I think the cost to our office is minimal, but we could certainly cost out if, as we suggest, corporations had to notify us. Certainly, we have to have some type of notification reception mechanism, and that could be an additional cost, but I'd think it would be minimal in the budget of the Privacy Commissioner.
To come back to your--I'd say appropriate--concern with the cost for small businesses, we have been working with the Canadian Federation of Independent Business. We are rolling out special modules for small businesses. We are testing these modules with members of small business because we are very conscious of not trying to impose additional regulatory burdens on small organizations.
In our experience too, the challenge in applying this law is not with small businesses, because they are anchored in the community. As we become more privacy conscious, if your local business messes up with your personal information, I think there will be community pressure. They'll do it once and they'll learn spontaneously. Each community business doesn't have the amount of personal information that huge multinationals do.
My concern as Privacy Commissioner is not the possible danger from small businesses that are doing their best--and we're trying to help them and we're in constant contact with their associations--but the huge amount of data that is pooled in large organizations where one spill can affect possibly millions.