Mr. Chairman, the decision as to whether the breach is material is made by pooling the information and resources from all those groups, not only from the Privacy Commissioner and the company, but also from forensic accountants, if it's appropriate, and our financial regulator, whom we would inform at the same time as we would the Privacy Commissioner.
One of the concerns in this area is that if something very specific is put in the legislation that ties your hands in all circumstances to having to follow the same procedure, you may end up doing what is right now in the circumstances, but have to follow that specific set of rules.
I think those rules are followed; that due diligence, if you like, is done in determining whether a notification is made. But it's in conjunction, by everybody pooling their efforts.