issued by the TBS as well as internal policies for email management. The CBSA provided a variety of tools that are readily available to employees and support their understanding of and adherence to information management policies. In addition, the CBSA explained that all new employees are required to complete the Canada School of Public Service course Mandatory Information Management (COR501). In August 2024, it mandated an agency-wide refresh of the course, with a completion rate of 88 percent between August and November 2024.
The CBSA also indicated that it uses the Government of Canada’s official electronic document and records management system (GCDocs), which it refers to as Apollo, as its central corporate repository. In interviews conducted for the investigation, CBSA officials explained that this electronic infrastructure was in place at the beginning of the COVID-19 pandemic and assisted with the transition to telework for many CBSA employees. The CBSA stated that regular information management reminders were provided to employees in the CBSA Daily Bulletin, which was sent to all staff during the period of telework. Further, the CBSA reported that from April 2020 to March 2023, it produced 173 articles for staff on topics relating to saving and managing information and posted information management content on the CBSA intranet.
With respect to the management of ArriveCAN-related information, CBSA interviewees asserted that the CBSA put a file structure system in place in Apollo to store and manage records related to ArriveCAN, with separate folders for various aspects of the project, such as testing, business requirements and security. Employees involved in the project were expected to save records of business value to Apollo in the appropriate folder. This process was overseen by a project manager who was contracted for the ArriveCAN initiative.
1. Were emails and other documents permanently destroyed, as alleged?
Allegations reported by the Globe and Mail suggested that Minh Doan, the CBSA’s Vice-President and Chief Information Officer when the ArriveCAN application was launched, handled email records in a way that resulted in “the permanent destruction of e-mails and other documents that may have been relevant to an access to information request about the agency’s interactions with GC Strategies.” These allegations were widely discussed in the media and in parliamentary committee meetings. In this context, the allegations were publicly framed as the destruction or deletion of email records that covered four years, 2018 to 2022, and pertained to topics including the COVID-19 pandemic, ArriveCAN, GC Strategies and allegations of misconduct raised by another company the CBSA had contracts with, Botler AI.
The OIC investigation shed light on what transpired with respect to the alleged destruction and deletion of emails. The OIC learned that the allegations described by the Globe and Mail were first raised by a CBSA IT employee to the CBSA’s internal Professional Integrity Division (PID). The allegations pertained to documents that were requested through access request A-2023-04588, which sought communications between the CBSA and GC Strategies concerning Botler AI, from October 1, 2019, to January 27, 2023.
Although the access request did not pertain to ArriveCAN directly, the time frame of the records allegedly destroyed included the time when the ArriveCAN application was being developed. It has also been publicly reported that GC Strategies was the largest contractor to work on the ArriveCAN application. Given Doan’s role within the CBSA, reference to GC Strategies in the access request text, and the timeframe included in the access request, the OIC reviewed the circumstances that led to the alleged destruction of records to determine whether these impeded access to information relating to ArriveCAN.
Obstructing the right of access
Subsection 67.1(1) stipulates that no person shall, with the intent to deny a right of access:
- (a) destroy, mutilate or alter a record;
- (b) falsify a record or make a false record;
- (c) conceal a record; or
- (d) direct, propose, counsel or cause any person in any manner to do anything mentioned in any of paragraphs (a) to (c).
I do not have the authority to conduct criminal investigations or to determine civil or criminal liability. Although I may draw conclusions on whether records were destroyed based on the facts before me, I am not empowered to investigate whether such actions were taken with the intent to deny a right of access under the Access to Information Act.
If, during my investigation, I form the opinion that there is evidence that an offence may have been committed, I may disclose to the Attorney General of Canada information relating to the commission of an offence against a law of Canada or a province by a director, an officer or an employee of a government, as provided for in subsection 63(2).
Circumstances leading to the alleged destruction of records
After it receives an access request, one of the first steps an institution must undertake is to task the request to OPIs, the business owners of the requested information responsible for locating and supplying complete and accurate records. Receiving a tasking is the trigger for OPIs to search for and produce records related to a request, including transitory records.
Access request A-2023-04588 sought records from October 1, 2019, to January 27, 2023. The investigation determined that Doan received a new laptop on January 19, 2023, because of a problem with his previous laptop’s battery which had been identified by a colleague. When he tried to transfer data to his new laptop, Doan discovered that an Outlook PST file (a Personal Storage Table used to store Outlook data, including email messages, contacts, calendars, tasks, and notes) would not open. When interviewed by the OIC, Doan explained that he maintained a PST file for his convenience—in particular, for its utility during the pandemic—and that it was not intended to be a primary repository of records. Doan confirmed that records of business value were saved by offices of primary interest (OPIs) under his direction to CBSA corporate repositories (including Apollo) or by his Chief of Staff, who was copied on most correspondence. In addition, the records Doan received were either sent or received by other staff at the CBSA and, as a result, would also have been held by other individuals.
Documentation the OIC reviewed indicates that Doan requested IT support to access the PST file on or before February 14, 2023. Doan was tasked with the access request A-2023-04588 on February 23, 2023, and within two hours, Doan again requested assistance, since he was of the view that the PST file may have included records responsive to the request.
The CBSA’s email records demonstrate that throughout February and March 2023, Doan notified multiple IT staff about the corrupted PST file and asked for assistance in retrieving the information it contained. Multiple individuals from the CBSA and Shared Services Canada attempted to retrieve the data using tools available to them. The investigation revealed that IT staff missed some opportunities during the recovery process. For instance, the recovery efforts were limited to Doan’s replacement laptop and they did not attempt to retrieve Doan’s previous laptop, which held the PST file before it was corrupted. By the time the omission was identified, both laptops (the original with the faulty battery and the replacement) had been erased following Doan’s departure and according to standard processes. The efforts to recover the data ultimately resulted in the retrieval of some of Doan’s MS Outlook files, but the original PST file was never recovered in its entirety.
On April 20, 2023, Doan was provided an email summary of the results of the recovery efforts. The next day, Doan signed a memorandum for the ATIP unit indicating that reasonable efforts had been made to retrieve records from a corrupted PST file. The ATIP unit was satisfied that reasonable efforts had been made by Doan to locate the records and that records held in the PST file would have also been saved in, and therefore retrievable from, other repositories.
The records that had been recovered and saved to a USB (a small portable storage device) were provided to the Vice-President’s Office in May 2023. The CBSA reports that employees had reviewed the records and did not identify any that responded to the access request.
The CBSA responded to access request A-2023-04588 on August 18, 2023. While the OIC investigated a reasonable search complaint related to this request, the allegations centered on missing records from other individuals, not Doan.
The investigation determined that there is no policy, directive or guideline that prohibits the use of PST files at the CBSA. Further, I have found no reason to doubt Doan’s explanations as to why he kept a PST file and the efforts he put into recovering the information.
Conclusion
While records may have been permanently lost and opportunities missed by the staff to recover the corrupted PST file, I am satisfied that Doan himself made reasonable efforts to recover the corrupted records.
Nothing I learned during the investigation into the alleged destruction of records leads me to believe that there was the possible commission of an offence as described in subsection 67.1(1) of the Access to Information Act, nor did I disclose any information of such to the Attorney General of Canada.
In addition, I conclude that the records responsive to access request A-2023-04588 were ultimately found and that the right of access was not impeded.
This investigation has brought to light the fact that, while the use of PST files may be convenient, it undermines governance, compliance and discoverability. Because PST files are often stored locally on individual machines, or on shared drives with restricted access, the information is held outside centralized information management systems. This means that a search for records in response to an access request may miss important information because only one or very few individuals know the records even exist. Further, organizations usually do not have an inventory of PST files, making it difficult to enforce retention and disposition policies.
2. Did the CBSA conduct reasonable searches for records in response to access requests related to ArriveCAN?
Reasonable search
The CBSA was required to conduct a reasonable search for records that fall within the scope of access requests it received—that is, one or more experienced employees, knowledgeable in the subject matter of the requests, must have made reasonable efforts to identify and locate all records reasonably related to these requests.
A reasonable search involves a level of effort that would be expected of any fair, sensible person tasked with searching for responsive records where they are likely to be stored.
This search does not have to be perfect. An institution is therefore not required to prove with absolute certainty that further records do not exist. Institutions must, however, be able to show that they took reasonable steps to identify and locate responsive records.
Access requests related to ArriveCAN
Based on the OIC’s review of information provided by the CBSA, the CBSA has received 189 access requests for records related to ArriveCAN since April 2021. CBSA reported that two of the requests remain active as of March 18, 2026.
Access requests seeking information related to ArriveCAN were responded to in accordance with existing procedures, consistent with any other request received for the same time period.
The CBSA stated that some measures were put in place when OPIs received a number of access requests related to ArriveCAN. For example, the ATIP unit created a report to track all requests related to ArriveCAN to ensure relevant OPIs were aware of the status of requests. In addition, the ATIP unit required that all files related to ArriveCAN be submitted to the Director General and Chief Privacy Officer for approval. The CBSA stated this process was intended to ensure consistency between responses and minimize the number of exemptions applied to the records.
Complaints to the OIC related to responses to ArriveCAN requests
The OIC received 21 complaints related to responses the CBSA provided to the 189 ArriveCAN-related access requests. Of these complaints, 14 included allegations related to the reasonableness of the search and/or missing records.
The CBSA retrieved records not included in its original responses as a result of the OIC’s investigations on 5 of the 14 complaints. However, the circumstances leading to the identification of additional records were specific to each complaint. In one case, no OPI was tasked. In another, the attachments to an email were not included with the initial OPI response, which was deemed to be an individual’s failure to provide all responsive records when tasked. In two complaints, records were located after additional information and keywords were used in the subsequent OIC-prompted searches.
During the investigation into the missing records allegations related to access request A-2023-04588 (the request at issue in the allegations of destruction of records against Doan), additional records were retrieved from the email account of an individual who was no longer employed by the CBSA at the time of the request. These records were provided to the complainant, who subsequently confirmed that they were satisfied with this disclosure, and the complaint was closed with no further action.
One of the 14 reasonable search complaints remained open at the conclusion of the present investigation.
In the remaining eight reasonable search files, the investigations were either discontinued by the complainant or ceased by the OIC following the resolution of the matters at issue, or the complaints were deemed to be not well founded.
Conclusion
The OIC received 14 complaints relating to whether the CBSA conducted reasonable searches for records in response to 189 access requests seeking information on ArriveCAN. Of these, five investigations resulted in additional records being retrieved. In each case, the actions taken by the CBSA corrected the deficiencies, prior to the OIC’s concluding its investigations.
My above-referenced investigations did not identify any systemic issues related to how the CBSA conducted searches for records related to ArriveCAN that would have affected the responses to the access requests.
3. Did other factors affect the CBSA’s ability to provide complete responses to requests for ArriveCAN records?
Use of Slack by the ArriveCAN team
The investigation revealed that the ArriveCAN team used Slack to help team members work together by centralizing conversations, apps and data into dedicated channels for organized communication. Slack is a business-focused messaging and collaboration platform owned by Salesforce, Inc. It features real-time chat, file sharing, and audio and video calls, and is integrated with other tools. The CBSA’s Information, Science and Technology Branch (ISTB) introduced Slack in early 2019, prior to the pandemic, while exploring new ways of communicating and collaborating. At that time, CBSA employees did not have access to MS Teams, which only became available in 2020.
A new Slack channel was created for the team working on ArriveCAN in April 2020, when many employees were switching to remote work. According to CBSA, Slack provided the ArriveCAN technical team with a means to stay connected, coordinate work, and share information and updates.
Statements from CBSA employees and email records indicate that the use of Slack for the development of ArriveCAN was approved by a Director and Director General within ISTB and that other CBSA executives were also aware of its use. Managers, security practitioners and technical users directly involved in the development, testing and release coordination of ArriveCAN were aware of and used Slack. According to the CBSA, Slack was primarily used internally by individuals such as the Director, managers, software developers, quality assurance analysts, user experience analysts and contracted developers and consultants. Some external individuals also used Slack, such as technical representatives from companies specializing in software and mobile applications. While the CBSA stated that it does not have the information or records required to determine the usage frequency or the number of active users at any given time, it indicated that it had a cumulative total of approximately 180 registered users, including users who were not involved in ArriveCAN.
In June 2022, the CBSA’s Cyber Security Directorate raised concerns about the ArriveCAN project team’s use of non-standard collaboration tools, including Slack, during a security assessment conducted for an ArriveCAN release. At the same time, a draft of its Security Management Action Plan indicated that the project team would be “shifting away from Slack as their collaboration tool and using MS Teams instead” in response to recommendations resulting from the assessment.
Email communications reviewed by the OIC indicate that Slack was still being used by the CBSA throughout 2022 and in early 2023. An email from February 2023 stated that CBSA anticipated needing to add a new Slack user in the next one to two months.
In its representations to the OIC, the CBSA stated that the Security Management Action Plan was approved in March 2023 and that discontinuing the use of Slack was formally adopted as “part of broader efforts to align with approved and secure communication platforms.”

Slack Timeline
| Date | Event |
|---|---|
| Early 2019 | CBSA starts using Slack |
| April 2020 | The ArriveCAN team starts to use Slack |
| June 2022 | CBSA Cybersecurity recommends moving away from Slack |
| July 2022 | July 25, 2022 – A-2022-16243 is received; September 20, 2022 – request is tasked; response date unknown. The CBSA has conceded it should have searched Slack but failed to do so, in response to all four access requests. |
| October 2022 | October 19, 2022 – A-2022-23758 is received; November 1, 2022 – request is tasked; response date unknown. October 21, 2022 – A-2022-23882 is received; October 28, 2022 – request is tasked; September 14, 2023 – response is issued. October 19, 2022 – A-2022-23763 is received; November 15, 2022 – request is tasked; October 18, 2023 – response is issued. |
| March 2023 | CBSA commits to moving away from Slack |
| April 2023 | Direction is given to delete Slack |
| May 2024 | Slack is deleted |
| August 2024 | CBSA ATIP unit becomes aware of the use of Slack |
| September 2024 | OIC becomes aware of the use of Slack for ArriveCAN |
In April 2023, an Acting Director of ISTB instructed a team leader to delete the Slack workspace by May 12, 2023. On April 21, 2023, an email was sent to some CBSA Slack users advising them that Slack would be discontinued. On May 12, 2023, the same team leader sent an email to the Acting Director indicating that Slack had been deleted.
The CBSA stated that the decision to delete Slack was based on several considerations, including that the Cyber Security Directorate had raised concerns over its use; the CBSA committed to moving away from it as a result. In addition, the CBSA considered it would no longer be financially viable to maintain the platform, which incurred ongoing costs, at the conclusion of ArriveCAN funding in May 2023. The CBSA also explained that, with the use of Microsoft Teams, the duplication of collaboration tools and the associated costs were unnecessary. Further, the CBSA explained that it considered the nature of the data stored on Slack when making its decision to delete it, stating that the workspace only contained transitory records and that all records of business value, such as records of decisions, would have been stored in corporate repositories outside of Slack.
Information on Slack and its relevance to the public’s right of access
Given that Slack was deleted before I launched this investigation, the OIC was unable to review the contents of the Slack workspace or confirm the nature and value of the information that was created, shared and stored within it, nor could the CBSA provide any backups or archival copies of the workspace. The OIC, therefore, reviewed evidence and interview statements gathered by the PID, conducted its own interviews of Slack users, and sought representations from the CBSA, to better understand the nature of the records held on Slack and their possible relevance to access requests related to ArriveCAN.
According to the CBSA, Slack was used for messaging, limited file sharing of task-related information, coordination with external partners, task tracking and automated feeds (e.g. information from the Apple and Google Play stores). During interviews with the PID and the OIC, users described the information on Slack as technical in nature and stated they were not aware of protected or otherwise sensitive information held on the platform. They explained Slack was used for communications between CBSA developers and with external partners, largely to discuss and assign tasks. The OIC was provided with one example of a Slack message, which had been copied as part of an email discussion about the testing of push notifications. The Slack message included updates on testing and troubleshooting being conducted for the application.
A review of the list of channels created for the workspace reveals that Slack was used for the communication and coordination of many aspects of ArriveCAN development and maintenance. The workspace included a channel for communications to the entire team, as well as a channel specific to developers. It also included channels for specific teams or activities (bugs and testing, testing for release, regression testing, requirements, support, translation, accessibility, Appstore comments [automatic feed], web development) and a channel for an external partner.
I conclude that Slack was used between April 2020 and May 2023 to exchange information between CBSA staff, vendors and contractors related to the development, testing and requirements of ArriveCAN and that this information was relevant to the public’s right of access.
Instructions on the use of Slack and information management
The representations provided by the CBSA emphasized that the information created on Slack was transitory in nature and that Slack was not considered an official repository. According to the CBSA, employees were instructed to store all information of business value, including business decisions and documents, outside of Slack. Representations from the CBSA, as well as statements during interviews with members of the ArriveCAN project team, outlined numerous corporate repositories where the information shared or created on Slack would have been stored, including Apollo and other tools used to record defect management and task management. The OIC also reviewed email correspondence between CBSA employees from April 2020 to May 2021, in which an ArriveCAN Project Manager specified that information of business value should not be transmitted on Slack.
The CBSA provided guiding principles for the use of Slack, created in February 2021, including on how Slack should be used, for example, for short questions and answers, updates and reminders. The guidance also directed users to conduct communications in the appropriate channel. However, the CBSA did not provide any documented evidence that it had shared the guiding principles with anyone or that any other training had been provided to employees to ensure records were saved to corporate repositories. The CBSA stated that training on Slack was provided to team members during one-on-one onboarding. Further, there is no evidence of any guidance being provided to ArriveCAN team members between the adoption of Slack for the ArriveCAN project in April 2020 and the creation of the guiding principles in February 2021.
With respect to the retention of information prior to the deletion of the Slack workspace, the CBSA stated that it considered whether it was necessary to retain information on Slack prior to its deletion and determined that the workspace did not contain information of business value. More specifically, the CBSA stated that the individuals who facilitated the deletion of the Slack workspace reviewed the information on Slack prior to its deletion to ensure that any information of business value was retained.
Email records reveal that the Acting Director, who ordered the deletion of the Slack workspace, asked a team leader to work with the ArriveCAN Project Manager to make sure that any files that might be needed were offloaded. This email, in addition to interview statements, confirms that some consideration was given to the retention of information on Slack. However, all the individuals involved acknowledged in statements to the OIC that no review of the information in Slack was conducted and no actions were taken to save any specific records from the workspace prior to its deletion. They maintained that it was not necessary to review or retain information on Slack since, in their view, the information on the workspace was transitory or duplicates of documents saved in other repositories and that records of business value were also saved in those official repositories.
The OIC reviewed the email sent to Slack users within the CBSA advising that the workspace would be discontinued. The email did not provide any instructions or guidance to users regarding the review or retention of records held on Slack prior to its deletion.
Records responsive to access requests submitted prior to Slack’s deletion
The OIC examined whether the use of and subsequent deletion of Slack may have affected the completeness of the CBSA’s responses to access requests. The CBSA initially stated there was no information in Slack relevant to requests at the time of its deletion; however, it did not provide any information on how the workspace was searched for information relevant to requests or by whom. The then-Acting Director stated that prior to Slack’s deletion they considered the relevance of the Slack records to requests but were of the view that there were no active requests at that time. However, they also stated they did not consult the CBSA’s ATIP unit on this point.
The OIC reviewed the access requests related to ArriveCAN to assess whether information on Slack may have been relevant to any of them, searching request texts for references to communications such as instant messages in general, and Slack in particular. The OIC also searched for topics and keywords related to the development and design of the application and the content believed to be on Slack, based on the list of Slack channels, the CBSA’s representations and witness statements.
The OIC’s review identified access requests referencing information that may have been created, shared or otherwise existed on the Slack workspace. Of these, 16 were submitted to CBSA prior to the deletion of Slack. The OIC sought representations from the CBSA concerning the searches conducted for these requests to determine whether Slack may have held responsive records and whether Slack was searched for them.
The CBSA asserted that all employees involved with ArriveCAN would have been tasked with retrieving records for requests related to the project and that tasking of the ISTB would have been done as part of normal ATIP operations.
In conducting a reasonable search, institutions must be able to show that they took reasonable steps to identify and locate responsive records where records could reasonably be expected to be found.
The CBSA asserted that Slack was not used for creating or storing records and indicated that any documents or records would have been saved to Apollo. The CBSA stated that the records held on Slack would be transitory and duplicates of records maintained in official systems.
While the categorization of records as being transitory or of business value is relevant to record retention and disposition policies, it is not relevant to the retrieval of records in response to access requests. When tasked with a request made under the Access to Information Act, all responsive records, including transitory records, must be retrieved and provided to the ATIP unit.
The CBSA only searched Slack in response to one access request
Despite Slack being used as a collaboration and communication tool for the development of the ArriveCAN application, the CBSA identified only one access request for which Slack was searched for records, request A-2022-16871, submitted in August 2022:
All communications including emails, texts, instant messages, Slack messages, WhatsApp messages, briefing notes, memos, media lines, etc., sent/received by department officials with responsibility for the file regarding payments or directions directed by the department for online reviews of the ArriveCAN app.
According to the CBSA, the relevant OPI searched Slack for responsive records but because it did not at any time direct or make payment to any party regarding online reviews related to ArriveCAN, no responsive records were created or would exist in Slack or any other repository. After having considered the relevant information, I am of the view that the CBSA’s “no records” response was reasonable in the circumstance.
A second access request specifically requesting Slack messages, ZA-2023-13742, was submitted after Slack was deleted. The requester abandoned the request prior to the CBSA’s issuing a response.
Other access requests for records that may have been on Slack
The text of other requests reviewed by the OIC did not specifically mention Slack. However, based on what this investigation has determined to have been stored on Slack, I conclude that the individuals who made the requests sought information that may have been discussed or shared on the platform.
The CBSA confirmed that Slack may have held records of discussions relevant to the subject matter of four access requests received before Slack was deleted. The CBSA conceded that Slack should have been searched for responsive records and indicated that it was not.
Two additional access requests focused on correspondence or other communications with external agencies, such as vendors, regarding topics related to creation of the application and the data collected through it. The CBSA asserted that Slack was not searched in these instances because it was only used for communications between employees and contractor representatives, who could be considered temporary employees. The CBSA stated that the contractors were not considered separate organizations or entities, as specified by the request texts.
Other representations and evidence provided by the CBSA indicate that Slack was used for communications with representatives from external organizations, including vendors, contractors and/or subcontractors. For example, numerous external business representatives are listed in documents as registered Slack users.
I am of the view that the CBSA appears to have taken a narrow interpretation of the access request text and the terminology the requesters used, which is insufficient rationale for not searching Slack. Slack may have held communications relevant to the subject matter of these two requests. For the searches to be considered reasonable, steps should have been taken to search Slack.
Since Slack was still in use and accessible prior to the date it was deleted (May 12, 2023), and Slack could reasonably be expected to hold records relevant to the subject matter of six access requests, the OPIs had an obligation to search Slack for responsive records. Since Slack was not searched, I conclude that CBSA did not conduct a reasonable search for records in response to those six requests. I note that no complaints were made to the OIC related to any of these requests.
Under normal circumstances, the OIC would ask the CBSA to perform additional searches and review any responsive records with a view to providing them to the requesters. Of course, this is no longer possible since Slack has been deleted.
Use of non-government email accounts
The investigation revealed that some CBSA employees on the ArriveCAN team, specifically those who updated the ArriveCAN application on the Google Play store, were instructed to create a Google account (e.g. firstname.lastnameCBSA@gmail.com) to conduct this work. The personal/CBSA addresses were created for the sole purpose of accessing app stores for tasks such as publishing and updating the application, as app stores require the use of email addresses with their services (e.g. Google Play Store requires the use of an @gmail.com email address). The CBSA maintains that the use of these accounts was limited to technical and administrative interactions with the app stores and that records in the accounts would consist of notifications from the platforms and other transitory, administrative information related to store management. The CBSA stated that any record of business value, including business communications, would have been saved to the CBSA’s corporate repositories.
A review of user credentials for the CBSA Slack workspace indicated that some CBSA employees used non-government email addresses to access that platform as well. The CBSA confirmed that no formal policy or directive was issued concerning which email account employees were to use to access Slack, so they chose whether to use their CBSA, personal/CBSA or personal email account. The CBSA explained that the email addresses were required for login purposes, and that only Slack notifications would have been sent to those addresses. This meant that, according to the CBSA, no business-related records would have been exchanged using those accounts or held in them and that, on that basis, they would not have been searched when responding to access requests.
The practice of creating or using non-government email accounts to access third-party platforms and to conduct CBSA business, including work on the ArriveCAN application, raises serious concerns. The conduct of government business through personal devices, non-government email addresses or external platforms presents ongoing challenges for effective records management and compliance with access obligations. In particular, such practices may disperse records related to government matters across multiple locations and increase the risk of incomplete or inadequate responses to access requests. These risks underscore the importance of clear institutional practices and guidance respecting the creation, retention, and accessibility of records relating to government business.
I note recent Ontario jurisprudence in which the Court declined to interfere with the Information and Privacy Commissioner (IPC) findings that entries in the call logs of the personal cellphone of a public official relating to governmental or departmental matters are under the control of the institution and that it is reasonable to expect a public official to produce information relating to government business from their personal call logs upon request. The Court confirmed that such records may fall within the scope of access-to-information legislation, subject to limited and specific exemptions. It further found that the IPC reasonably applied the control test under FIPPA and appropriately considered both the purposes of access-to-information legislation and the impact that denying access could have on a citizen’s right to fully participate in democracy.
This jurisprudence serves as a useful reminder that the scope of an institution’s access obligations is informed by the substance of the activity recorded, rather than by the choice of platform or device. Records relating to departmental matters may therefore be responsive to an access request even when they reside outside government-approved systems, and institutions may be required to take reasonable steps to identify and retrieve such records.
Finally, even if it is not intended, using non-government email accounts to conduct important government business creates a perception that public servants are avoiding recordkeeping rules and may be trying to avoid accountability.
Role of the ATIP unit
The TBS ATIP Manual sets out that the main responsibilities of an ATIP unit include “establishing a work method for providing accurate and swift responses to access to information requests.” I expect a well-functioning ATIP unit’s work methods to include a challenge function—that is, it systematically reviews the OPI’s response to the tasking request. This review is key to ensuring that the OPI has understood the scope of the access request and that all relevant information has been retrieved.
It is impossible for an ATIP unit to have adequate work methods in place to provide accurate responses to access requests if it is not made aware of the institution’s information holdings. My investigation has revealed that the ATIP unit was never informed that the Slack workspace was used to conduct business related to ArriveCAN. In fact, the CBSA ATIP unit was not made aware of the use of Slack until more than one year after it had already been deleted. Given this, the ATIP unit was unable to play its critical challenge function when OPIs responded to ArriveCAN-related access requests.
Conclusion
I conclude that CBSA failed to conduct reasonable searches in response to six ArriveCAN-related access requests.
- The CBSA conceded that while Slack may have held records relevant to four access requests, it was not searched.
- Slack may have held records responsive to two additional requests and the CBSA did not provide sufficient justification for the decision not to search Slack.
- There is no evidence of documented guidelines or policies concerning the use of Slack and the management of information created and stored on Slack between April 2020 and the creation of the guiding principles in February 2021.
- The CBSA was unable to provide any documentation to verify how and when the guiding principles were provided to employees or how compliance with these principles and with information management practices was monitored.
- The ATIP unit was unaware that Slack existed and therefore could not challenge the completeness of the records it received.
Timeliness of the CBSA’s responses to access requests related to ArriveCAN
4. Did the CBSA respond to access requests related to ArriveCAN in a similar timeframe to that for other requests?
Section 7 requires institutions to respond to access requests within 30 days unless they have transferred a request to another institution or validly extended the 30-day period for responding by meeting the requirements of section 9. When an institution does not respond to a request within the 30-day or extended period, it is deemed to have refused access to the requested records under subsection 10(3).
OIC complaints related to timeliness
At the conclusion of the investigation, the OIC had received 20 delay and extension of time complaints following from the 189 ArriveCAN access requests made to the CBSA.
The investigations into these complaints have been concluded and all determined that the CBSA did not respond to the access requests within the time limits in the Access to Information Act. At the conclusion of the investigation into two of the complaints, I ordered the CBSA to respond to the request. The CBSA had responded to the other requests before an order was necessary.
CBSA average response times
In response to OIC questions, the CBSA provided data showing that the average response time for requests related to ArriveCAN was 224 calendar days in the 2024–25 fiscal year, compared to 101 days for requests related to CBSA corporate records (excluding immigration information).
The CBSA explained that response times can vary based on a variety of factors, such as the complexity of the file and the volume of records, and thus are not directly comparable. For example, the CBSA outlined that requests for corporate records resulted in an average of 80 pages, while requests related to ArriveCAN resulted in an average of 661 pages. To respond to ArriveCAN-related requests, the CBSA processed more than 320,000 pages and released nearly 125,000 pages. The OIC reviewed information obtained from the CBSA to identify what additional factors, if any, might have affected the CBSA’s ability to respond to access requests within the timeframes allowed under the Access to Information Act.
Impact of preparing responses for parliamentary committees
The OIC noted that the CBSA was also required to prepare disclosure packages for parliamentary committees examining the ArriveCAN initiative. The CBSA explained that the preparation of these packages affected some OPIs’ capacity to respond to access requests in a timely manner. More specifically, some subject matter experts within ISTB and the Finance and Corporate Management Branch were simultaneously responsible for providing responses to questions from Parliament and access requests relating to ArriveCAN. The responses to Parliament were the priority, which delayed the retrieval of records in response to some access requests.
The CBSA asserted that the work to prepare disclosure packages for Parliament had less impact on the ATIP unit than the OPIs, since it was managed by staff in the offices of the Director, ATIP Case Management, and the Director General and Chief Privacy Officer. As a result, the impact on resources involved in processing access requests was minimal.
Impact of server disruption
The CBSA explained that the average response times for the years 2021 to 2024 were affected by a server outage that had occurred in 2024 and affected the ATIP unit’s case management system. The OIC reviewed the available information about the outage and its impact on the CBSA’s responses to access requests.
On February 20, 2024, the CBSA informed the OIC of a disruption to 40 of its servers that had occurred during infrastructure maintenance conducted by Shared Services Canada. Some of the affected servers held information related to access requests, responsive records for pending requests and complaint investigation records.
While the inaccessible information had not been deleted and no security breach had been identified, ultimately, the CBSA was unable to access the information held on the servers in a manner that would ensure business continuity. The outage meant that the CBSA had to revert to manual processing for the two weeks it was without its case management system. It took two months for the full functionality of the case management system to be restored.
The CBSA confirmed that the server outage limited its ability to respond to access requests, including those related to ArriveCAN, received through the ATIP Online Request Service between September 2021 and November 2023, and for requests received through other means until February 2024. Overall, approximately 16,000 active access and privacy requests were stalled by the outage. Shared Services Canada and the CBSA successfully recovered 5,200 requests, with the remaining 10,800 requests rendered inaccessible.
In practical terms, this meant that the CBSA had to reconstruct, in some cases with the help of the OIC, hundreds of access requests. In addition, requesters were encouraged to resubmit access requests. The CBSA ATIP unit hired 12 temporary employees to assist with the recovery efforts, which were completed in August 2024. The CBSA stated that it recovered approximately 4,000 requests and that approximately 1,200 were resubmitted. The outage resulted in a significant increase in the ATIP unit’s workload and created delays in the CBSA’s processing of requests.
As for the impact on access requests related to ArriveCAN, the CBSA explained that it had tracked requests related to ArriveCAN in a separate Microsoft Excel worksheet, which was updated weekly prior to the server outage. This put it in a better position to identify the affected requests. Ultimately, the CBSA was unable to determine whether a response had been provided for 9 of the 189 ArriveCAN-related requests. It also could not identify the source of these requests in order to follow up with them. As a result, nine requesters would have had to refile their requests.
The CBSA advised that, as of September 29, 2025, it had returned to its pre-outage capacity of responding to between 1,000 and 1,200 access requests per week. At that time, it had an inventory of 316 open requests not specific to ArriveCAN that were beyond their statutory due date and was working on reducing the backlog.
The CBSA also informed the OIC that, although server maintenance and management is the responsibility of Shared Services Canada, both Shared Services Canada and the CBSA have since implemented measures to prevent future outages. Specifically, Shared Services Canada reviewed its backup protocols for all of its partner organizations, and the CBSA created a schedule for assessing the functioning of all backups.
Conclusion
Based on the average response times provided by the CBSA, requesters seeking records relating to ArriveCAN waited slightly longer for a response than requesters seeking access to other corporate records. I accept that the complexity of the ArriveCAN-related requests and the associated volume of records are likely factors contributing to the discrepancy in response times. In addition, the workload of OPIs tasked with ArriveCAN requests had increased due to the need to prepare information for parliamentary committees. This, in turn, affected the OPIs’ ability to conduct timely retrievals.
The server outage that occurred in February 2024 had a significant impact on the operations of the CBSA ATIP unit and a detrimental effect on the CBSA’s ability to respond promptly to all access requests, including those related to ArriveCAN. The information provided by the CBSA indicates that requests related to ArriveCAN were a small proportion of the requests affected by the outage. Further, due to the CBSA’s separate recording of these requests, the impact of the outage for them was less significant than it was for other requests.
I conclude that the CBSA took reasonable steps to respond to this incident and recover the affected information.
The investigation did not identify any unique concerns related to the timeliness of the CBSA’s responses to access requests related to the ArriveCAN initiative. While the explanations for the delays the CBSA provided are relevant to understanding why it took longer to respond to ArriveCAN-related requests, they do not amount to a valid justification for a delay under the Access to Information Act.
Outcome
There is no question that significant pressure was placed on CBSA officials to deliver ArriveCAN, and I have no reason to doubt that the health and safety of Canadians was the CBSA’s primary concern in creating this application.
The investigation established that the team responsible for ArriveCAN used Slack to communicate on the development, design and maintenance of ArriveCAN. The investigation confirmed that the CBSA received access requests from individuals seeking information related to the topics and activities that are believed to have been managed on Slack; however, no records from Slack were retrieved or provided in response to these requests before Slack was permanently deleted.
Whether I believe CBSA officials’ assertions that all information on Slack was transitory is not relevant. Staff working in institutions covered by the Access to Information Act must not delete or destroy records, including transitory records, when they have received an access request relating to these records. Poor information management practices have a deleterious effect on the right of access and on the mechanisms put in place by Parliament to ensure it is being upheld.
Since the Access to Information Act came into force in 1983, digital technologies have transformed how information is created, stored and shared, increasing both the volume and complexity of government records. I support institutions’ wanting to adopt innovative ways of improving services to Canadians, but not at the expense of the Act’s foundational principles of transparency, accountability and openness, which are essential to a well-functioning democracy.
The complaint is well founded.
- The CBSA did not search Slack for records in response to six access requests when it would have been reasonable to do so.
Recommendations
I recommend the Minister of Public Safety and Emergency Preparedness do the following:
- Implement formal, documented policies governing the use of third-party collaboration tools
The CBSA was unable to provide any documented guidance on the use of Slack between April 2020 and February 2021, evidence that the guiding principles created in February 2021 were ever disseminated, or any formal guidance on the retention of information created in Slack, or to show how compliance with these principles and with information management practices was monitored.
The CBSA should enforce comprehensive policies governing the use of third-party collaboration tools such as Slack. These policies should do the following:
- clearly define what types of information may be created, shared or stored on such platforms
- require that all records of business value be transferred to official repositories (e.g. Apollo)
- prohibit the deletion or decommissioning of any platform without prior verification with the ATIP unit.
- Enhance oversight of recordkeeping for major projects and require documented review and retention procedures before decommissioning any system
The deletion of Slack without a formal review, without documented retention steps and without consulting the ATIP unit, was a significant governance failure.
Before any system or workspace is deleted, the CBSA should implement mandatory procedures requiring the following:
- a documented review of the content by designated officials
- confirmation that all records of business value have been transferred to official repositories
- consultation with the ATIP unit to determine whether the system contains information relevant to existing access requests
- written approval from an appropriate authority confirming that deletion may proceed.
- Prohibit or strictly regulate the use of non-government email accounts for CBSA business
The use of personal or personal/CBSA email accounts to access Slack and app store platforms created risks (e.g., business records held outside official systems are not indexed, searchable or known to ATIP offices, fragmentation creates a higher risk of producing incomplete responses to access requests and creates a perception that public servants are avoiding recordkeeping rules and may be trying to avoid accountability) for retrieving records for access and transparency.
The CBSA should prohibit the use of non-government email accounts for work purposes unless these are explicitly authorized under a formal policy (e.g. Directive Use of Non-Government Email Accounts for Work Purposes). When exceptions are necessary, the CBSA should do the following:
- document the justification
- ensure that all records of business value generated through these accounts are transferred to official repositories
- ensure that all records in these accounts are searched when an access request relating to these records is received
- maintain oversight to ensure compliance with stated policy.
- Reduce reliance on personal storage practices
The use of PST files may undermine governance, compliance and discoverability, since these files are held outside corporate repositories.
The CBSA should discourage the use of PST files, local drives and informal communication platforms as primary storage locations. Clear guidance should be issued to ensure that all records of business value are promptly transferred to Apollo or other approved repositories.
- Conduct periodic audits of information management practices
For major initiatives such as ArriveCAN, the CBSA should conduct periodic audits to ensure the following:
- records of business value are being captured and saved to appropriate corporate repositories
- deletion or decommissioning of systems is conducted only through usual retention and disposition processes
- information management responsibilities are clearly assigned and monitored.
Such audits would help identify issues early and prevent the recurrence of the failures observed in this investigation.
- Strengthen the ATIP unit’s challenge function
The investigation determined that the ATIP unit did not have full awareness of all communication platforms and information repositories used by the program area during the period under review. This impeded the ATIP unit’s ability to effectively exercise its challenge function and assess whether searches conducted by OPIs were complete, as evidenced by the CBSA’s failure to search Slack for 6 access requests. Strengthening this challenge function requires that the ATIP unit is well positioned to identify potential gaps and to question search efforts when warranted.
To support a more effective challenge function, the CBSA should do the following:
- ensure the ATIP unit is informed of all information repositories and communication tools used across the organization
- require OPIs to provide clear justification when certain repositories are excluded from their searches
- formalize expectations for how the ATIP unit applies its challenge function when reviewing search efforts
- provide the ATIP unit with training and tools to help identify potential gaps in search efforts.
Initial report and notice from institution
On March 31, 2026, I issued my initial report to the Minister of Public Safety and Emergency Preparedness setting out my recommendations.
On April 30, 2026, the President of the CBSA gave me notice that she would implement my recommendations.
Specifically, the CBSA has already begun strengthening its information management practices following a June 2025 Internal Audit of Information Management. The President confirmed that 20% of the audit’s Management Response and Action Plan has already been implemented, with the remaining measures to be completed by the end of 2026.
The CBSA is also committed to:
- Developing formal policies for the use of third-party collaboration tools and non-government email accounts
- Embedding information management checkpoints at each step of project management gating
- Documentation, including decisions and all project artifacts, is now required prior to all project approvals
- Establishing a formal policy on the use of non-government email accounts for work purposes
- Implementing a phased strategy to reduce the usage of personal storage practices by 2027 to ensure that CBSA information is stored in approved repositories
- Conducting ongoing information management compliance reviews through the Recourse, Standards and Program Integrity Branch established in 2025
- Enhancing the ATIP unit’s challenge function through clearer search guidance and targeted analyst training before the end of this fiscal year.
The underlying issues revealed during this investigation are not unique to it, nor are they confined to the specific context of the COVID-19 pandemic. They reflect broader structural vulnerabilities affecting the right of access that exist wherever digital collaboration tools are used without commensurate governance, oversight or information management controls.
Ensuring that access to information remains meaningful in the digital-first era requires sustained attention, clear accountability and decisive action from institutions, policymakers and Parliament. As such, I intend to publish a Special Report in my 2025-26 Annual Report to draw attention to three broader issues facing Canada’s access to information system.
Caroline Maynard
Information Commissioner of Canada