In November 2025, questions measuring the Labour Market Indicators were added to the Labour Force Survey as a supplement.

Questionnaire flow within the collection application is controlled dynamically based on responses provided throughout the survey. Therefore, some respondents will not receive all questions, and there is a small chance that some households will not receive any questions at all. This is based on their answers to certain LFS questions.

Labour Market Indicators

ENTRY_Q01 / EQ 1 - From the following list, please select the household member that will be completing this questionnaire on behalf of the entire household.

SEC_R01 - The following questions are about your job security and employability in relation to your main job.

SEC_Q01 / EQ2 - To what extent do you agree or disagree with the following statements?

SEC_Q01_1 - You might lose your job in the next 6 months.

• Strongly agree 
• Agree 
• Neither agree nor disagree
• Disagree 
• Strongly disagree

SEC_Q01_2 - If you were to lose or quit your current job, it would be easy for you to find a job with a similar salary. 

• Strongly agree 
• Agree 
• Neither agree nor disagree
• Disagree 
• Strongly disagree

EMP_Q01 / EQ3 - In your job search, how helpful would your overall work experience and job skills be to get hired? 

Is it:

1. Very helpful 
2. Fairly helpful 
3. Not so helpful 
4. Not helpful at all

From October-December 2025, the following questions measuring the Labour Market and Socio-economic Indicators were added to the Labour Force Survey as a supplement.

The purpose of this survey is to identify changing dynamics within the Canadian labour market, and measure important socio-economic indicators by gathering data on topics such as type of employment, quality of employment, support payments and unmet health care needs.

Questionnaire flow within the collection application is controlled dynamically based on responses provided throughout the survey. Therefore, some respondents will not receive all questions, and there is a small chance that some households will not receive any questions at all. This is based on their answers to certain LFS questions.

Labour Market and Socio-economic Indicators

ENTRY_Q01 / EQ 1 - From the following list, please select the household member that will be completing this questionnaire on behalf of the entire household.
Employee block

The following questions test a new way of measuring temporary employment. Some questions address topics that were previously covered by the Labour Force Survey, but in a slightly different way.

LMI_Q01 / EQ 2 - What type of contract or agreement do you have in your main job?
Is it:

1. Permanent or until retirement
2. Ongoing with no specified end date
   Exclude temporary or seasonal contracts that are regularly renewed.
3. For a specific duration
   e.g., seasonal, term
   Include temporary or seasonal contracts that are regularly renewed.
4. Until a task or project is completed

LMI_Q02 / EQ 3 - Which of the following currently applies to your main job?

1. It is a seasonal job
   e.g., you only work during a specific season
2. You worked as an apprentice, trainee or intern in that job
   e.g., electrician apprentice, nursing trainee, police cadet, marketing intern, etc.
   OR
3. None of the above

LMI_Q03 / EQ 4 – In your main job, are you paid by a private employment or placement agency that is different from the company or organization you work for?

1. Yes, paid by a private placement agency
2. No

LMI_Q04 / EQ 5 - What is the total duration of your contract or agreement in your main job?
Is it:

1. Less than 3 months
2. From 3 months to less than 6 months
3. From 6 months to less than 12 months
4. 12 months or longer
   OR
5. Casual job with no specific end date

LMI_Q05 / EQ 6 - In your main job, do you have a specific number of hours you are supposed to work?

1. Yes
2. No

HRS_Q01 / EQ 7 – Are you at least guaranteed that you will get some work or hours in your main job?

Would you say:

1. Yes
2. No minimum number of hours guaranteed, contacted when needed

LMI_Q06 / EQ 8 - What would you say best describes your current situation in your main job?
You:

1. Work based on a series of successive contracts with the same employer
   e.g., your employer renews your contract
   Include situations with short breaks between contracts
2. Have a casual job with an employer that lets you choose when you work
   e.g., can decide which days or shifts you work.
3. Only work when called-in or assigned a shift by your employer
4. Work based on a series of successive contracts with different employers
   Include situations with short breaks between contracts
5. Work as a day labourer
   e.g., hired and paid by the day or for a single shift
6. Have received a permanent job offer
7. Will return to school or do something else at the end of your contract
8. re uncertain about your future contract situation
9. None of these

REAT_Q01 / EQ 9 – Do you want a permanent job at this time?

1. Yes
2. No

REAT_Q02 / EQ 10 - What is the main reason why you do not want a permanent job?
Would you say:

1. To combine employment with education
2. To combine employment with a pension
3. To combine employment with caring for children
4. To combine employment with other family or care responsibilities
5. Other reason

Self-employed block
You mentioned earlier that you are self-employed in your main job. The following section of the survey will refer to this as your main business.

LMI_Q07 / EQ 11 - What is the main reason why you are self-employed in your main job?
Is it:

1. To have autonomy and control over work hours, wage rate or location
2. Unable to find work as an employee
3. To earn more money than you would as an employee/ To earn extra money
4. To engage in work that you are passionate about
5. Lost job as an employee
6. To practice or master a new skill
7. To work in your field of expertise
8. To join or take over a family business
9. To achieve a better work-life balance
10. To experience less stress or for health reasons
11. Other

LMI_Q08 / EQ 12 – Do you have any partners or co-owners in your main business?

1. Yes
2. No

LMI_Q09 / EQ 13 – Do you own or lease a building or space dedicated to your main business?

1. Yes
2. No

LMI_Q10 / EQ 14 - In your main business, are you required to belong to a professional association or regulatory college to do your job?

1. Yes
2. No

LMI_Q11 / EQ 15 - Does your main business operate…?

1. All year round
2. During most of the year
3. During a specific season
4. Intermittently

EMP_Q01 / EQ 16 - How many employees in total work at your business?

1. 5 or less
2. 6 to 20
3. 20 to 99
4. 100 to 500
5. Over 500

LMI_Q12 / EQ 17 - What is the current mix of clients in your main business?
Is your main business:

1. Mostly based on getting new clients
2. Based on an equal mix of new and returning clients
3. Mostly based on returning clients
4. Based on a single client
5. OR
6. Your main business has not had any clients yet

LMI_Q13 / EQ 18 - Would you be able to continue operating your main business for the next five years based on returning or existing clients alone?

1. Yes
2. No

LMI_Q14 / EQ 19 - To what extent do you agree or disagree with the following statement?
In normal times, it is easy for you to find new clients in your main business.

1. Strongly agree
2. Agree
3. Neither agree nor disagree
4. Disagree
5. Strongly disagree

CLI_Q01 / EQ 20 – Do you currently have contracts with any of the following types of clients in your main business?

	Yes	No
Private businesses
Non-profit organizations or charities
Government agencies or departments
Private individuals

LMI_Q16 / EQ 21 – Thinking of your largest contract, what is the total duration of that contract?

Is it:

1. Less than 3 months
2. From 3 months to less than 6 months
3. From 6 months to less than 12 months
4. 12 months or longer

LMI_Q17 / EQ 22 - During the last 12 months, did you have any full days with no clients or work in your main business even though you wanted to work?

1. Yes
2. No

LMI_Q18 / EQ 23 - What would you say is your plan with your main business over the next 12 months?

Do you plan to:

1. Expand and hire more employees
2. Expand without hiring more employees
3. Keep things about the same
4. Scale-down the business
5. Stop working or close the business

LMI_Q19 / EQ 24 - What is the main reason why you expect to stop working or close your main business?

1. Low sales
2. Clients pay late or do not pay
3. Excess debt
4. Issues with suppliers
5. Lack of access to financing
6. Other business reasons
7. To accept a job with more income
8. To accept a job with more benefits
9. Attending school
10. Family responsibilities
11. Retirement
12. Health
13. Other personal reasons
14. Other

LFI_CHECK1 / EQ 25 - Last week, did you work at a job or business?

1. Yes
2. No

LFI_CHECK2 / EQ 26 - Last week, did you have a job or business from which you were absent?

1. Yes
2. No

LFI_CHECK3 / EQ 27 - Did you have more than one job or business last week?

1. Yes
2. No

LFI_CHECK4 / EQ 28 - Was this because you changed employers?

1. Yes
2. No

LFI_CHECK5 / EQ 29 - Have you ever worked at a job or business?

1. Yes
2. No

LFI_CHECK6 / EQ 30 - When did you last work?

• Year:
• Month:

LMI_Q20 / EQ 31 - Excluding your main job or business, have you earned any money by freelancing, doing a paid gig, or completing a short-term job or task during the last 12 months?

1. Yes
2. No

LMI_Q21 / EQ 32 - Was this freelancing, paid gig, or short-term task or job one of the jobs you had last week, or something else entirely?

1. Yes, one of the jobs or businesses you had last week
2. No, it was something else

EMP_Q02 / EQ 33 - Were you paid as an employee when you freelanced, did a paid gig, or got paid to do a short-term task or job in the last 12 months?

1. Yes, only as an employee
2. Yes, both as an employee and as a self-employed worker
3. No, only as a self-employed worker

LMI_Q24 / EQ 34 - When was the last time you freelanced, did a paid gig, or got paid to do a short-term task or job?

1. Last week or after
2. In the last 3 months, but before last week
3. In the last 3 to 6 months
4. In the last 6 to 12 months

SCC1_Q05 / EQ 35 - In the last 12 months, did you receive support payments from a former spouse or partner?

1. Yes
2. No

SCC1_Q10 / EQ 36 - What is your best estimate of the amount of support payments you received in the last 12 months?

SCC2_Q05 / EQ 37 - In the last 12 months, did you make support payments to a former spouse or partner?

1. Yes
2. No

SCC2_Q10 / EQ 38 - What is your best estimate of the total amount you paid in support payments in the last 12 months?

SCC3_Q05 / EQ 39 - In the last 12 months, did you pay for child care, so that you could work at a paid job?

1. Yes
2. No

SCC3_Q10 / EQ 40 - What is your best estimate, of the total amount you paid for child care in the last 12 months?

DSQ_Q01 / EQ 41 – Do you have any difficulty seeing?

1. No
2. Sometimes
3. Often
4. Always
5. Don't know

DSQ_Q02 / EQ 42 – Do you wear glasses or contact lenses to improve your vision?

1. Yes
2. No
3. Don't know

DSQ_Q03 / EQ 43 - With your glasses or contact lenses, which of the following best describes your ability to see?

1. No difficulty seeing
2. Some difficulty seeing
3. A lot of difficulty seeing
4. you are legally blind
5. you are blind
6. Don't know

DSQ_Q04 / EQ 44 - How often does this difficulty seeing/seeing condition limit your daily activities?

1. Never
2. Rarely
3. Sometimes
4. Often
5. Always
6. Don't know

DSQ_Q05 / EQ 45 – Do you have any difficulty hearing?

1. No
2. Sometimes
3. Often
4. Always
5. Don't know

DSQ_Q06 / EQ 46 – Do you use a hearing aid or cochlear implant?

1. Yes
2. No
3. Don't know

DSQ_Q07 / EQ 47 - With your hearing aid or cochlear implant, which of the following best describes your ability to hear?

1. No difficulty hearing
2. Some difficulty hearing
3. A lot of difficulty hearing
4. You cannot hear at all
5. You are Deaf
6. Don't know

DSQ_Q08 / EQ 48 - How often does this difficulty hearing/hearing condition limit your daily activities?

1. Never
2. Rarely
3. Sometimes
4. Often
5. Always
6. Don't know

DSQ_Q09 / EQ 49 – Do you have any difficulty walking, using stairs, using your hands or fingers or doing other physical activities?

1. No
2. Sometimes
3. Often
4. Always
5. Don't know

DSQ_Q10 / EQ 50 - How much difficulty do you have walking on a flat surface for 15 minutes without resting?

1. No difficulty
2. Some difficulty
3. A lot of difficulty
4. You cannot do at all
5. Don't know

DSQ_Q11 / EQ 51 - How much difficulty do you have walking up or down a flight of stairs, about 12 steps without resting?

1. No difficulty
2. Some difficulty
3. A lot of difficulty
4. You cannot do at all
5. Don't know

DSQ_Q12 / EQ 52 - How often does this difficulty walking limit your daily activities?

1. Never
2. Rarely
3. Sometimes
4. Often
5. Always
6. Don't know

DSQ_Q13 / EQ 53 - How much difficulty do you have bending down and picking up an object from the floor?

1. No difficulty
2. Some difficulty
3. A lot of difficulty
4. You cannot do at all
5. Don't know

DSQ_Q14 / EQ 54 - How much difficulty do you have reaching in any direction, for example, above your head?

1. No difficulty
2. Some difficulty
3. A lot of difficulty
4. You cannot do at all
5. Don't know

DSQ_Q15 / EQ 55 - How often does this difficulty bending down and picking up an object limit your daily activities?

1. Never
2. Rarely
3. Sometimes
4. Often
5. Always
6. Don't know

DSQ_Q16 / EQ 56 - How much difficulty do you have using your fingers to grasp small objects like a pencil or scissors?

1. No difficulty
2. Some difficulty
3. A lot of difficulty
4. You cannot do at all
5. Don't know

DSQ_Q17 / EQ 57 - How often does this difficulty using your fingers limit your daily activities?

1. Never
2. Rarely
3. Sometimes
4. Often
5. Always
6. Don't know

DSQ_Q18 / EQ 58 - Do you have pain that is always present?

1. Yes
2. No
3. Don't know

DSQ_Q19 / EQ 59 – Do you also have periods of pain that reoccur from time to time?

1. Yes
2. No
3. Don't know

DSQ_Q20 / EQ 60 - How often does this pain limit your daily activities?

1. Never
2. Rarely
3. Sometimes
4. Often
5. Always
6. Don't know

DSQ_Q21 / EQ 61 - When you are experiencing this pain, how much difficulty do you have with your daily activities?

1. No difficulty
2. Some difficulty
3. A lot of difficulty
4. You cannot do at all
5. Don't know

DSQ_Q22 / EQ 62 – Do you have any difficulty learning, remembering or concentrating?

1. Never
2. Rarely
3. Sometimes
4. Often
5. Always
6. Don't know

DSQ_Q23 / EQ 63 - Do you think you have a condition that makes it difficult in general for you to learn? This may include learning disabilities such as dyslexia, hyperactivity, attention problems, etc.

1. Yes
2. No
3. Don't know

DSQ_Q24 / EQ 64 - Has a teacher, doctor or other health care professional ever said that you had a learning disability?

1. Yes
2. No
3. Don't know

DSQ_Q25 / EQ 65 - How often are your daily activities limited by this condition?

1. Never
2. Rarely
3. Sometimes
4. Often
5. Always
6. Don't know

DSQ_Q26 / EQ 66 - How much difficulty do you have with your daily activities because of this condition?

1. No difficulty
2. Some difficulty
3. A lot of difficulty
4. You cannot do most activities
5. Don't know

DSQ_Q27 / EQ 67 - Has a doctor, psychologist or other health care professional ever said that you had a developmental disability or disorder? This may include Down syndrome, autism, Asperger syndrome, mental impairment due to lack of oxygen at birth, etc.

1. Yes
2. No
3. Don't know

DSQ_Q28 / EQ 68 - How often are your daily activities limited by this condition?

1. Never
2. Rarely
3. Sometimes
4. Often
5. Always
6. Don't know

DSQ_Q29 / EQ 69 - How much difficulty do you have with your daily activities because of this condition?

1. No difficulty
2. Some difficulty
3. A lot of difficulty
4. You cannot do most activities
5. Don't know

DSQ_Q30 / EQ 70 – Do you have any ongoing memory problems or periods of confusion?

1. Yes
2. No
3. Don't know

DSQ_Q31 / EQ 71 - How often are your daily activities limited by this problem?

1. Never
2. Rarely
3. Sometimes
4. Often
5. Always
6. Don't know

DSQ_Q32 / EQ 72 - How much difficulty do you have with your daily activities because of this problem?

1. No difficulty
2. Some difficulty
3. A lot of difficulty
4. You cannot do most activities
5. Don't know

DSQ_Q33 / EQ 73 – Do you have any emotional, psychological or mental health conditions?

1. No
2. Sometimes
3. Often
4. Always
5. Don't know

DSQ_Q34 / EQ 74 - How often are your daily activities limited by this condition?

1. Never
2. Rarely
3. Sometimes
4. Often
5. Always
6. Don't know

DSQ_Q35 / EQ 75 - When you are experiencing this condition, how much difficulty do you have with your daily activities?

1. No difficulty
2. Some difficulty
3. A lot of difficulty
4. You cannot do most activities
5. Don't know

DSQ_Q36 / EQ 76 – Do you have any other health problem or long-term condition that has lasted or is expected to last for six months or more?

1. Yes
2. No
3. Don't know

DSQ_Q37 / EQ 77 - How often does this health problem or long-term condition limit your daily activities?

1. Never
2. Rarely
3. Sometimes
4. Often
5. Always
6. Don't know

DSQ_Q38 / EQ 78 – Do you have pain that is always present?

1. Yes
2. No
3. Don't know

DSQ_Q39 / EQ 79 - Do you also have periods of pain that reoccur from time to time?

1. Yes
2. No
3. Don't know

DSQ_Q40 / EQ 80 - How often does this pain limit your daily activities?

1. Never
2. Rarely
3. Sometimes
4. Often
5. Always
6. Don't know

DSQ_Q41 / EQ 81 - When you are experiencing this pain, how much difficulty do you have with your daily activities?

1. No difficulty
2. Some difficulty
3. A lot of difficulty
4. You cannot do most activities
5. Don't know

UCN_Q005 / EQ 82 - During the past 12 months, was there ever a time when you felt that you needed health care, other than homecare services, but you did not receive it?

1. Yes
2. No

UCN_Q010 / EQ 83 - Thinking of the most recent time you felt this way, why didn't you get care?

1. Care not available in the area
2. Care not available at time required (e.g. doctor busy, away from office or no longer at that practice, inconvenient hours)
3. Do not have a regular health care provider
4. Waiting time too long
5. Appointment was cancelled
6. Felt would receive inadequate care
7. Cost
8. Decided not to seek care
9. Doctor didn't think it was necessary
10. Transportation issue
11. Other

UCN_Q015 / EQ 84 - Again, thinking of the most recent time, what was the type of care that was needed?

1. Treatment of a chronic physical health condition diagnosed by a health professional
2. Treatment of a chronic mental health condition diagnosed by a health professional
3. Treatment of an acute infectious disease (e.g. cold, flu and stomach flu)
4. Treatment of an acute physical condition (non-infectious)
5. Treatment of an acute mental health condition (e.g. acute stress reaction)
6. A regular check-up (including pre-natal care)
7. Care of an injury
8. Dental care
9. Medication / Prescription refill
10. Other

UCN_Q020 / EQ 85 - Did you actively try to obtain the health care that was needed?

1. Yes
2. No

UCN_Q025 / EQ 86 - Where did you try to get the service you were seeking?

1. A doctor's office
2. A hospital outpatient clinic
3. A community health centre
4. A walk-in clinic
5. An emergency department or emergency room
6. Other

What we Asked, What we Learned and What we Did

October 2025

Introduction

In September 2021 the NOC 2021 Version 1.0 was released. The NOC for 2026 will be released in December of 2026.The NOC is jointly developed by Employment and Social Development Canada (ESDC) and Statistics Canada (StatCan) and has been maintained in partnership since the first edition published in 1991/1992. Revision proposals are analyzed by internal working groups within StatCan and ESDC as part of our interdepartmental revision working group process.

The purpose of the NOC is primarily to provide a standardized framework to support consistent statistical information on Canadian occupations. It is accessorily used for employment-related program administration and for compiling, analyzing, and communicating occupational information, such as labour market data.

The NOC organizes the world of work—performed for pay or profit—into a manageable, understandable, and coherent system.

Revising the NOC 2021 Version 1.0

In line with good statistical practice, the NOC is reviewed and revised periodically to reflect changes in the labour market, ensuring continued relevance and accuracy. For the NOC, major revisions – which cover both "real changes" and "virtual changes" – are planned on a 10-year cycle. While "real changes" affect the scope of classification items and/or categories, and therefore impact the data collected and disseminated, "virtual changes" are meant only to capture job titles and clarifying existing descriptions. The release of NOC 2021 Version 1.0 marked a significant revision aligned with this 10-year cycle.

In addition to the 10-year cycle, a 5-year "virtual change" cycle is in place to support improved coding and understanding of occupational classifications. In exceptional cases, when there is consensus between StatCan and ESDC, both real and virtual changes may occur outside the regular revision cycles.

For the upcoming release of NOC 2026, a consensus was reached between Statistics Canada and ESDC to introduce real changes outside the standard 10-year cycle – this marks a first attempt to enhance responsiveness to labour market shifts between revision cycles. The NOC 2026 will include real changes aimed at improving data collectability and reportability. Following its release, both organizations will assess the feasibility of incorporating real changes into the regular 5-year revision cycle moving forward.

In January 2024, Statistics Canada's Social Standards Steering Committee (SSSC) approved a permanent consultation process for the NOC. Proposals for changes can now be submitted and reviewed on an ongoing basis. A cut-off date for considering proposed changes for inclusion in a new version of the NOC will be posted well in advance.

The NOC consultation webpage was launched in April 2024. For NOC 2026 Version 1.0, the cut-off date for submissions was set as November 15, 2024.

What we asked

The consultation aimed to gather input from NOC users on potential revisions. Proposed changes could encompass any element of the classification, including the structure of the classification, definitions, and details such as the main duties, employment requirements, examples and exclusions attached to unit groups.

In addition to internal feedback from StatCan's and ESDC's NOC working groups, organisations and individuals were invited to submit proposals. Some participated in workshops to provide additional input focused on the following occupational categories:

• Health care Services
• Childcare and community services
• Applied Sciences
• Law, education, social, community and government services
• Food and Beveridge services
• Transportation officers and controllers
• Agriculture
• Forestry and forest firefighting services

Community input was also sought to update Indigenous occupation titles and duty descriptions.

Engagement and Outreach activities included:

• Posting the NOC 2026 Version 1.0 consultation notice on:
  • Government of Canada's Consulting with Canadians
  • Statistics Canada's Consulting Canadians and Standards websites
• Public consultation period at StatCan: April to November 2024.
• ESDC maintained an invitation-based submission process since the release of the NOC 2021.
• StatCan focal points such as provincial/territorial statistical departments as well as occupation and labour market related organizations and associations were also invited to provide feedback.
• Feedback was gathered through:
  • Public submissions
  • Meetings with organizations, associations and unions
  • Ad hoc submissions via ESDC and StatCan inboxes
  • Internal StatCan working group with subject matter experts and methodologists using the NOC.

What we learned

The interdepartmental NOC working group received over 150 change requests from:

• All levels of government
• Businesses
• Sector councils
• Industry and professional bodies/associations
• Unions
• Academics
• Individuals

Overview of proposed changes

Feedback included both virtual (content only) and real (data impacted) changes. These proposed revisions reflect the evolution of existing occupations and the emergence of new ones.

Proposed virtual changes included:

• Improving occupation descriptions
• Adding job titles
• Revising main duties
• Clarifying and updating employment requirements

Proposed real changes included:

• Creating new unit groups
• Transferring items between unit groups

Some proposals fell outside the scope of statistical classification principles, such as:

• Adding occupational groups to create career paths between TEER (Training, Education, Experience and Responsibilities) levels

Proposed changes grouped by Broad Occupational Categories (BOC)

The NOC includes ten Broad Occupational Categories (BOCs), representing the highest level of the classification system and numbered from 0 to 9. Each BOC is defined by a combination of the type of work performed, the field of study, and the industry of employment.

Broad Occupational Categories	Percentage of proposed changes
BOC 0 - Legislative and senior management occupations This broad category comprises legislators and senior management occupations.	4%
BOC 1 - Business, finance and administration occupations This broad category comprises specialized middle management managers and occupations in administrative services, financial and business services and communication (except broadcasting).	12%
BOC 2 - Natural and applied sciences and related occupations This broad category comprises occupations in natural sciences (including basic and applied sciences and experimental development), engineering, architecture and information technology.	15%
BOC 3 - Health occupations This broad category comprises specialized middle management managers and occupations in health care, health care services and support to health services.	11%
BOC 4 - Occupations in education, law and social, community and government services This broad category comprises managers in public administration and occupations concerned with law, social and community services, public protection services and teaching.	22%
BOC 5 - Occupations in art, culture, recreation and sport This broad category comprises specialized middle management managers, professional, technical and support occupations in art, culture, recreation and sport.	8%
BOC 6 - Sales and service occupations This broad category comprises middle management managers and sales and service occupations in wholesale and retail trade, and customer services.	8%
BOC 7 - Trades, transport and equipment operators and related occupations This broad category comprises middle management managers and occupations in trades, transportation and equipment.	5%
BOC 8 - Natural resources, agriculture and related production occupations This broad category comprises middle management managers and occupations in natural resources, agriculture and related production.	5%
BOC 9 - Occupations in manufacturing and utilities This broad category comprises middle management managers and occupations in manufacturing and utilities.	8%

What we did

Following good practices, all changes implemented in our classifications are guided by statistical classification principles and concepts^{Footnote 1}, including the documentation of types of changes aligned with the General Statistical Information Model (GSIM). These principles form the foundation for developing, implementing, and revising statistical classifications.

Stakeholders and public recommendations are assessed using the same rigorous standards. To support a thorough evaluation, the NOC team and working group require detailed information demonstrating alignment with the key classification principles. While changes are typically drafted to minimize disruption to existing data structures, disruptive changes are implemented when justified to maintain the integrity and relevance of the classification.

This approach applies to:

• Revising existing groupings or groups
• Creation of new groups
• Movement or placement of groups within the classification structure
• General content updates.

We reviewed stakeholder submissions and conducted follow-up meetings when additional information was required or requested. Revisions to the NOC for 2026 reflect the collaborative efforts and insights of stakeholders and working group members, ensuring the classification remains relevant, responsive to user needs and accurately represents the evolving Canadian labour market.

What changes

A total of 165 unit groups were impacted by real and virtual changes.

• 18 unit groups underwent real (structural) changes, in addition to virtual changes

Real changes included:

• Creation of new unit groups affecting BOC 4 and BOC 6
• Splits-offs (existing item split-off to emerging group) affecting BOC 1, BOC 4 and BOC 6
• Take-overs (item expires and moved to existing group(s) affecting BOC 6
• Transfers (item moved between unit groups) affecting BOC 1, BOC 2, BOC 3, BOC 4, BOC 5, BOC 6, and BOC 8

Certain aspects of the classification were revised to better align with available data and reporting practices. However, the extent of changes was limited by data granularity, as further disaggregation would have resulted in non-reportable or suppressed data due to confidentiality or quality concerns.

For example,

• Modifications were made to improve coherence with observed data trends, though some potential refinements were not feasible due to limitations in data availability at more detailed levels.
• The classification was adjusted where possible, balancing analytical needs with the constraints of data reporting.
• Updates reflect a compromise between ideal classification structure and practical reporting limitations, particularly where finer breakdowns would compromise data reliability or confidentiality.

Although most changes occur at the 5^th level (unit groups) of the NOC – the most detailed level of the classification – updates at this level also affect higher levels of the classification. A full overview of changes across all levels will be available in the NOC 2021v1.0 to NOC 2026V1.0 correspondence table, to be released in December 2026.

The remaining 147 unit groups were subject to virtual (content-only) changes aimed at improving clarity and maintaining occupational relevancy. These updates included:

• Revised titles and/or definitions
• New, revised or suppressed example job titles
• Updates to definitions, lead statements, main duties, employment requirements and exclusions.

Virtual changes affecting all BOCs:

• Improved occupation descriptions and titles
  • Example: The unit group title and lead statement for 21211 – Data Scientists were updated to clarify the appropriate coding for data analysts.
• Addition of job titles
  • Example: A specific surveying technologist title was added to 22213 - Land survey technologists and technicians to better guide coding within this unit group.
• Revision of main duties
  • Example: The main duties, and employment requirements for 11100 – Financial Auditors and Accountants were revised to more accurately reflect the regulated title and responsibilities of Chartered Professional Accountants.
• Clarification and update of employment requirements
  • Example: The employment requirements for 31202 – Physiotherapists were revised to clarify the necessary degree and credential requirements.

Appendix: Governing principles and underlying concepts and criteria

Statistical Classification Principles

Principle 1: Follow internationally accepted definitions and guidelines on how to classify occupations and jobs as a statistical unit (also see National Occupational Classification - Introduction). Because the purpose of the NOC is primarily to provide a framework to support consistent statistical information on Canadian occupations, it is important to specify the scope of each category in the classification. By following standard definitions and coding practices, Principle 1 support consistent and sound statistics to be produced and disseminated. The NOC team and working group uses this information to evaluate whether proposed changes are properly placed in the classification structure.

Principle 2: Respect of the internationally recognized statistical classification principles, being:

• well defined universe: categories at each level of the classification structure must reflect a well-defined universe or scope;
• classification is exhaustive: it covers all possible elements in the universe even if all examples of such universe are not provided in the publication;
• categories are mutually exclusive: no overlapping in the scope of each classification item or category (to avoid double counting);
• classification structure is hierarchical: lower categories are dependent of their higher categories;
• classification structure is rectangular: the classification has a code represented at every level across its whole structure, regardless of the scope of each category;
• classification is comparable to other classifications (of the same domain);
• classification categories are empirically significant;
• classification is organized around one or few concepts (e.g., job; occupation);
• classification contains groupings meaningful to users;
• classification is widely adopted.

Principle 3: the classification is related to data that is collectible and publishable (collectability and reportability): whether data can be collected and reported on the occupational grouping. For a detailed occupation to be included in the NOC and expecting statistics to come out of it, Statistics Canada must be able to collect and report data, otherwise, categories will not provide opportunities to produce relevant statistics. Statistics Canada is responsible for producing data across the entire range of occupations in Canada and conducts comprehensive surveys that collect occupation and labour market data.

Collectability and reportability are partly a function of the size of the occupational grouping and other measure of empirical significance (meaning the occupation must be large enough to be detected in sample of surveys). In evaluating collectability and reportability, however, the NOC team and working group will not use a specific occupation size cut-off. This is because occupations that are concentrated in certain industries or geographic areas may be collectable and reportable, while occupations of similar or larger size that are spread throughout the economy may not be collectable and reportable. Therefore, size is not the only consideration in collectability and reportability. Collectability and reportability are also related to the type of data collection used by surveys or statistical programs.

Principle 4: the classification supports the maintenance of time series continuity to the extent possible; that is, the ability to maintain data series over time without interruption due to classification changes. To the extent possible, new occupational categories proposed for the current version of the NOC and beyond should be easily linked by appropriate correspondence to previous version the NOC (e.g., NOC 2021 to NOC 2016 and NOC 2016 to NOC 2011).

Guidelines developed by Statistics Canada provided for the launch of the permanent consultation process for the NOC will assist users and the NOC team and working groups in consistently making changes to the NOC.

Principle 5: the classification continues to be relevant, that is, it must be of analytical interest, result in data useful to users, and be based on appropriate statistical research, subject-matter expertise and administrative relevance aligned with statistical classification principles and needs.

Principle 6: the prevalence of classification principles and statistical needs: the NOC is designed primarily for statistical purposes. Although there can be various uses of the NOC for non-statistical purposes (e.g., for administrative, regulatory, or policy functions), the requirements of government agencies or private users that choose to use the NOC for non-statistical purposes are responsible for such use of the classification. As a result, the NOC team reviews comments and develops its recommendations based on established statistical classification principles and guidelines. Information provided unrelated to the accurate gathering of information for statistical purposes, such as perceived importance or visibility of an occupation, does not determine the NOC team recommendations. Similarly, the volume of comments does not determine what the recommendations will be, and just submitting a request for a change does not automatically result into a change in the NOC.

Underlying Concepts and Classification Criteria of the NOC

The statistical unit

The basic principle of the NOC is the kind of work performed. The statistical unit or object being classified using the NOC is the concept of a "job". A job encompasses all the tasks carried out by a particular person to complete their duties. A job title represents the name given to a job or a position. The term job is used in reference to employment or in self-employment.

An occupation is defined as a collection of jobs, sufficiently similar or identical in work or tasks performed to be grouped under a common label for classification purposes.

The scope of the classification

The scope of the NOC is all occupations and jobs in the Canadian labour market undertaken for pay or profit, including people who are self-employed.

The NOC is not designed to include work or tasks not undertaken for pay or profit, for example, voluntary work. However, a person may complete work not for pay or profit where the tasks completed may be described within some occupational groups.

The Criteria

The structure of the NOC is based on two key criteria:

1. Broad Occupational Category (BOC): Defined by the type of work performed, the field of study, or the industry of employment—often a combination of these factors.
2. TEER (Training, Education, Experience, and Responsibilities): Reflects the training (formal and on-the-job), qualifications and responsibilities required to competently perform the tasks associated with an occupation.

These criteria determine the placement of occupations within the classification and guide decisions to merge, split, or create new groups^{Footnote 2}.

Within unit groups, distinctions between occupations are based on differences in tasks performed. In most cases, all occupations within a unit group share the same TEER level. A split is justified only when the resulting occupations differ significantly in TEER levels and/or have distinct duties, ensuring the principle of mutual exclusiveness is upheld. A merger is justified when labour market changes result in limited ability to collect and report data on an occupation, making it more practical to combine it with another group to maintain statistical integrity and usability.

Resources

• Calgary-based Strathcona Resources Ltd. announced on October 10th that it was terminating its take-over bid for MEG Energy Corporation.
• Calgary-based Cenovus Energy announced it had acquired 8.5% of MEG Energy's common shares. Later, Cenovus announced it had acquired additional MEG shares, brining its total to 9.8% of MEG shares issued and outstanding.
• Calgary-based Kiwetinohk Energy Corp. and Cygnet Energy Ltd. announced they had entered into an arrangement agreement under which Cygnet would acquire all of the issued and outstanding common shares of Kiwetinohk for an enterprise value of $1.4 billion. The companies said closing would occur after December 16th, subject to satisfaction or waiver of all conditions, including required shareholder approvals, court approval and customary closing conditions.
• Burnaby, British Columbia-based Interfor Corporation announced it would further temporarily reduce lumber production in the fourth quarter of 2025 across its operations in British Columbia, Ontario, the U.S. Pacific Northwest, and the U.S. South. Interfor said that these curtailments were expected to reduce lumber production by approximately 250 million board feet, or 26%, as compared to the second quarter of 2025.
• Pennsylvania-based Westinghouse Electric Company, Cameco Corporation of Saskatoon, and Brookfield Asset Management of New York announced that the United States Government had entered into a strategic partnership to accelerate the deployment of nuclear power and that at the center of the new strategic partnership, at least USD $80 billion of new reactors would be constructed across the United States using Westinghouse nuclear reactor technology.

Minimum wage

• Manitoba's minimum wage increased from $15.80 to $16.00 per hour on October 1st.
• Nova Scotia's minimum wage increased from $15.70 to $16.50 per hour on October 1st.
• Ontario's minimum wage increased from $17.20 to $17.60 per hour on October 1st.
• Prince Edward Island's minimum wage increased from $16.00 to $16.50 per hour on October 1st.
• Saskatchewan's minimum wage increased from $15.00 to $15.35 per hour on October 1st.

Wildfires

• The Government of Nova Scotia announced on October 1st that wildfire season was extended provincewide to October 31st due to continued fire activity in the province. The Government said the full burn ban would remain in effect in Annapolis County and daily burn restrictions would continue to apply in all other counties to the end of the month.
• The Government of Quebec announced on October 21st it had completely lifted the ban on open fires in or near the forest due to the significant amounts of rain that had fallen. The Government said the measure had been in force since September 30th.

Other news

• The Government of Canada announced relief to support Canadian businesses affected by the countermeasures Canada had announced in response to the tariffs imposed by the United States and that:
  • the exemption for U.S. goods used in manufacturing, processing, or food and beverage packaging had been extended for an additional two months, and now included goods used in agricultural production;
  • the temporary exemption from tariffs on imports of U.S. goods that are used to support public health, health care, public safety, and national security objectives had also been extended for an additional two months; and
  • further relief from Canada's tariffs on imports from the U.S. and China had now been implemented for companies that met strict conditions such as demonstrating short supply or existing contractual obligations.
• The Government of Canada announced reductions to the import quotas of General Motors (GM) and Stellantis following the automakers' decisions to scale back their manufacturing presence in Canada. The Government said it was reducing GM's annual remission quota by 24.2%, and Stellantis' annual remission quota by 50%.
• The Government of Ontario announced it was investing $1 billion in small modular reactors (SMRs) at Darlington Nuclear Station. The Government said construction on the first SMR began in May 2025, with the SMR expected to come online in 2030. The Government also said that the Federal Government was investing $2 billion.
• The Bank of Canada lowered its target for the overnight rate by 25 basis points to 2.25%. The last change in the target for the overnight rate was a 25 basis points cut in September 2025.
• TD Canada Trust, RBC Royal Bank of Canada (RBC), BMO Bank of Montreal, Canadian Imperial Bank of Commerce (CIBC), Scotiabank, and Laurentian Bank of Canada announced they were decreasing their Canadian dollar prime lending rates by 25 basis points from 4.70% to 4.45%, effective October 30th.
• The Canadian Union of Postal Workers (CUPW) announced that starting October 11th it would move from a nation-wide strike action to rotating strikes. Canada Post said plans were now under way to ensure a safe and orderly restart of its national operations, which were shut down on September 25th.
• The Alberta Teacher's Association (ATA) announced on October 6th that 51,000 teachers had gone on strike. The Government of Alberta announced on October 3rd that ahead of the teacher strike, it was introducing more supports for families and students, including increasing October funding rates for eligible children in grades 1 to 6 who were attending out-of-school care full time. On October 27th, the Government of Alberta announced it had proposed Bill 2, the Back to School Act, that, if passed, would end the province-wide teachers' strike and legislate a new collective agreement. On October 28th, the ATA announced that given the imminent passage and coming into force of Bill 2, the Association would instruct teachers to return to their classrooms.
• Oshawa-based General Motors of Canada announced the end of production of the BrightDrop electric delivery van built at CAMI Assembly in Ingersoll, Ontario. GM said BrightDrop production would not be moved to another site and had been suspended since May 2025.

United States and other international news

• The U.S. Federal Open Market Committee (FOMC) lowered the target range for the federal funds rate by 25 basis points to 3.75% to 4.00%. The last change in the target range was a 25 basis points cut in September 2025. The Committee also said that it had decided to conclude the reduction of its aggregate securities holdings on December 1st.
• The Reserve Bank of New Zealand (RBNZ) lowered the Official Cash Rate (OCR), its main policy rate, by 50 basis points to 2.50%. The last change in the OCR was a 25 basis points cut in August 2025.
• The Bank of Japan (BoJ) announced it will encourage the uncollateralized overnight call rate to remain at around 0.50%. The last change in the uncollateralized overnight call rate was a 25 basis points increase in January 2025.
• The European Central Bank (ECB) left its three key interest rates unchanged at 2.00% (deposit facility), 2.15% (main refinancing operations), and 2.40% (marginal lending facility). The last change in these rates was a 25 basis points reduction in June 2025.
• The eight OPEC+ countries - Saudi Arabia, Russia, Iraq, UAE, Kuwait, Kazakhstan, Algeria, and Oman - announced they would implement a production adjustment of 137 thousand barrels per day from the 1.65 million barrels per day additional voluntary adjustments announced in April 2023. OPEC+ said this adjustment would be implemented in November 2025.
• Nebraska-based Berkshire Hathaway and Occidental Petroleum Corporation of Texas announced a definitive agreement for Berkshire Hathaway to acquire Occidental's chemical business, OxyChem, in an all-cash transaction for USD $9.7 billion. The companies said the transaction is expected to close in the fourth quarter of 2025, subject to regulatory approvals and other customary closing conditions.
• California-based AMD and OpenAI announced a 6 gigawatt agreement to power OpenAI's next-generation AI infrastructure across multiple generations of AMD Instinct GPUs. The companies said that under the agreement, OpenAI would work with AMD as a core strategic compute partner to drive large-scale deployments of AMD technology and that the first 1 gigawatt deployment of AMD GPUs is set to begin in the second half of 2026.
• The Artificial Intelligence Infrastructure Partnership (AIP), MGX of the United Arab Emirates, and Blackrock's Global Infrastructure Partnership of New York announced they will acquire 100% of the equity in Texas-based Aligned Data Centers for an implied enterprise value of approximately USD $40 billion. AIP said the transaction is expected to close in the first half of 2026, subject to regulatory approvals and customary closing conditions.
• Ohio-based Fifth Third Bancorp and Comerica Incorporated of Texas announced they had entered into a definitive merger agreement under which Fifth Third will acquire Comerica in an all-stock transaction valued at USD $10.9 billion. The banks said the transaction is anticipated to close at the end of the first quarter of 2026, subject to shareholder and customary regulatory approvals and closing conditions.
• California-based Meta announced that it and funds managed by Blue Owl Capital of New York had entered into a joint venture agreement which will develop and own the Hyperion data center campus in Louisiana. Meta said the parties had committed to fund their respective pro rata of the approximately USD $27 billion in total development costs for the buildings and long-lived power, cooling, and connectivity infrastructure at the campus.
• Netherlands-based Stellantis announced plans to invest USD $13 billion over the next four years to grow its business in the United States market and to increase its domestic manufacturing footprint. Stellantis said the investment will support the addition of more than 5,000 jobs at plants in Illinois, Ohio, Michigan, and Indiana.
• Switzerland-based Nestlé S.A. announced it planned to reduce its global headcount by around 16,000 over the next two years. Nestlé said the reduction includes around 12,000 white-collar professionals across functions and geographies and a further 4,000 as part of ongoing productivity initiatives in manufacturing and supply chain.
• Switzerland-based Novartis AG announced that it had entered into an agreement to acquire Avidity Biosciences, Inc., a California-based biopharmaceutical company, for total consideration of approximately USD $12 billion. Novartis said it expects the merger to close in the first half of 2026, subject to customary closing conditions.

Financial market news

• West Texas Intermediate crude oil closed at USD $60.98 per barrel on October 31st, down from a closing value of USD $62.37 at the end of September. Western Canadian Select crude oil traded in the USD $44.00 to $51.00 per barrel range throughout October. The Canadian dollar closed at 71.34 cents U.S. on October 31st, down from 71.83 cents U.S. at the end of September. The S&P/TSX composite index closed at 30,260.74 on October 31st, up from 30,022.81 at the end of September.

In October 2024, Statistics Canada's consultative engagement team held consultations to gather feedback on the themes covered by the Labour Force Survey (LFS) supplements program. Participants included analysts from federal and provincial governments, as well as academic researchers. Feedback was collected verbally and in writing and is summarized below by theme.

What we heard from stakeholders on the various themes

Skills and Training

Stakeholders, particularly representatives from the provinces, emphasized the importance of data on skills development, skill use, and skills matches. This included the integration of immigrants in the labour market and work experience gained by students. Participants requested more frequent data collection on training participation as well as more specific information on the distinction between "compliance training" and upskilling. There was also interest in measuring the types of tasks done within different occupations and the development of skills relating to the use of artificial intelligence.

Immigrant Labour Market Integration

Strong interest was expressed in data on immigrant labour market integration and productivity. Some participants requested more frequent collection, ideally quarterly, with breakdowns by immigrant class and non-permanent residents (NPRs). Concerns were raised about the quality of existing information, especially on intended occupations of immigrants and credential recognition.

Retirement Patterns

Participants, particularly those from the territories, sought better insight into retirement decisions, transitions, and the ambiguity surrounding retirement status. Requests included more detailed data by jurisdiction.

Gig Work and New Employment Forms

Stakeholders noted the need for more frequent data on gig work, self-employment stability, and digital platform employment. They were also interested in transitions between jobs, job mobility, and the diversity of self-employment and business ownership.

Work Location and Commuting

Federal stakeholders highlighted hybrid work and flexible work arrangements as priority areas. Commuting was viewed as less central to labour supply and productivity. Suggestions included merging work location and commuting themes and examining links between telework and commuting.

Demographics and Equity

Participants called for more detailed demographic data, including sexual orientation, neurodiversity, disability types, and intersectional measures. They also requested more regional detail, particularly distinctions between rural and urban areas.

Job Satisfaction and Financial Security

Stakeholders emphasized the value of data on job satisfaction, financial hardship, and debt repayment capacity. A dedicated supplement on financial security, wealth, and spending was suggested.

Multiple Jobholding

There was strong interest in exploring the reasons for multiple jobholding, with calls for more frequent collection and detailed information on secondary jobs. Participants also wanted to examine links between improved household financial capability and transitions out of multiple jobholding.

Training and Employer Investment

Participants noted a lack of information on barriers to accessing training and wanted clearer distinctions between formal and informal training. This was related to concerns about low employer investment in training and potential misallocation of resources.

Technology and AI

Stakeholders requested broader and more frequent data on emerging technologies, including AI. They wanted to understand how AI is used, its impact on job quality, and how it compares with traditional automation.

Other Themes

Additional areas of interest included:

• Career transitions and green jobs
• Interprovincial migration and mobility
• Workplace injuries, including separate measures for physical and mental health
• Work–family spillover and flexible work arrangements
• Student work experience and school-to-work transitions
• Reservation wages and job acceptance factors

Results

Statistics Canada expresses its gratitude to all participants for their valuable contributions to this consultative engagement. Their insights and experiences will play a key role in shaping timely and relevant data products and strategies that effectively meet the needs of data users.

By: Divita Narang; Financial Consumer Agency of Canada

Introduction

Continuous Integration and Continuous Development (CI/CD) are essential practices in modern software and data engineering that streamline development and delivery through automation. These methodologies play a key role in achieving technical maturity and scaling projects from Proof of Concepts (POC) to production environments.

When applied to the Azure ecosystem with Azure Data Factory (ADF) and Azure DevOps (or a preferred toolkit/cloud provider), CI/CD allows teams to automate the deployment of data pipelines, datasets, data variables, and related resources. This ensures faster updates, version control, and consistent environments across the development lifecycle.

Azure Data Factory (ADF) is a managed cloud service designed for complex extract-transform-load (ETL), extract-load-transform (ELT), and data integration processes. It helps orchestrate data movement at scale using a vast array of built-in connectors and features while ensuring security with Microsoft Entra Groups integration. ADF is adept at serving enterprise needs, such as moving data from point A to point B while incorporating transformations such as: enforcing data types, formats and more. For example, it can ingest data from a front-end customer-facing application and integrate the data into a database. That database endpoint can then be utilized for various downstream use cases such as: reporting, analytics, machine learning, artificial intelligence etc.

Azure DevOps is Microsoft's comprehensive suite of tools for version control, automation, and project management. It can store Git repositories in Azure Repos and enable CI/CD using Azure Pipelines, which is used for deploying code projects. Azure Pipelines combines continuous integration, continuous testing, and continuous delivery to build, test, and deliver code to multiple destination environments.

At the Financial Consumer Agency of Canada (FCAC), we widely utilize Azure Data Factory and Azure Pipelines for managing the integration and deployment of data resources to and from endpoints such as Microsoft Dataverse, Microsoft Graph API, SQL Server databases, etc. As a growing data team, we are consistently exploring innovative approaches to tackle data engineering processes.
Recently, we addressed the challenge of automating deployment pipelines for Azure Data Factory (ADF). The manual processes involved in deployments were typically time-consuming, taking anywhere between 2-4 hours for a medium size code repository. Code could only be uploaded to the new environment manually or with PowerShell scripts, with each file taking up to a few minutes to upload. Additionally, the code had to be cleaned and prepared manually for the new environments. We anticipated that as the codebase grew within projects, the time required to perform these tasks would further increase. Please note that deployment times can vary significantly with codebase size and various factors suggested here.

Despite the automation efforts, it is worth noting that the manual processes can still be utilized as backup when team members are not available or when automated processes fail, and recovery is not possible in a short timeframe.

Though CI/CD has a broad scope, for the remainder this article we will focus on Continuous Integration and Deployment in the context of moving Data Factory resources from lower-level environments such as development to higher-level environments like Staging, Production, etc. Pipelines can be run manually, based on a schedule, or triggered by a change to the repository, such as a commit or merge to a specific branch.

Solution Overview

In this article, we will focus on a solution as highlighted in architecture below

Note:  Azure Data Factory code is based on Azure Resource Manager (ARM) templates, which is essentially Infrastructure as Code (IaC) in the JavaScript Object Notation (JSON) format. These files define the infrastructure and configuration for Azure resources. Just like application code, infrastructure code can be stored and versioned in a source repository.

Solution Pre-requisites

1. Source control with Git, based on Azure DevOps.
2. Pipeline agent parallelism enabled on Azure DevOps project. (Parallelism Request Form)
3. Service Connections on Azure DevOps with access to relevant resource groups where Data Factory resides.
4. Azure Data Factory Linked Services and other relevant authentication details stored as secrets on Azure Key Vault.
5. Blob Storage account with read/write access to store ARM Templates.

Continuous Integration:

Code changes are published using the publish button on the ADF user interface once development has been completed on collaboration branch and pull request is completed on the main branch.

Upon publish, ADF takes care of the process of generating and validating ARM Templates. The generated templates contain all factory resources such Pipelines, Datasets, Linked Services, Integration Runtimes, Triggers and more. All these resources will likely have unique parameters in different environments which need to be carefully validated or else they can cause deployment errors or worse: a successful deployment with incorrect references to parameters like incorrect authentication details for a SQL Server Linked Service. A significant portion of the development effort was dedicated to addressing these challenges, as will be detailed in subsequent sections.

Build Pipeline Setup:

For the build setup, multiple tasks available in Azure Pipelines are used in decoupled steps as follows.

1. Get resources in the Pipeline from your Azure DevOps repo and (this is very important) select the default branch as ‘adf_publish’.
2. Use ‘Publish Artifact’ task to ‘drop’ the artifacts for use by the pipeline.
3. Use ‘PowerShell Script’ task to run a script to replace all parameters to match with the target environment. For example, if the development database name is ‘Dev-DB’ in the source code and the target environment is staging with the database name such as ‘Stg-DB’, the PowerShell script can perform string replacement in all files for all variable references to reflect the correct target database. Please refer to this code sample for further guidance.
   Pro-tip: A lot of parameters exist in the first few Arm Templates, but it is best to run the script on each Arm Template file. There is also a way to modify parameters using ‘Override Parameters’ in the release part of the pipeline which we will get into later in this article.
4. Use ‘Azure File Copy’ task to copy all templates from the ‘linkedTemplates’ folder of your repo into a storage account. Storing ARM templates in blob storage creates the welcome redundancy for storing modified code from Step 3. It is also a required practice for large codebases.
   Pro-tip: Clean storage container before copying. And create separate containers for different environments such as Staging, UAT, Production, etc. This helps with keeping things organised and reduces chances of erroneous deployments.

After the setup the pipeline will roughly look like this:

Release Pipeline Setup:

1. Create an ‘Empty job’ in the ‘Releases’ section of Azure DevOps.
2. Add repository artifacts processed by the Build Pipeline created earlier.
3. Search for and create a ‘PowerShell Task’. Provide the path to pre/post deployment script. This script is used to stop triggers before deployment and restart them afterwards. It is provided by Microsoft : Continuous integration and delivery pre- and post-deployment scripts - Azure Data Factory | Microsoft Learn. For ease of use, the script can be uploaded to the project repo.
4. Search for and create an ‘Arm Template Deployment’ Task and fill in details according to the previous pipeline and project setup.
   1. In the ‘Override template parameters’ section of the task, you will notice that some parameters are already loaded based on the ‘ArmTemplateParameters_master.json’ which is part of artifacts from the project. These can be further customised based on the ‘arm-template-parameters-definition.json’ configuration on Azure data factory : Custom parameters in a Resource Manager template - Azure Data Factory | Microsoft Learn.
      If this option is chosen, there is no need to perform Step 3 in build pipeline setup. Here is an example of using custom parameters for Azure Blob Storage, Azure SQL Database and Dataverse (Common Data Services for Apps)

This approach may not be suitable if there are more than 256 parameters, as that is the maximum number allowed. If refactoring the code is a possibility for your project, consider these alternatives:

• Reducing the number of parameters by utilizing global parameters wherever possible.
• Taking note of parameters that are implicitly inherited and removing those when redundant. For example, dataset parameters are inherited from linked services and may not need to be added to datasets if they are already present in linked services.
• If maintenance and new resource creation is not an issue, split the solution into multiple data factories for large solutions.
• Use power shell scripts to clean and prepare code for different environments as utilised in this solution.

After the setup, the release pipeline will roughly look like the following:

Note that the Pre-Deployment and Post-Deployment task uses the same script but with different script arguments.

Troubleshooting, Testing and a few more Pro-Tips:

1. To begin testing the new solution it might be worth creating a test Azure Data Factory and deploy there to ensure all the parameters are copying properly and Linked Services/Datasets connections are successful.
2. During and after deployments: monitor logging at the resource group level’s ‘Deployments’ tab of Azure Data Factory in Azure Portal to check for progress and more descriptive error logs.
3. If the time fields on Tumbling window triggers are not aligned with the target environment, the deployment will fail. An easy fix is to align the time fields to match with triggers in target deployment environments.
4. Integration Runtimes can also be incompatible in different environments. A quick fix is to remove/update references to Integration Runtimes using the PowerShell script in Step 2 of the build pipeline.
5. Using hotfix approach if the deployed data factory has a bug that needs to be fixed as soon as possible.
6. If Global Parameters are specific in each environment, the ‘Include global parameters’ checkbox can be left unchecked on Arm Template Configuration section in ADF. In that way there will be a few less parameters to customize while deploying.
7. Continuous Integration triggers can be enabled in both the Pipeline and the Release level based on schedules, pull requests or artifacts.
8. Pre-deployments approvals can also be setup at the Release level for critical deployments such as in production environments.
9. Pre-determine whether to choose ‘Incremental’ or ‘Complete’ deployment mode especially if environments differ in resource storage.
10. During the testing phase, ARM templates can be manually exported to local storage and PowerShell scripts created for parameter management can be run locally for quicker testing and troubleshooting.

Evaluation

This is one way amongst many to approach automated deployments in Azure Data Factory for different environments. We chose to build this solution using Azure services as that is the agency’s choice of cloud services provider. This process has helped us explore CI/CD automation in the context of data solutions and demonstrate the possibility of significant time savings for deployments. However, as the learning curve goes with any new process, we also encountered errors and spent significant time troubleshooting. This led us to discover unique quirks in the process, which we have highlighted as pro-tips above. These tips can be highly beneficial, saving you time and effort by helping you avoid common pitfalls and streamline your Azure based deployment processes.

Conclusion

We are committed to enhancing our operations environment for iterative deployments by continuously refining our CI/CD processes. We are also actively gathering feedback from our team to identify areas for improvement in our releases.

With rapid innovation and an increasing availability of built-in features in Microsoft's data products, we also recommend that readers refer to the following resources: Automated Publishing for CI/CD , Deploying linked ARM Templates with VSTS and Deployments in Microsoft Fabric.
Stay tuned for more insights and updates on these topics in our upcoming articles!

If you have any questions about my article or would like to discuss this further, I invite you to Meet the Data Scientist, an event where authors meet the readers, present their topic, and discuss their findings.

Register for the Meet the Data Scientist event. We hope to see you there!

Purpose
The purpose of the 2025 Canadian Survey of Cyber Security and Cybercrime is to measure the impact of cybercrime on Canadian businesses and organizations.

The survey gathers information about

• The measures businesses and organizations have implemented for cyber security, including employee training;
• The types of cyber security incidents that impact businesses and organizations; and
• The costs associated with preventing and recovering from cyber security incidents.

Additional information

Your information may also be used by Statistics Canada for other statistical and research purposes.

Your participation in this survey is required under the authority of the Statistics Act.

Authority

Data are collected under the authority of the Statistics Act, Revised Statutes of Canada, 1985, Chapter S-19.

Confidentiality

By law, Statistics Canada is prohibited from releasing any information it collects that could identify any person, business, or organization, unless consent has been given by the respondent, or as permitted by the Statistics Act. Statistics Canada will use the information from this survey for statistical purposes only.

Data-sharing agreements

To reduce respondent burden, Statistics Canada has entered into data-sharing agreements with provincial and territorial statistical agencies and other government organizations, which have agreed to keep the data confidential and use them only for statistical purposes. Statistics Canada will only share data from this survey with those organizations that have demonstrated a requirement to use the data.

Section 11 of the Statistics Act provides for the sharing of information with provincial and territorial statistical agencies that meet certain conditions. These agencies must have the legislative authority to collect the same information, on a mandatory basis, and the legislation must provide substantially the same provisions for confidentiality and penalties for disclosure of confidential information as the Statistics Act. Because these agencies have the legal authority to compel businesses to provide the same information, consent is not requested and businesses may not object to the sharing of the data.

For this survey, there are Section 11 agreements with the provincial and territorial statistical agencies of Newfoundland and Labrador, Nova Scotia, New Brunswick, Quebec, Ontario, Manitoba, Saskatchewan, Alberta, British Columbia and the Yukon.

The shared data will be limited to information pertaining to business establishments located within the jurisdiction of the respective province or territory.

Section 12 of the Statistics Act provides for the sharing of information with federal, provincial or territorial government organizations. Under Section 12, you may refuse to share your information with any of these organizations by writing a letter of objection to the Chief Statistician, specifying the organizations with which you do not want Statistics Canada to share your data and mailing it to the following address

Chief Statistician of Canada
Statistics Canada
Attention of Director, Centre for Innovation, Technology and Enterprise Statistics
150 Tunney's Pasture Driveway
Ottawa, ON
K1A 0T6

You may also contact us by email at statcan.digitaleconomysociety-economiesocietenumerique.statcan@statcan.gc.ca.

For this survey, there are Section 12 agreements with the statistical agencies of Prince Edward Island, Northwest Territories and Nunavut, as well as with Public Safety Canada; Royal Canadian Mounted Police; Natural Resources Canada; Communications Security Establishment; Innovation, Science and Economic Development Canada; and Public Services and Procurement Canada.

For agreements with provincial and territorial government organizations, the shared data will be limited to information pertaining to business establishments located within the jurisdiction of the respective province or territory.

Record linkage

To enhance the data from this survey and to reduce respondent burden, Statistics Canada may combine it with information from other surveys or from administrative sources.

Reporting instructions

For this questionnaire

Please complete this questionnaire for Canadian operations of this business or organization.

Reporting instructions

• Report dollar amounts in Canadian dollars.
• Report dollar amounts rounded to the nearest dollar.
• If precise figures are not available, provide your best estimate.
• Enter "0" if there is no value to report.

Business or organization characteristics

Business or organization characteristics - Question identifier1

Which of the following does your business or organization currently use? Select all that apply.

• Website for your business or organization
• Social media accounts for your business or organization
• E-commerce platforms and solutions
• Web-based applications
• Open source software
• Cloud computing or storage
• Internet-connected smart devices or Internet of Things (IoT)
• Intranet
• Blockchain technologies
• Voice Over Internet Protocol (VoIP) services
• Remote Access Technology
• Software or hardware using artificial intelligence (AI)
• OR
• Business or organization does not use any of the above

Business or organization characteristics - Question identifier2

What type of data does your business or organization store on servers which are connected to the Internet.

Include

• data stored on cloud computing or storage services
• data stored on servers that can be accessed remotely (e.g., through virtual desktop connections)
• data that are backed-up.
• cloud-based artificial intelligence (AI) systems trained on data the business or organization holds

Select all that apply.

• Personal employee information
• Personal information about customers, suppliers, or partners
• Confidential business or organization information
• Commercially sensitive information
• Non-sensitive or public information
• OR
• Business or organization does not store data on servers which are connected to the Internet

Business or organization characteristics - Question identifier3

Does anyone in your business or organization use personally-owned devices such as smartphones, tablets, laptops, or desktop computers to carry out regular business-related activities?

Include personally-owned devices with enterprise software installed, and devices that are subsidized by the business or organization.

• Yes
• No
• Do not know

Cyber security environment

Cyber security environment - Question identifier4

Which cyber security measures does your business or organization currently have in place?

Include on-site and external security measures, including those provided by an external party. Select all that apply.

• Mobile security
  Does your business or organization allow access to any of the following applications when mobile security is disabled?
  Include applications on all devices with mobile security installed by your business or organization.
  Select all that apply.
  • Enterprise applications
  • Other online applications
  • Other offline applications
  • OR
  • All applications require mobile security to be enabled
• Anti-malware software to protect against viruses, spyware, ransomware, etc.
• Web security
• Email security
• Network security
• Data protection and control
• Point-Of-Sale (POS) security
• Software and application security
• Hardware and asset management
• Identity and access management
• Physical access controls
• Multi-Factor Authentication
• AI-based cyber security tools
• OR
• Business or organization does not have any cyber security measures in place
• OR
• Do not know

Cyber security environment - Question identifier5

Did any of the following external parties or cyber security standards or cyber security certification programs require your business or organization to implement certain cyber security measures?

Select all that apply.

• Supplier of physical goods
• Supplier of digitally delivered goods or services
• Supplier of other services that are not digitally delivered
• Customer
• Partner
• Canadian departments, agencies, centres or regulators
  Which Canadian departments, agencies, centres or regulators required your business or organization to implement certain cyber security measures?
  Select all that apply.
  • Office of the Privacy Commissioner
  • Canadian Radio-television and Telecommunications Commission
  • Competition Bureau
  • Innovation, Science and Economic Development Canada
  • Canadian Centre for Cyber Security (Cyber Centre)
  • Canadian Spam Reporting Centre
  • Canada Revenue Agency (CRA)
  • Other
• Foreign departments, agencies, centres or regulators
• Cyber security standard or cyber security certification program
• Cyber risk insurance provider
• OR
• None of the above

Cyber security environment - Question identifier6

How many employees does your business or organization have that complete tasks related to cyber security as part of their primary responsibilities?

Include part-time and full-time employees. Examples of tasks these employees may complete include

• managing, evaluating or improving the security of business networks, web presence, email systems or devices;
• patching or updating the software or operating systems used for security reasons;
• completing tasks related to recovery from previous cyber security incidents.

Exclude

• Members of senior management with responsibility for decision making regarding cyber security risks, threats and incidents
• External IT consultants or contractors.

If precise figures are not available, please provide your best estimate.

• One employee
• Two to five employees
• 6 to 15 employees
• Over 15 employees
• None
• Do not know

Cyber security environment - Question identifier7

What are the main reasons your business or organization does not have any employees that complete tasks related to cyber security as part of their regular responsibilities? Select all that apply.

• Business or organization uses private sector consultants or contractors to monitor cyber security
• Business or organization uses public sector consultants or contractors to monitor cyber security
• Business or organization has cyber risk insurance
• Business or organization is in the process of recruiting a cyber security employee
• Business or organization is unable to find an adequate cyber security employee
• Business or organization lacks the money or resources to employ a cyber security employee
• Cyber security is not a high enough risk to the business or organization
• Business or organization's parent organization manages cyber security

Cyber security environment - Question identifier8

What percentage of the employees that complete tasks related to the cyber security of your business or organization as part of their primary responsibilities identify as the following genders?

Gender refers to current gender, which may be different from sex assigned at birth and may be different from what is indicated on legal documents.

Exclude individuals employed by external IT consultants or contractors.

If precise figures are not available, please provide your best estimate.

• Female
• Male
• Another gender

Cyber security environment - Question identifier9

Which of the following population groups do your business or organization's cyber security employees belong to?

Select all that apply.

• White
• Indigenous
• Visible minority
• OR
• Do not know

Cyber security environment - Question identifier10

Which qualifications would your business or organization consider essential when hiring new cyber security employees?

Select all that apply.

• Academic certificates, diplomas or degrees
  What is the highest academic certificate, diploma or degree that would be considered essential?
  • High school diploma or a high school equivalency certificate
  • Trades certificate or diploma
  • College, CEGEP or other non-university certificate or diploma (other than trades certificates or diplomas)
  • University certificate or diploma below the bachelor's level
  • Bachelor's degree
  • University certificate, diploma or degree above the bachelor's level
• Other cyber security certifications
  Which cyber security certifications are considered essential?
  • Certified Ethical Hacker
  • Certified Information Security Manager
  • Certified Information Systems Professional
  • GIAC Security Expert
  • Security+
  • Other certifications
• Experience working in cyber security
• Other cyber security training
• Other qualifications
  • Specify other qualifications
• OR
• Business or organization has never attempted to hire a cyber security employee
• OR
• Do not know

Cyber security environment - Question identifier11

What are the top 3 technical cyber skills you are looking for in potential new cyber security employees?

Select up to three.

• Script writing
• Software development, deployment or debugging
• IT system development, implementation or maintenance
• Data management or analysis
• Knowledge of Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS)
• Experience with IT or network security
• Experience with application security
• Experience with cyber security incident response
• Experience with ethical hacking
• Experience with AI systems
• Other - Specify other technical skills

Cyber security environment - Question identifier12

In 2025, did your business or organization encounter any challenges finding qualified cyber security employees or retaining existing cyber security employees?

Select all that apply.

• Challenges finding qualified cyber security employees
• Challenges retaining cyber security employees
• OR
• This business or organization did not encounter any challenges finding or retaining qualified cyber security employees in 2025
• OR
• Do not know

Cyber security environment - Question identifier13

What challenges did your business or organization encounter when hiring cyber security employees in 2025?

Select all that apply.

• Applicants lacking skills
• Applicants lacking experience
• Salary requests too high
• Not enough time or resources for effective recruitment
• Lack of candidate interest in the position
• Other challenges
  • Specify other challenges
• OR
• Do not know

Cyber security environment - Question identifier14

For which reasons did cyber security employees leave your business or organization in 2025?

Select all that apply.

• Recruited by other business or organization operating in Canada
• Recruited by other business or organization operating outside of Canada
• Limited internal promotion or development opportunities
• High stress levels at work
• Lack of flexibility (work-life balance)
• Visa or work permit issues
• Layoffs or dismissals
• Retirement
• Family commitments
• Other reasons - Specify other reasons
• OR
• No cyber security employees left the business or organization in 2025
• OR
• Do not know

Cyber security environment - Question identifier15

Did your business or organization share best practices or general information on cyber security risks with your employees in 2025?

Include the sharing of information through email, bulletin boards, general information sessions on subjects related to

• recognizing and avoiding email scams
• importance of password complexity and basic security techniques
• securing your web browser and safe web browsing practices
• avoiding phishing attacks
• recognizing and avoiding spyware.
  • a. Information shared with internal cyber security employees
  • b. Information shared with other employees
    • Yes
    • No
    • Not applicable
    • Do not know

Cyber security environment - Question identifier16

Did your business or organization provide formal training to develop or upgrade cyber security related skills of your employees or stakeholders in 2025?

Include training provided by external sources.

Exclude ad hoc information sharing between employees.

1. Provided training to internal cyber security employees
2. Provided training to other employees
3. Provided training to stakeholders such as suppliers, customers or partners
   • Yes
   • No
   • Not applicable
   • Do not know

Cyber security environment - Question identifier17

Why did your business or organization not provide formal training to develop or upgrade the cyber security related skills of some or all of its employees?

• Unable to find appropriate training
• Cost of training
• Not enough time or resources to send employees on training
• Lack of interest from employees
• Employees did not require formal training
• Other

Cyber security environment - Question identifier18

What are the three main reasons your business or organization spends time on or allocates budget to cyber security measures or related skills training?

Select up to three.

• Allow employees to work remotely securely
• Protect the reputation of the business or organization
• Protect personal information of employees, suppliers, customers or partners
• Protect trade secrets and intellectual property
• Compliance with Canadian laws and regulations
• Compliance with foreign laws and regulations
• Compliance with contracts
• Business or organization has suffered a cyber security incident previously
• Prevent downtime and outages
• Prevent fraud and theft
• Secure continuity of business or organization operations
• Required by cyber risk insurance provider
• OR
• Business or organization does not spend time or money on cyber security measures or related skills training

Cyber security readiness

Cyber security readiness - Question identifier19

Which risk management arrangements does your business or organization currently have in place?

Select all that apply.

• Cyber risk insurance
  What type of cyber risk insurance does your business or organization have?
  • Indirect coverage through an existing insurance policy
  • A cyber-specific add-on to an existing insurance policy
    What type of cyber-specific add-on does your business or organization have?
    • A cyber-specific add-on to an existing insurance policy with under 100k in coverage
    • A cyber-specific add-on to an existing insurance policy with over 100k in coverage
    • Do not know
  • Standalone cyber risk insurance
  • Other
• A procedure for notifying employees of cyber security incidents or threats
• A Business Continuity Plan (BCP) with processes to manage cyber security threats, vulnerabilities, and risks
• Employees with responsibility for overseeing cyber security risks and threats
• Members of senior management with responsibility for decision making regarding cyber security risks, threats and incidents
• A consultant or contractor to manage cyber security risks and threats
• Monthly or more frequent patching or updating of operating systems for security reasons
• Monthly or more frequent patching or updating of software for security reasons
• Recurring mandatory cyber security training for employees
• Backups of digital information
  Where are these backups stored?
  • In the same location as the main storage
  • At a different business or organization location from the main storage
  • At a third-party location
• Investment in threat intelligence
• Participation in a cyber security information sharing community
• OR
• Business or organization does not have any risk management arrangements for cyber security

Cyber security readiness - Question identifier20

What types of written policies related to cyber security does your business or organization currently have in place?

Select all that apply.

• A written policy in place to manage internal cyber security risks
• A written policy in place to manage cyber security risks associated with supply chain partners
  Does your business or organization's written policy associated with supply chain partners cover any of the following?
  • Cyber security risks related to immediate suppliers or partners
  • Cyber security risks related to your business or organization's wider supply chain
• A written policy in place to report cyber security incidents
• A written policy in place to report a cyber security vulnerability
• Other type of written policy related to cyber security
• OR
• The business or organization does not have any written policies related to cyber security

Cyber security readiness - Question identifier21

Why does your business or organization not have a written policy in place to manage cyber security risks associated with supply chain partners?

Select all that apply.

• Lack of time or money to invest in developing or upholding a policy
• Lack of knowledge for how to develop a policy
• Lack of available information regarding supply chain partners
• Creating such a policy is not a priority
• Such a policy is not applicable to this business or organization
• Business or organization has not considered establishing a policy
• Such a policy is not mandated by the Government of Canada
• Other

Cyber security readiness - Question identifier22

Have any of your written cyber security policies been reviewed by third parties, such as cyber security consultants, or external auditors, within the past 2 years?

• Yes
• No
• Do not know

Cyber security readiness - Question identifier23

How would you describe the level of preparedness of your business or organization to defend itself against cyber threats?

• Extremely prepared
• Very prepared
• Somewhat prepared
• Unprepared
• Very unprepared

Cyber security readiness - Question identifier24

Which of the following are covered under your cyber risk insurance policy? Select all that apply.

• Direct losses from an attack or intrusion
• Incident response
• Restoration expenses for software, hardware, and electronic data
• Interruptions (loss of productive time)
• Reputation losses
• Third-party liability
• Cyber extortion or ransom payments
• Financial losses
• Security breach remediation and notification expenses
• Credit monitoring expenses
• Claims made by employees
• Other - Please specify
• OR
• Do not know

Cyber security readiness - Question identifier25

When your business or organization's cyber risk insurance was last up for renewal, did your provider change any of the following?

Select all that apply.

• Higher premiums
• Higher deductibles
• Lower coverage limits
• Additional exclusions
• Co-insurance
• Sub-limits
• Baseline cyber security threshold or cyber security standards checklist required to obtain coverage increased
• Reduced ransomware coverage
• More detailed submissions, including but not limited to, supplemental ransomware questionnaires
• Providing pre-breach services
• Enlisting third-party cyber security firm to conduct additional assessments
• Carrying out external scans of web-facing assets
• Other
  • Please specify
• OR
• No changes were made to the business or organization's cyber risk insurance
• OR
• Do not know

Cyber security readiness - Question identifier26

Why does your business or organization not have cyber risk insurance?

Select all that apply.

• The business or organization's existing insurance policies cover cyber security risks
• The cost of cyber risk insurance is too high
• The business or organization's existing cyber security measures provide enough protection that cyber risk insurance is unnecessary
• The business or organization had no cyber security risks
• The business or organization has not considered obtaining cyber risk insurance
• Not applicable to this business or organization
• Other reasons for not having cyber risk insurance
• OR
• Do not know

Cyber security readiness - Question identifier27

Prior to responding to this survey, were you aware of any cyber security standards or cyber security certification programs that businesses and organizations can apply for?

Include

• Canadian, foreign and international standards and programs;
• standards and programs that you were aware of but your business or organization was not eligible for or did not apply for.

Select all that apply.

• Cyber security standards
  Does your business or organization follow any cyber security standards?
  • Yes
  • No
  • Do not know
• Cyber security certification programs
  Does your business or organization hold any cyber security certifications?
  • Yes
  • No
  • Do not know
• OR
• Not aware of any cyber security standards or certification programs

Cyber security readiness - Question identifier28

Which activities does your business or organization undertake to identify cyber security risks?

Select all that apply.

• Monitoring insider threat risk behaviours
• Monitoring other employee behaviour
• Monitoring network and business or organization systems
• A formal risk assessment of cyber security practices, undertaken by an employee
• A formal risk assessment of cyber security practices, undertaken by an external party
• Penetration testing, undertaken by an employee
• Penetration testing, undertaken by an external party
• Assessment of the security of Internet-connected smart devices or Internet of Things (IoT) devices
• Complete audit of IT systems, undertaken by an external party
• Business or organization conducts other activities to identify cyber security risks
• OR
• Business or organization does not conduct any activity to identify cyber security risks

Cyber security readiness - Question identifier29

How often does your business or organization conduct activities to identify cyber security risks? Select all that apply.

• On a scheduled basis
  On what schedule does your business or organization conduct activities to identify cyber security risks?
  • Daily
  • Weekly
  • Monthly
  • Quarterly
  • Annually
  • Other
• After a cyber security incident occurs
• When a potential vulnerability is discovered
• When a new IT initiative or project is launched
• On an irregular basis

Cyber security readiness - Question identifier30

How often is senior management in your business or organization given an update on actions taken regarding cyber security? Select all that apply.

• On a scheduled basis
  On what schedule does senior management get updates on actions taken regarding cyber security?
  • Daily
  • Weekly
  • Monthly
  • Quarterly
  • Annually
  • Other
• After a cyber security incident occurs
• When a potential vulnerability is discovered
• When a new IT initiative or project is launched
• Senior management have tools to track cyber security issues
• Senior management is given an update on an irregular basis
• OR
• Senior management is not updated on cyber security issues

Cyber security readiness - Question identifier31

Which of the following cyber security resources provided by the federal government has your business or organization used?

Select all that apply.

• Get Cyber Safe campaign
• CyberSecure Canada certification program
• Baseline Cyber Security Controls for Small and Medium Businesses
• Canadian Cyber Security Tool (CCST)
• Ransomware Playbook
• Developing an Operational Technology and Information Technology Incident Response Plan
• Canadian Centre for Cyber Security Top 10 IT Security Actions
• Sector specific guidance or tools
• Other reports, advice or guidance
• OR
• The business or organization has not used any cyber security resources provided by the federal government
• OR
• Do not know

Cyber security incidents

Cyber security incidents - Question identifier32

To the best of your knowledge, which cyber security incidents impacted your business or organization in 2025?

Select all that apply.

• Incidents to disrupt or deface the business or organization or web presence
• Incidents to steal personal or financial information
• Incidents to steal money or demand ransom payment
• Incidents to steal or manipulate intellectual property or business or organization data
• Incidents to access unauthorised or privileged areas
• Incidents to monitor and track business or organization activity
• Incidents with an unknown motive
• OR
• Business or organization was not impacted by any cyber security incidents in 2025

Cyber security incidents - Question identifier33

In 2025, was your business or organization contacted by any of the following external parties regarding their cyber security incidents because they may have involved your business or organization?

Select all that apply.

• Suppliers, customers or partners
• IT consultant or contractor
• Cyber risk insurance provider
• Canadian department, agency, centre or regulator
  Which Canadian departments, agencies, centres or regulators contacted your business or organization?
  • Office of the Privacy Commissioner
  • Canadian Radio-television and Telecommunications Commission
  • Competition Bureau
  • Innovation, Science and Economic Development Canada
  • Canadian Centre for Cyber Security (Cyber Centre)
  • Canadian Spam Reporting Centre
  • Canada Revenue Agency (CRA)
  • Other
• Foreign department, agency, centre or regulator
• Industry association
• Bank or other financial institution
• Software or service vendor
• Other parties not mentioned above
• OR
• External parties did not report their cyber security incidents to the business or organization in 2025

Cyber security incidents - Question identifier34

You previously indicated that external parties contacted your business or organization about their cyber security incidents because they may have involved your business or organization in 2025. How did your business or organization react to those cyber security incidents?

Select all that apply.

• Incidents were resolved internally
• Incidents were resolved with the external party
• Incidents were resolved through cyber risk insurance
• Incidents were resolved through an IT consultant or contractor
• Incidents were reported to a police service
• Incidents were reported to other external parties
• Business or organization is currently working with the external party to resolve the incidents
• OR
• No action was necessary or not action was taken by the business or organization

Cyber security incidents - Question identifier: 35

In a previous question, you were asked about cyber security incidents that impacted your business or organization. Thinking now about all attempted cyber security attacks or intrusions, regardless of their impact, which of the following did your business experience in 2025?

Select all that apply.

• Attempts to disrupt or deface the business or organization or web presence
• Attempts to steal personal or financial information
• Attempts to steal money or demand ransom payment
• Attempts to steal or manipulate intellectual property or business or organization data
• Attempts to access unauthorised or privileged areas
• Attempts to monitor and track business or organization activity
• Attempted cyber security attacks or intrusions with an unknown motive
• OR
• Business or organization did not experience any attempted cyber security attacks or intrusions in 2025

Cost of cyber security incidents

Cost of cyber security incidents - Question identifier36

In 2025, what was the total amount your business or organization spent to prevent or detect cyber security incidents?

Exclude costs that were incurred specifically due to previous cyber security incidents (e.g., recovery costs from previous cyber security incidents).

If precise figures are not available, provide your best estimate in Canadian dollars.

Enter "0" if there is no value to report.

1. Employee salary related to prevention or detection
2. Cost of training employees, suppliers, customers, or partners
3. Cost of hiring IT consultants or contractors
4. Cost of legal services or public relations (PR) services
5. Cost of cyber security software
6. Cost of hardware related to cyber security
7. Annual cost of cyber risk insurance or equivalent
8. Cost of bug bounty programs and compensation to vulnerability researchers
9. Other related costs

Cost of cyber security incidents - Question identifier37

In 2025, what was the total cost to your business or organization to recover from the cyber security incidents?

Exclude costs related to prevention and detection of cyber security incidents as these were asked in the previous question.

If precise figures are not available, provide your best estimate in Canadian dollars.

Enter "0" if there is no value to report.

1. Employee salary related to recovery
2. Cost of training employees, suppliers, customers, or partners
3. Cost of hiring IT consultants or contractors
4. Cost of legal services or public relations (PR) services
5. Cost of hiring other external parties
6. Cost of new or upgraded cyber security software
7. Cost of new or upgraded hardware related to cyber security
8. Increased cost of cyber risk insurance or equivalent
9. Reimbursing suppliers, customers, or partners
10. Financial penalties from Canadian regulators or authorities
11. Financial penalties from foreign regulators or authorities
12. Ransom payments
13. Additional credit monitoring fees
14. Costs related to notification of a breach
15. Other related costs

Impact of cyber security incidents

Impact of cyber security incidents - Question identifier38

To the best of your knowledge, who perpetrated the cyber security incidents in 2025?

Select all that apply.

• Incidents to disrupt or deface the business or organization or web presence
• Incidents to steal personal or financial information
• Incidents to steal money or demand ransom payment
• Incidents to steal or manipulate intellectual property or business or organization data
• Incidents to access unauthorised or privileged areas
• Incidents to monitor and track business or organization activity
• Incidents with an unknown motive
  • An external party
  • An internal employee
  • Supplier, customer or partner
  • OR
  • Do not know

Impact of cyber security incidents - Question identifier39

What were the methods used by the perpetrator for the cyber security incidents?

Select all that apply.

• Incidents to disrupt or deface the business or organization or web presence
• Incidents to steal personal or financial information
• Incidents to steal money or demand ransom payment
• Incidents to steal or manipulate intellectual property or business or organization data
• Incidents to access unauthorised or privileged areas
• Incidents to monitor and track business or organization activity
• Incidents with an unknown motive
  • Exploiting software, hardware, or network vulnerabilities
  • Password cracking
  • Identity theft
  • Scams and fraud
  • Ransomware
  • Other malicious software
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS)
  • Disruption or defacing of web presence
  • Abuse of access privileges by a current or former internal party
  • Other
  • OR
  • Do not know

Impact of cyber security incidents - Question identifier40

You previously indicated that your business or organization has cyber risk insurance. Did your business or organization attempt to make a claim on that policy after the cyber security incidents in 2025?

Select all that apply.

• Yes, we successfully made a claim against the business or organization's cyber risk insurance
• Yes, we attempted to make a claim against the business or organization's cyber risk insurance but were unsuccessful
• Yes, we attempted to make a claim against the business or organization's cyber risk insurance and it is still in progress
• OR
• No, we have not attempted to make a claim for any of the cyber security incidents

Impact of cyber security incidents - Question identifier41

How was your business or organization impacted by the cyber security incidents in 2025?

Select all that apply.

• Loss of revenue
• Loss of suppliers, customers, or partners
• Additional repair or recovery costs
• Prevented the use of resources or services
• Prevented employees from carrying out their day-to-day work
  What percentage of employees were prevented from carrying out their day-to-day work at some point in 2025?
  • Percentage
• Additional time required by employees to complete their day-to-day work
• Damage to the reputation of the business or organization or erosion of public trust
• Financial penalties or fines from Canadian regulators or authorities
• Financial penalties or fines from foreign regulators or authorities
• Discouraged business or organization from carrying out a future activity that was planned
• Minor incidents, impact was minimal to the business or organization
• Manipulation or theft of data or intellectual property
• Compromise of software or hardware
• Required to notify external parties of a breach
• Other
• OR
• Do not know

Impact of cyber security incidents - Question identifier42

As a result of cyber security incidents, approximately how many hours of downtime did your business or organization experience in 2025?

Include

• total downtime for mobile devices, desktops, and network;
• time periods during which there was either reduced activity or inactivity of employees or the business.

If precise figures are not available, provide your best estimate, rounded to the nearest hour.

• Hours
• OR
• Business or organization did not experience any downtime in 2025
• OR
• Do not know

Cyber security incidents reporting

Cyber security incidents reporting - Question identifier43

Did your business or organization report any cyber security incidents to a police service in 2025?

Include all levels of police service including federal(i.e.,Royal Canadian Mounted Police (RCMP)), provincial, territorial, municipal and Indigenous.

• Yes
  Which level of police service did your business or organization report to?
  Select all that apply.
  • Federal
  • Provincial
  • Territorial
  • Municipal
  • Indigenous
• No
• Do not know

Cyber security incidents reporting - Question identifier44

Which cyber security incidents did your business or organization report to a police service in 2025?

Select all that apply.

• Incidents to disrupt or deface the business or organization or web presence
• Incidents to steal personal or financial information
• Incidents to steal money or demand ransom payment
• Incidents to steal or manipulate intellectual property or business or organization data
• Incidents to access unauthorised or privileged areas
• Incidents to monitor and track business or organization activity
• Incidents with an unknown motive

Cyber security incidents reporting - Question identifier45

What were the reasons for reporting incidents to a police service in 2025?

Select all that apply.

• To reduce the damage caused by the incidents
• To lower the probability of other businesses or organizations being impacted by the same incidents
• To help catch the perpetrators
• To fulfill the requirements of customers, suppliers, partners, regulators, cyber security standards or cyber certification programs
• Other
  • Specify other reasons

Cyber security incidents reporting - Question identifier46

What were the reasons for not reporting some or all of the cyber security incidents to a police service in 2025?

Select all that apply.

• Incidents were resolved internally
• Incidents were resolved through an IT consultant or contractor
• To keep knowledge of the incidents internal
• To protect the reputation of the business or organization or stakeholders
• Did not want to spend more time or money on the issue
• Police service would not consider incidents important enough
• Police service was unsatisfactory in the past
• Unsure of where or how to report
• Reporting process is too complicated or unclear
• Did not think the perpetrator would be convicted or adequately punished
• Minor incidents, no value in reporting
• Lack of evidence
• Did not think of contacting a police service
• Incidents were reported to another government department, agency, centre, or regulator
• No requirement to report
• OR
• Business or organization reported all cyber security incidents to a police service in 2025

Cyber security incidents reporting - Question identifier47

Excluding police services, which other external party did your business or organization report the cyber security incidents to in 2025?

Select all that apply.

• Suppliers, customers, or partners
• IT consultant or contractor
• Cyber risk insurance provider
• Canadian department, agency, centre or regulator
  Which Canadian departments, agencies, centres or regulators did you report to?
  Select all that apply.
  • Office of the Privacy Commissioner
  • Canadian Radio-television and Telecommunications Commission
  • Competition Bureau
  • Innovation, Science and Economic Development Canada
  • Canadian Centre for Cyber Security (Cyber Centre)
  • Canadian Spam Reporting Centre
  • Canadian Anti-Fraud Centre (CAFC)
  • Canada Revenue Agency (CRA)
  • Canadian Security Intelligence Service (CSIS)
  • Other
• Foreign department, agency, centre or regulator
• Industry association
• Bank or other financial institution
• Software or service vendor
• Cyber security employees at other businesses or organizations
• OR
• Business or organization did not report any cyber security incidents to external parties in 2025

Cyber security incidents reporting - Question identifier48

What were the reasons for not reporting some or all the of the cyber security incidents to an external party in 2025?

Select all that apply.

• Incidents were reported to a police service only
• Incidents were resolved internally
• To keep knowledge of the incidents internal
• To protect the reputation of the business or organization or stakeholders
• Lack of evidence
• No obligation or benefit to reporting
• Minor incidents, no value in reporting
• Did not think of reporting the incidents to an external party
• Did not know where to report cyber security incidents
• OR
• Business or organization reported all cyber security incidents to external parties in 2025

Cyber security incidents reporting - Question identifier49

In responding to the cyber security incidents in 2025, which external parties did your business or organization contact for information or advice?

Select all that apply.

• Suppliers, customers, or partners
• IT consultant or contractor
• Cyber risk insurance provider
• Legal services
• Police services
  Which level of police service did your business or organization contact?
  Select all that apply.
  • Federal
  • Provincial
  • Territorial
  • Municipal
  • Indigenous
• Canadian department, agency, centre or regulator
  Which Canadian departments, agencies, centres or regulators did you contact?
  • Office of the Privacy Commissioner
  • Canadian Radio-television and Telecommunications Commission
  • Competition Bureau
  • Innovation, Science and Economic Development Canada
  • Canadian Centre for Cyber Security (Cyber Centre)
  • Canadian Spam Reporting Centre
  • Canadian Anti-Fraud Centre (CAFC)
  • Canada Revenue Agency (CRA)
  • Canadian Security Intelligence Service (CSIS)
  • Other
• Foreign department, agency, centre or regulator
• Industry association
• Bank or other financial institution
• Software or service vendor
• A cyber security information sharing community
• Other Internet community
• Friends, family, or acquaintances
• Computer repair shop
• Cyber security employees at other businesses or organizations
• OR
• Business or organization did not contact any external parties in 2025

Cyber security incidents reporting - Question identifier50
Did your business or organization report any attempted but unsuccessful cyber security attacks or intrusions to police services or other external parties in 2025?

Include all levels of police service including federal, provincial, territorial, municipal and Indigenous.

• Yes
  Which external parties did your business or organization report the attempted cyber security attacks or intrusions to?
  Select all that apply.
  • Police services
    Which level of police service did your business or organization report to?
    Select all that apply.
    • Federal
    • Provincial
    • Territorial
    • Municipal
    • Indigenous
  • Suppliers, customer or partners
  • IT consultant or contractor
  • Cyber risk insurance provider
  • Canadian department, agency, centre or regulator
    Which Canadian departments, agencies, centres or regulators did you report to?
    Select all that apply.
    • Office of the Privacy Commissioner
    • Canadian Radio-television and Telecommunications Commission
    • Competition Bureau
    • Innovation, Science and Economic Development Canada
    • Canadian Centre for Cyber Security (Cyber Centre)
    • Canadian Spam Reporting Centre
    • Canadian Anti-Fraud Centre (CAFC)
    • Canada Revenue Agency (CRA)
    • Canadian Security Intelligence Service (CSIS)
    • Other
  • Foreign department, agency, centre or regulator
  • Industry association
  • Banks or other financial institution
  • Software or service vendor
  • Cyber security employees at other businesses or organizations
  • Other
• No
• Do not know

Current cyber security trends

Current cyber security trends - Question identifier51

In 2025, what was the total value of ransom payments made by your business or organization?

• More than $0, but less than or equal to $10,000
• More than $10,000, but less than or equal to $50,000
• More than $50,000, but less than or equal to $100,000
• More than $100,000, but less than or equal to $250,000
• More than $250,000, but less than or equal to $500,000
• More than $500,000
• The business or organization did not make ransom payments in 2025
• Do not know

Current cyber security trends - Question identifier52

In 2025, what form of transaction did your business or organization use to make ransom payments?

Select all that apply.

• Cryptocurrency
• Gift card
• E-transfer
• Via a third party
• Cheque
• Credit or debit card
• Other
  • Please specify

Current cyber security trends - Question identifier53

In 2025, which external parties did your business or organization work with to address ransomware incidents?

Include all external parties your business or organization reported the ransomware incidents to.

Select all that apply.

• IT consultant or contractor
• Cyber risk insurance provider
• Police services
  Which level of police service did your business or organization work with?
  Select all that apply.
  • Federal
  • Provincial
  • Territorial
  • Municipal
  • Indigenous
• Canadian department, agency, centre or regulator
  Which Canadian department, agencies, centres or regulators did you work with?
  Select all that apply.
  • Office of the Privacy Commissioner
  • Canadian Radio-television and Telecommunications Commission
  • Competition Bureau
  • Innovation, Science and Economic Development Canada
  • Canadian Centre for Cyber Security (Cyber Centre)
  • Canadian Spam Reproting Centre
  • Canadian Anti-Fraud Centre (CAFC)
  • Canada Revenue Agency (CRA)
  • Canadian Security Intelligence Service (CSIS)
  • Other
• Foreign department, agency, centre or regulator
• Industry association
• Bank or other financial institution
• Software or service vendor
• Other external parties
• OR
• The business or organization did not work with external parties to resolve ransomware incidents in 2025
• OR
• Do not know

Current cyber security trends - Question identifier54

In the case of ransomware attacks, does your business or organization have a rule or policy to not pay the ransom?

• The business or organization has a rule or policy to not pay the ransom
• The business or organization does not have a rule or policy to not pay the ransom
• Do not know

Notification of intent to extract web data

Notification of intent to extract web data - Question identifier55

What is this business or organization's website address?

We may also visit this business or organization's website to search for additional publicly available information using automated methods, being careful not to impede the functionality of the website.

• Website address