Public Health Agency of Canada (Re), 2023 OIC 06

Date: 2023-03-10
OIC file number: 5820-04413 and 5822-04414
Institution file number: PHAC-A-2020-000017 and PHAC-A-2020-000018


The complainant alleged that the Public Health Agency of Canada (PHAC) did not conduct a reasonable search in response to two access requests made under the Access to Information Act. The complaints fall within paragraph 30(1)(a) of the Act.

Each request sought electronic records sent or received by a warehouse manager within specified timeframes related to masks.

PHAC did not identify any records responsive to either access request. The investigation revealed that the employee deleted the contents of their e-mail box and therefore could not retrieve responsive records. During the investigation, PHAC conducted additional searches and identified responsive records.

The complaints are well founded.


[1]      The complainant alleged that the Public Health Agency of Canada (PHAC) did not conduct a reasonable search in response to two access requests made under the Access to Information Act.

[2]      The first request (5820-04413) was for electronic records related to masks, sent or received by a named employee who was a warehouse manager for the National Emergency Strategic Stockpile program, in December 2019.

[3]      The second request (5820-04414) was for electronic records related to masks, sent or received by the same named employee, from April 1 to 15, 2020.

[4]      Both complaints fall within paragraph 30(1)(a) of the Act.


Reasonable search

[5]      PHAC was required to conduct a reasonable search for records that fall within the scope of the access request—that is, one or more experienced employees, knowledgeable in the subject matter of the request, must have made reasonable efforts to identify and locate all records reasonably related to the request.

[6]      A reasonable search involves a level of effort that would be expected of any fair, sensible person tasked with searching for responsive records where they are likely to be stored.

[7]      This search does not have to be perfect. An institution is therefore not required to prove with absolute certainty that further records do not exist. Institutions must, however, be able to show that they took reasonable steps to identify and locate responsive records.

Did the institution conduct a reasonable search for records?

[8]      In January 2021, PHAC Access to Information and Privacy (ATIP) officials became aware that the named employee did not have records that were responsive to the two access requests. After some inquiries, PHAC ATIP found out that the employee in question had deleted their entire mailbox as it had exceeded its size limit and the employee had considered all of the records in their mailbox to be transitory.

[9]      In its representation to the OIC, PHAC explained that at the advent of the COVID-19 pandemic, PHAC was undergoing organizational changes and substantial temporary growth in human resources to deliver the necessary programs and advice that Canada was relying on. Employees and management were working exceptionally long hours under tremendous pressure, and were constantly reprioritizing and risk-managing activities.

[10]    PHAC also explained that the branch that received the two access requests that are the subject of these complaints had begun to receive an influx of ATI requests at a time when turnover was constant. PHAC confirmed that while the search for assessment for these requests was completed relatively quickly, the named employee was not notified of the requests and thus was not aware of the obligation to retain records, including transitory records that may have been relevant. Furthermore, PHAC indicated that by the time the named employee received the two requests, they had deleted all emails from the periods covered and had no records to provide. PHAC also admitted that by the time it was determined that the emails had been deleted, it was past the period within which email accounts could be restored.

[11]    Following questions by the OIC on the nature of the records and on the fact that the named employee would have likely sent or received records of business value falling within the scope of the request, PHAC explained that the role of the named employee is not one that has them generate many records of business value.  PHAC further stated that the named employee’s role is operational in nature as the named employee deals primarily with shipments distributed from and received by PHAC. PHAC added that the named employee does not produce reports or compile data, nor does the named employee make decisions related to the procurement or distribution of supplies. PHAC also explained that it would be very unusual for the named employee to have records of business value in their email that they would be responsible for preserving. While records may have passed through the named employee, such as waybills or strike off (disposal of goods) for review, there is very limited, if any, need for the named employee to retain these themself because others have that corporate record-keeper role.

[12]    Facing a dearth of records from the named employee, it would have been reasonable for PHAC next to consider other individuals who might have responsive records (e.g. emails they sent to the employee or received from them) and other locations these records might be stored. In my view, this would have constituted reasonable efforts to search for records. However, PHAC did not consider other sources of records before it responded to the access request at the end of March 2021.

[13]    PHAC also did not task employees who communicated with the named employee by email during the timeframe noted in the access request to search for responsive records, including emails sent or received and on which they were copied. Nor did PHAC task non-operational employees who would have been responsible for saving records to corporate repositories. Likewise, PHAC also does not appear to have searched the shared repository for records the employee had either sent or received (including records on which they were copied). All of these would have been reasonable actions given the circumstances.

[14]    During the investigation, however, PHAC used information technology forensics to search all active email accounts and identified records responsive to the two requests.

[15]    On December 19, 2022 and on February 13, 2023, PHAC issued supplementary releases totaling 15 and 92 pages. Based on the information on file, on representations received from PHAC on the nature of the documents and the role of the employee, I am satisfied that as an operational employee, the named employee would not have had any reasons to consider the 107 pages in question their responsibility to safeguard, meaning that while the records, which included, shipping information, strike off requests, and instructions to employees, may have provided information about the supply and movement of masks during a pandemic, the information did not have business value for that employee in particular.

[16]    That being said, without having access to the named employee’s email account, which was completely erased, I cannot ascertain whether any of the other emails erased would or should have been kept by them as having business value. While I understand that there are good reasons to have mailbox limits capacity, one of which is proper information management, the decision to delete an entire account does raise the question as to what other records may have been responsive to the two requests and are no longer available. It is rather surprising and hopefully very unusual that a public servant would decide to erase all of their emails, received and sent, at any particular time in their career. That being said, a careful review of the investigation file provided no evidence related to the commission of an offence under the Act.

[17]    However, this situation raised serious questions of trust and more importantly, issues of proper information management. Accordingly, PHAC has provided the OIC with an action plan to improve performance through:

  1. Strengthening accountability;
  2. Demand management; and
  3. Enhancing infrastructure and tools.

[18]    As part of this plan, PHAC confirmed that it is now mandatory for employees to complete ATIP training. Furthermore, PHAC stated that information about ATIP responsibilities has been integrated into Onboarding information sessions that are provided to all employees new to PHAC. In light of the above, I have decided that an order requiring PHAC to conduct an additional search for each request is no longer necessary.

[19]    Nonetheless, it has become clear throughout my investigation that PHAC, at a minimum, mishandled the processing of these two access requests in many regards at the beginning of the pandemic. Going forward, with the action plan developed during my investigation, including direct messages from the President to the EX cadre about the importance of their role in supporting branch heads in fulfilling ATIP responsibilities and more generally the right of access, I can only trust that the new President will build on the efforts of her predecessor and achieve its objectives of enshrining the importance of proper information management and the right of access to information within the organization.

[20]    One can understand that, in these extraordinary times, PHAC’s focus was on existential matters of public health and security. However, the right of access is a quasi-constitutional right. This right cannot exist without records, which is why it is essential that all necessary measures be taken to create and preserve records that document decisions and actions, even under extraordinary circumstances. It is only in this manner that we can ensure that institutional accountability, one of the main objectives of the Act, is upheld, thereby preserving the public’s trust.


[21]    The complaints are well founded.

When a complaint falls within the scope of paragraph 30(1)(a), (b), (c), (d), (d.1) or (e) of the Act, the complainant has the right to apply to the Federal Court for a review. The complainant must apply for this review within 35 business days after the date of this report and must serve a copy of the application for review to the relevant parties, as per section 43.

Date modified:
Submit a complaint