Information & Ethics committee  It really is something that needs to be looked at in the context of the privacy legislation, because that is the place where the right of access is provided, with a list of exemptions. In our brief we were pointing to the Quebec example, where they have looked at that situation a

Information & Ethics committee  Yes, and to look at the Quebec rule in determining that and to try to bring this in parallel with the rules there.

Information & Ethics committee  Actually, in the circumstances I am aware of, there has been notification. Should it be made mandatory? I think whether or not something like that should be made mandatory is a question that should be looked at down the road. I'll give you one of the reasons.

Information & Ethics committee  And the reason for that is that all sorts of rules about notifications are being developed by various parties, such as the Privacy Commissioner. We've heard from the chairman of two other instances where I believe Ontario and one of the other provinces--

Information & Ethics committee  --have come up with these guidelines. So let's see, in the coming period, what the consensus is as to what those rules should be and then let's see.

Information & Ethics committee  Mr. Chairman, the decision as to whether the breach is material is made by pooling the information and resources from all those groups, not only from the Privacy Commissioner and the company, but also from forensic accountants, if it's appropriate, and our financial regulator, wh

Information & Ethics committee  Yes.

Information & Ethics committee  There is all kinds of pressure on the company to listen to what the financial regulator says, to what the Privacy Commissioner says, and for reputational reasons, etc. But ultimately, under the current rules, it would be the decision of the company.

Information & Ethics committee  But I just want to add that in the normal course, whenever I've heard of any instances in this regard, the first step that our companies take is to talk to the Privacy Commissioner and our regulator.

Information & Ethics committee  Under the current rules, that would be my understanding of it.

Information & Ethics committee  Thank you, Mr. Chair. I might be duplicating some of what my friends with the chamber said, but we believe it has to a risk-based approach. You have to look at whether you're dealing with an incident that has some materiality attached to it. I think you have to have some reason

Information & Ethics committee  Thank you. In fact, if you look at our submission, a number of the changes we recommend are aimed at bringing PIPEDA in line with what has been put in place, if you like, in the third generation privacy legislation that is in place in B.C. and Alberta. As I indicated earlier, Q

Information & Ethics committee  Actually, I am going to turn to my colleague Dale to talk about that point.

Information & Ethics committee  Thank you, Chairman. With respect to breach notification, our position is that there should be a risk-based approach to when notification should be made. In that regard, one looks at the circumstances of the particular breach to determine whether a breach has in fact occurred an

Information & Ethics committee  Thank you, Mr. Chairman and members of the committee. I would like to thank the committee very much for giving us this opportunity to contribute to your review of the Personal Information Protection and Electronic Documents Act. My name is, as indicated, Frank Zinatelli, and