The privacy impact assessment is Treasury Board policy, so we respect the policy. If it's a large project, if it involves privacy-protected information, or if there are potential privacy risks, there's basically a two-step process. The first is to create a PPIA, a preliminary privacy impact assessment. It's a tool that allows us to figure out whether we really need to do a privacy impact assessment.
If we determine that one is required, the policy sets out a process. We look at it and map out all the changes—what the potential impacts are going to be. We work with legal services, and we go to senior management. We have to present a reasonable case that we are properly mitigating privacy risks.
Once we've done our homework, we take it to the Privacy Commissioner. This is where I think the relationship is good. Her staff, her office, will make recommendations and engage us. In the past, that meant some changes to what was proposed for the advance passenger information or PNR records.