I take your point. This is very sensitive stuff, and it absolutely is the case that notification has to happen. We firmly believe that.
We had two points. First of all, however you set the threshold, you have to set that threshold in a way that you are going to avoid two problems. You don't want to have every minuscule or potential breach resulting in issuing notices, because what will happen then is people will be inundated with things and they'll stop paying attention. They'll get inured to it and it will be just a regular routine kind of thing. That's the first thing you want to avoid. What you want to do is have a notice, where in consultation with the Privacy Commissioner, your own privacy experts, and with the police, people say you need to have a notice here.
The second thing you want to avoid is scaring people. There have been cases in the United States, at the state level, where there are these automatic breaches at a whiff of a problem. People get really upset. There was a veterans affairs issue there, where an automatic statutory breach notification went out and people got terribly upset. At it turned out, when people looked at it, there was really nothing going on there.
This is what you have to do when these things happen. There's an incident, but what is it? Is it a breach? How did it happen? Has personal information been accessed? These are just questions, but it's hard to determine. If accessed, is there evidence that they have been used or decoded? You have to get to the bottom of that first. Once you get to the bottom of that, everybody around this table would say oh, absolutely. Of course when you have these suspicions, you go right to the police and the Privacy Commissioner and you work with them.
The main point we're making is that we take notification really seriously. The evidence is that we in fact notify. Our point is that the current voluntary system is working well, as is the evidence, I think. It gives you flexibility. Then you can work with the commissioner on the facts of the case rather than having it hard-wired and at the whiff of something you get something kicking in. It's flexible. It works.
Let me just conclude this part of my comments by saying we agree with what you're saying. We very much agree. What we want to avoid is an inappropriate notification system. We want to signal our sense that the evidence out there suggests it is working well.