2025-2026 Annual Report

This annual report detailing the work carried out by my office between April 2025 and March 2026 is being tabled at a pivotal moment for government transparency and the right of access to information. 

The Government of Canada is required to conduct a review of the Access to Information Act every five years. I recently provided my submission to the latest legislative review, launched in June 2025, setting out clear recommendations for strengthening the Act and ensuring the right of access can be exercised in a meaningful way. I trust the government will consider my input carefully; it is the product of the deep knowledge and experience my office has gained over many years and thousands of complaint investigations.

While early signs have not been promising, it is nevertheless my hope that the legislative review will be a meaningful step in the modernization of both the Act and the system that underpins it. Before this modernization can be achieved, however, decision-makers must take heed of lessons taught to us by the mistakes of the recent past.  

To take just one example, the special report included within this annual report outlines my investigation into matters related to requesting and obtaining access to information about the ArriveCAN application. At the conclusion of that investigation, I made recommendations to the Canada Border Services Agency highlighting underlying issues that will, if left unaddressed, inevitably continue to impact the right of access. 

This investigation demonstrates that, as digital tools continue to be introduced to the workplace, there are very real consequences that come with failing to ensure that governance, oversight and information management policies and practices evolve sufficiently rapidly.  

As I begin my 9th year as Information Commissioner, I repeat my familiar message: now, more than ever, ensuring timely access to reliable and credible information is essential.  

An access to information system that reflects the realities of the 21st century and upholds Canadians’ right to know is within reach. However, it is only through sustained leadership, thoughtful legislative reform and a genuine commitment to openness across government that this goal can be achieved. 

I remain steadfast in my commitment to protecting Canadians’ right of access and to working with institutions, Parliament and the public to strengthen the federal access to information regime for the years ahead.

In 2025–26, the Commissioner issued 63 orders against PCO, the most ever for this institution. These orders stem from the well-founded outcome of 28% of all PCO complaints concluded during the year, up from 16% in 2024–25 and 15% in 2023–24. The proportion for 2025–26 is significantly higher than the all-institution average of 8.6%. Orders against PCO related to refusal complaints accounted for 19% of all refusal orders issued in 2025–26. 

In addition, in 10 investigations concluded with orders, PCO did not provide the required notice to the Commissioner indicating whether it intended to implement her orders, as required under the Act. 

One case involved PCO’s refusal to disclose handwritten signatures and initials of senior officials on internal documents on the basis that they constituted personal information. Despite being informed of the OIC’s preliminary view—and the Privacy Commissioner’s concurrence with it—that such information does not constitute personal information when it is created in the course of official duties, PCO maintained its position. The Commissioner ultimately ordered disclosure. While PCO continued to be of the view that it was personal information, it disclosed the information after obtaining the individuals’ consent to do so. 

Concerns also remain regarding PCO’s internal processes and delegation structure. In one investigation, the Commissioner recommended that the Clerk review PCO’s internal consultation and approval processes to improve efficiency and ensure compliance with statutory timelines. The Clerk did not indicate whether he would implement this recommendation, and no improvement has been observed in subsequent investigations.

The authority the Prime Minister has delegated to PCO for access to information provides broad powers to the Clerk, senior management, Assistant Secretaries, Assistant Deputy Ministers and other senior managers, while the ATIP Coordinator has limited delegated authority, including none to make representations to the OIC during complaint investigations. This level of control increases the time and complexity of investigations, since ATIP officials must consult business units even for basic information. Approval processes are often cumbersome, and the OIC frequently receives requests from PCO to extend the deadline to respond to simple queries due to delegated officials not being available. 

In addition, a large proportion of refusal complaints under investigation involve historical records from the 1940s to the early 1990s. In investigating these complaints, it became apparent that PCO relies heavily on consultations with other institution when determining whether records can be released in response to access to information requests.

Improvements in compliance at Library and Archives Canada and the Department of National Defence 

While PCO has faced some challenges, Library and Archives Canada (LAC) and the Department of National Defence (DND) are demonstrating improvements.  

In response to the Commissioner’s recommendations arising from her 2022 systemic investigation, LAC continues to publish semi-annual updates to its ATIP Action Plan.  

These updates feature details of LAC initiatives to reduce its complaints inventory, to introduce a new ATIP delegation instrument to streamline request processing and to enhance training.

As a result of this work on LAC’s part, there has been a steady decline in the OIC’s inventory of complaints against LAC—from a high of 266 in 2021–22 to 101 in March 2026—as well as a significant decrease in the number of orders issued, from 109 in 2023–24 to 16 in 2025–26.

Following a significant increase in complaints in 2024–25, there was a steady decline in the inventory of complaints against DND during 2025–26.

While the number of orders the Commissioner issued against DND has remained stable over the past two years, this figure is expected to decrease in the coming year in line with the declining inventory of complaints. 

Court applications primarily dispute ordered response dates

Applications to the Federal Court for reviews related to delay and extension of time complaints arose from the Commissioner’s ordering the institution to respond to the access request by a set date. In every application, the institution disputed the ordered response date. 

Of the applications for review filed with the Court in 2024–25 related to delay and extension of time complaints, 16 were carried over into 2025–26. The Minister of National Defence was the applicant in 13 of these cases, and the Minister of Canadian Heritage in the remaining 3. 

Of the 16 applications carried forward, 15 were discontinued because the institution provided a response to the access request prior to the conclusion of the litigation process, with 47% discontinued within six months of the application being filed with the Court. Only one application proceeded to a hearing, and the Court’s decision is pending (T-418-25). 

In 2025–26, 18 new applications were filed with the Court relating to delay and extension of time complaints, 16 of which were brought by the Minister of Canadian Heritage. During the same period, 16 applications were discontinued by institutions after they provided a response to the access request. Of these, 94% were discontinued within six months of the institution’s filing their application for review. 

In most applications for review associated with delay and extension of time complaints, the delay in responding to the access request was largely due to offices of primary interest not meeting tasking deadlines or to lengthy consultations with other government institutions. 

On the litigation front

Four applications for review in refusal complaints were submitted to the Federal Court in 2025–26. Here are two examples:

Canadian Broadcasting Corporation (T-3985-25)

The access request sought the number of paid subscribers to Gem, a CBC media streaming service. The Commissioner concluded that the complaint was well founded, finding that the CBC had improperly withheld the information under paragraph 18(b) (competitive position of government institutions or negotiations by government institutions). She also determined that the information did not relate to the CBC’s journalistic, creative or programming activities, other than information relating to its general administration, and, therefore, was not excluded from the Act under section 68.1. The Commissioner ordered the CBC to disclose the number of paid Gem subscribers.

In its application for review, the CBC submits that the information ordered to be disclosed should be withheld under paragraph 18(b) and is excluded from the application of the Act pursuant to section 68.1.

Minister of Crown-Indigenous Relations and Northern Affairs Canada (T-3653-25 and T-1350-26)

The Minister of Crown-Indigenous Relations and Northern Affairs Canada submitted two applications for review arising from separate access requests for the same document: a settlement agreement between Canada and the Squamish Nation signed in 2000.

In one complaint, it was alleged that the Minister had improperly withheld information under paragraphs 20(1)(b) (confidential third-party financial, commercial, scientific or technical information), 20(1)(c) (financial impact on a third party) and 20(1)(d) (negotiations by a third party), and section 23 (solicitor-client and litigation privilege). In the other complaint, it was alleged that the Minister improperly withheld information under paragraphs 18(b) (competitive position of government institutions or negotiations by government institutions), 20(1)(b) (confidential third-party financial, commercial, scientific or technical information), 20(1)(c) (financial impact on a third party) and 20(1)(d) (negotiations by a third party), and section 23 (solicitor-client and litigation privilege) and the common law settlement privilege.

The Commissioner concluded that both complaints were well founded and ordered the disclosure of the entire settlement agreement. In its applications for review, the Minister submits that the information ordered to be disclosed should be withheld. The first application (T-3653-25) is held in abeyance pending the court decision in Minister of Indigenous Services Canada v. Information Commissioner of Canada, (T-1556-24). In the second application (T-1350-26), the complainant has recently filed a notice of appearance to be added as a party to these proceedings.

Other ongoing litigation

Attorney General of Canada v. National Security and Intelligence Review Agency Secretariat (T-3153-25)

The Commissioner sought leave to intervene in the application for judicial review brought by the Attorney General of Canada under section 18.1 of the Federal Courts Act seeking to quash the National Security and Intelligence Review Agency Secretariat’s (NSIRA) decision to disclose and publish information subject to an access request. The Attorney General alleges that NSIRA failed to apply exemptions under the Act as suggested by the Department of National Defence during intergovernmental consultations.

Federal Court decision about the admissibility of a complaint

Moreau v. Canada (Attorney General), 2025 FC 1036

The Federal Court dismissed an application for judicial review after finding that the Commissioner had reasonably determined that the complaint was inadmissible. The Court agreed with the Commissioner’s finding that the applicant had not followed the mandatory instructions when making an access request and that the institution had never received the applicant’s request.

Mandamus 

Minister of Health (T-4586-25) 

In November 2025, the Commissioner applied for a writ of mandamus against the Minister of Health because Health Canada had neither implemented her order requiring the Minister to provide a response to an access request by a specific date nor sought a review before the Federal Court. The matter was discontinued on March 9, 2026, after the Minister fully implemented the Commissioner’s order. For more information on court cases relating to the Access to Information Act where the Information Commissioner was involved in the proceedings as a party or an intervener, please visit the OIC Court cases webpage.

Introduction 

In March 2020, the Prime Minister announced a series of emergency measures in response to the COVID-19 pandemic, including travel restrictions and enhanced screening at Canada’s borders. To support these measures, the Public Health Agency of Canada relied on the Canada Border Services Agency (CBSA) to collect travellers’ contact and health information pursuant to emergency public health orders. Existing paper‑based processes were inadequate to meet these requirements, prompting the rapid development of the ArriveCAN application beginning in April 2020. 

The ArriveCAN application was developed and deployed under conditions of sustained urgency, dynamic public health directives and compressed timelines. The application evolved quickly in response to operational needs and policy decisions. 

Concerns regarding access to information later emerged with allegations that records related to ArriveCAN had been destroyed while subject to requests for information made under the Access to Information Act. In response, the Information Commissioner initiated an investigation in February 2024 into matters related to requesting and obtaining access to information concerning ArriveCAN. 

Investigation 

The Office of the Information Commissioner’s (OIC) investigation was extensive and complex. It involved a review of numerous reports and source materials, an analysis of ArriveCAN-related access requests and associated complaints, and multiple representations. The OIC also interviewed former and current CBSA staff at various levels. 

The CBSA—its Access to Information and Privacy (ATIP) unit, in particular—fully cooperated with the OIC’s investigation and responded to all questions, and requests for documentation, representations and clarification. 

The final report on the ArriveCAN investigation, which focuses on two core obligations under the Act—the completeness and timeliness of the CBSA’s responses to ArriveCAN-related access requests—along with the President of the CBSA’s response to the Commissioner’s recommendations, is published on the OIC website. 

The following outlines two key issues arising from the investigation. The first pertains to the alleged destruction of records. The second relates to the adoption of Slack by the ArriveCAN project team as an internal communication and collaboration tool at the outset of the COVID‑19 pandemic without sufficient regard for access to information obligations. 

This report also sets out a summary of the recommendations stemming from the investigation and examines the broader implications of them for the Government of Canada as a whole. 

Alleged destruction of records 

The Globe and Mail reported on allegations that the CBSA’s Vice-President and Chief Information Officer had handled email records in a way that resulted in “the permanent destruction of e-mails and other documents that may have been relevant to an access to information request about the agency’s interactions with GC Strategies.” 

These allegations were widely discussed in the media and in parliamentary committee meetings. The investigation determined the following: 

• The access request underlying these allegations did not seek records related to ArriveCAN; however, some of the records affected by the data loss may have pertained to ArriveCAN.
• Records were lost when the Vice-President’s Microsoft Outlook Personal Storage Table (PST file) became corrupted during data transfer to a new laptop.
• Reasonable efforts were made by the Vice-President to attempt recovery of the corrupted files, prior to and after the relevant access request had been received.
• Recovery efforts resulted in the retrieval of some of the Outlook files but the original PST file was never recovered in its entirety.
• The records retrieved were reviewed and no additional records responsive to the access request were identified.
• While some records held in the PST file may have been permanently lost, the PST file was intended as a convenience copy of the Outlook files, and the evidence reviewed suggests that the information would have existed in other locations. 

Further, after reviewing evidence provided by the CBSA and conducting interviews with witnesses, the Commissioner found no evidence of the commission of an offence as described in subsection 67.1(1) of the Act, and, therefore, she did not disclose any information relating to the commission of an offence to the Attorney General of Canada.

Impact of the CBSA’s use of Slack on the completeness of responses 

The investigation revealed that the CBSA used Slack to facilitate collaboration between individuals working on the development of the ArriveCAN application. With one exception, Slack was not searched for records responsive to access requests to ensure a reasonable search for records was done. At the end of the project, Slack was deleted without confirming whether records on Slack might have been relevant to active access requests. 

Slack is a business-focused messaging and collaboration platform. It features real-time chat, file sharing, and audio and video calling capability, and can be integrated with other tools. The CBSA’s Information, Science and Technology Branch introduced Slack in 2019 to a limited number of staff prior to the pandemic, while exploring new ways of communicating and collaborating. At the time, CBSA employees did not have access to Microsoft Teams, which only became available within the organization in 2020. 

According to the CBSA, Slack was primarily used by individuals such as directors and managers responsible for projects, as well as software developers, quality assurance analysts, user experience analysts, and contracted developers and consultants. The CBSA indicated that approximately 180 registered users, including individuals who were not involved in the ArriveCAN initiative, were on Slack over the three years it was in use at the CBSA. Some external individuals also used the CBSA Slack workspace, such as technical representatives from companies specializing in software and mobile applications, to communicate with CBSA employees. 

The investigation revealed that no formal policy or directive was issued concerning which email account employees were to use to access Slack for login purposes. A review of user credentials for the workspace indicated that some CBSA employees used non-government email addresses to access the platform. 

Following concerns raised by the CBSA’s Cyber Security Directorate and the end of ArriveCAN funding, the CBSA ceased its use of Slack, and the workspace was deleted in May 2023. 

Given that Slack was deleted nine months before the Commissioner launched her investigation, the OIC was unable to review the contents of the Slack workspace nor determine the nature and value of the information that was created, shared and stored within it. 

The CBSA did not have any backups or archival copies of the workspace. The OIC instead reviewed evidence and interview statements gathered by the CBSA’s Professional Integrity Division, interviewed Slack users and sought representations from the CBSA to better understand the nature of the records held on Slack and their possible relevance to access requests related to ArriveCAN. 

The Commissioner concluded that the information exchanged between CBSA staff, vendors and contractors on Slack between April 2020 and May 2023 related to the development, testing and maintenance of ArriveCAN and that this information could have fallen within the scope of access requests the CBSA received related to the application. 

During the investigation, the CBSA indicated that the records held on Slack would have been transitory and/or duplicates of records stored in official CBSA repositories. 

The investigation revealed that the CBSA only searched Slack in response to one access request related to ArriveCAN. The CBSA conceded that Slack was not searched for a few additional requests and that it may have held communications relevant to the subject matter of those requests. The investigation also established that the ATIP unit was unaware that Slack existed and, therefore, could not challenge the completeness of the records it received from program areas in response to ArriveCAN-related access requests or ensure its deletion was postponed until all responsive records to pending access requests received had been identified and retrieved. 

Recommendations 

At the conclusion of the investigation, the Commissioner made six recommendations to the Minister of Public Safety and Emergency Preparedness, who is responsible for the CBSA. These aim to strengthen governance, oversight and information management at the CBSA in order to ensure that access rights are respected in an evolving technological environment. 

The President of the CBSA agreed with each of the Commissioner’s recommendations and indicated that the CBSA is already taking steps to strengthen its information management practices. The final report of the ArriveCAN investigation, as published on the OIC website, includes the full set of recommendations, as well as the President’s response to the Commissioner’s recommendations.

Institutions are accountable for records under their control

Information under the control of an institution is subject to the Act, regardless of how it was created or where it is stored

The Act provides Canadians and those in Canada with a right of access to records under the control of government institutions. An institution’s obligation to give access to records is not restricted to those in its physical possession. Records relating to institutional matters may be responsive to an access request even when they reside outside government-approved systems, such as external platforms and devices, and institutions must take reasonable steps to identify and retrieve such records.

A “record” is broadly defined in the Act as “any documentary material.” This means that emails, chat messages, documents and other recorded information, regardless of medium or form, are considered records for the purposes of responding to access requests.

The use of personal email accounts, third-party collaboration tools and non-government devices to conduct government business does not remove the records created in this way from an institution’s control or the application of the Act.

As explained in the Commissioner’s guidance on the control of records, when institutions do not have physical possession of records, they must determine whether they are nonetheless under their control. This involves considering whether the records relate to a departmental matter and, if so, whether a senior institutional official should reasonably expect to be able to obtain a copy of the records upon request. Institutions must consider all relevant factors when determining whether a record is under their control.

In this context, institutions must treat any platform they use to carry out government business as a potential source of responsive records when they receive an access request. Institutions must, therefore, ensure that they have the means to identify, retrieve and produce records across all environments in which government business is conducted.

Institutions must ensure that all repositories of records relevant to an access request, whether official or not, have been identified and searched

All responsive records must be retrieved if they exist at the time of an access request

Institutions are required to conduct a reasonable search for records that fall within the scope of the access request—that is, one or more experienced employees knowledgeable in the subject matter of the request must make reasonable efforts to identify and locate all records reasonably related to the request.

A reasonable search involves a level of effort that would be expected of any fair, sensible person tasked with searching for responsive records where they are likely to be stored. This search does not have to be perfect. An institution is, therefore, not required to prove with absolute certainty that other records do not exist. Institutions must, however, be able to show that they took reasonable steps to identify and locate responsive records.

Most digital collaboration platforms (e.g. chat platforms such as Microsoft Teams, Slack and Signal) support rapid and informal exchanges that are not systematically captured in official repositories. Some platforms permit auto‑deletion of messages or temporary messaging. Therefore, it is of paramount importance that public servants promptly document business activities and decisions in official repositories to ensure proper information management.

In addition, public servants must resist the temptation to assume that records exchanged through collaboration platforms are necessarily transitory and, therefore, need not be retrieved when responding to access requests. This distinction is irrelevant to the retrieval of records in response to access requests. When tasked with a request made under the Act, all responsive records, including transitory records, must be retrieved and provided to the ATIP unit. Further, the use of multiple communication and storage environments—such as departmental email, non‑government email accounts, collaboration platforms and corporate repositories—increases the likelihood that information will become fragmented. Without clear policies, consistent practices and effective oversight, institutions may not be able to take reasonable steps to identify all relevant repositories where records may be found or demonstrate that a reasonable search for records has been conducted.

Governance frameworks, including the Access to Information Act, must keep pace with modern digital work 

Digital practices are evolving faster than the laws and policies governing them 

In 1983, when the Act came into force, no one could have predicted how profoundly technology would transform the delivery of services to Canadians and how citizens would interact with government. Today’s reality—individuals expecting integrated, digital-first public services and information being instantly available from virtually anywhere—reflects decades of rapid technological change. 

In contrast, federal governance instruments, including those that support access to information, largely reflect slower, linear and paper-based ways of working. 

Keeping pace requires governance to adapt in order to operate at the same speed as digital work and reflect how business is carried out across teams and departments while empowering public servants to deliver better outcomes for Canadians. 

Public servants have and will continue to improve their ways of working to meet the expectations of Canadians and those seeking services from government institutions. Embracing innovative ways of working is essential. 

This is why parliamentarians and the Treasury Board of Canada Secretariat must modernize governance and oversight frameworks to align with contemporary business practices. This includes ensuring that policies, legislation and oversight mechanisms evolve in step with digital services. This will enhance transparency and accountability through access to information while empowering the public service to innovate and respond more effectively to Canadians’ needs. 

The Access to Information Act should be modernized to reflect digital-era government. This means requiring institutions to design digital systems with openness by default, enabling real-time or routine disclosure of information, and ensuring technology enables not hinders access rights.

About the Office of the Information Commissioner

The purpose of Canada’s  Access to Information Act, which came into force in 1983, is to provide a right of access to records under the control of government institutions, while ensuring that the use of exemptions and exclusions is limited and specific.

The Act entrusts the Information Commissioner of Canada with the independent review of any matters relating to requesting or obtaining access to records under Part 1 of the Act. The OIC was established to support the Information Commissioner in her capacity as an independent Agent of Parliament.

The OIC seeks to enforce the Act, using the full range of tools and powers at the Commissioner’s disposal. These include negotiating with complainants and institutions, and making orders and recommendations to resolve matters at the conclusion of investigations.

The OIC supports the Commissioner in her advisory role to Parliament and parliamentary committees on all matters pertaining to access to information. The OIC also champions greater freedom of information in Canada through various initiatives, such as Right to Know.

According to the Access to Information Act, the Office of the Information Commissioner (OIC) is subject to the very legislation it oversees. This means that individuals have the right to request information from the OIC and where they remain dissatisfied with the processing of their requests filed with the OIC, they may complain to the Ad Hoc Information Commissioner.

For those investigations, I review the steps undertaken by the OIC in its handling of the access to information request, together with its duty to assist obligation, timeliness and completeness of the response. A thorough analysis of the facts, complaint allegations, representations provided by both parties and the OIC’s use of statutory exemptions to bar access to requested information makeup the substantial components of the work.

Complaint investigations are concluded with written findings, highlighting the rules governing rights of access to information held by the OIC, and emphasizing those where the OIC refused rightly or wrongly to grant access to certain types of information. These findings are also intended to promote a better understanding of access rights for requested information contained in OIC records.

In the course of my work, I also receive complaints from individuals who seek answers regarding the status or outcomes of OIC’s complaint investigations involving other federal government institutions. Individuals who have difficulty finding the correct authority with which to file their complaint, be it at a provincial or federal level, also reach out to me. While I cannot accept those complaints, I nonetheless take the time to reply, explain my role, and redirect individuals to the appropriate institution, including by providing relevant website links. Doing so provides a helpful public service in my view, and many individuals show their appreciation for the gesture.

The 2025–26 fiscal period saw a similar number of cases as the previous year, with 102 new matters received; however, most could not be accepted and were redirected accordingly. Some of these communications also included instances where I was copied on correspondence to several federal government officials that did not require further action on my part.

From April 1, 2025, to March 31, 2026, the breakdown of all the files received shows as follows:

• Prior year complaints investigated and concluded: 1
• New complaints received: 7
• Complaints investigated and concluded: 3
• Complaints withdrawn: 1
• Complaints commenced/carried over: 3
• Non-receivable complaints redirected: 60
• No action required type complaints: 35 

I continue to value the important public service of this role which I have enjoyed fulfilling during these past years.

Respectfully submitted, 
Anne E. Bertrand, KC/cr 
Ad Hoc Information Commissioner