If you're looking seriously at this, I would recommend that you perhaps think about calling some witnesses or hearing from some people from California, which put in place its data breach notification law at least three years ago. They've had experience with it. I've heard some people say there is a problem with notification fatigue.
I think we need, and I personally want to see, some good unbiased studies. Unfortunately, there are very biased studies. Javelin Research, for example, has been hired to do polling and reports by industry who oppose security breach notification, and they're clearly biased reports.
To get a really neutral, unbiased report on the results, how successful that particular approach to data breach notification has been, very much depends on the thresholds you set for notification. Obviously, the higher the threshold, the fewer notifications will be required. There are different ways of doing it, as you have suggested in your report, and as John is saying now, which could involve a public registry, the Privacy Commissioner as a kind of filter, and a check on whether or not notification is required in that particular circumstance.