When you're doing the privacy risk management strategy, the first thing you have to have is a law.
When they first introduced the freedom of information law in Ontario, my comment to the media around 1983 or 1984 was that I thought any law was better than no law until I saw this law. It was pathetic, so it was never introduced. Ian Scott, as Attorney General, actually took the initiative and went into his own law office, when he became Attorney General, and drafted the bloody thing. It's the model we use now in Alberta and British Columbia. It just shows what leadership can do. So if you don't have a good law, you have a problem.
Schedule 1 to PIPEDA, which is the Canadian Standards Association model privacy code, is where you find the ten privacy commandments. They were a product of the public sector and the private sector in the mid-1990s. Smart characters like me said, “This is a wonderful code. Why don't we give it the force of law?” They gave it the force of law in PIPEDA. It was like putting the ten commandments into law in one way or another.
If you don't have a good law, you have a problem, but then you need a privacy policy. Then you need chief privacy officers, a privacy team, meaningful confidentiality agreements, frequently asked questions on websites for the general public, and privacy impact assessments to make the system work.
I'm not sure I've totally answered you. I started a filibuster already, and it's only the first question.