With all due respect, I'm not sure that's indeed the case, and I say that from the basis of my consulting work. In my paper, which I'll be sharing with the committee shortly, once it's translated, I use Health Canada, as I explained earlier, as a pretty good model, and I think I had something to do with stimulating them to put privacy risk management strategies in place.
I don't really know enough. Certainly one of the recommendations of the Privacy Commissioner in her audit of the Canada Border Services Agency two or three years ago was that they should do the same sort of thing, because they're into the same privacy risk management strategy as I am, but it's still a work in progress.
So I appreciate that you think the glass is half full when I think the glass if half empty, and there's obviously a bit of a difference of opinion, but I don't have a comfort zone, nor have I done the empirical work to really give you as many illustrations as you might like, to be comforted that in fact the rules and regulations in the Privacy Act are being complied with the way they should be to meet the challenges of the 21st century.