The Privacy Commissioner has 10 recommendations, which she calls quick fixes. Her organization would like to see a full review. It would probably take six or seven months to go through and make changes, updating the Privacy Act. She might be right—it hasn't been updated in 25 years or so.
The Privacy Commissioner mentioned that she'd like to enshrine in law that deputy heads do privacy impact assessments. I know you're not at that level, but as an organization, do you do them now? What do you do with them, and where do they go once you perform them? I need to know whether this actually happens now. Is it a Treasury Board recommendation? What actually happens?