Absolutely.
Actually PIAC and CIPPIC have been calling for data breach notification for a couple of years now. About two years ago, we put out a news release on this and sent it to all MPs, hoping that some action would be taken.
The Ontario government put a data breach notification requirement into its health privacy law. This is the only one that exists in Canada right now. It's an obvious measure that needs to be in place in the context of identity theft. I absolutely agree with you that it's something that can be done quite easily.
We will be coming out with this working paper. As the honourable member suggested, there are a number of details that you need to work out. What is the threshold, the trigger for the notifications? How should the notifications be made? When? Should the Privacy Commissioner be notified? Should the police force be notified, and so on?
I would recommend having further consultation on this. I think there is pretty widespread recognition that this is needed.