You understand that, in the 1982 act, there is no security standard at all. What we put in the other pieces of legislation in the public sector across Canada is a reasonableness standard: as PIPEDA asks, what would a reasonable person expect to have happen?
Well, no wonder security breaches are happening and then the requirements for breach notification, which should be in the law as well. People don't take it seriously enough, and they're sloppy. It's very difficult to do good security because it's routine work. As much as possible, we have to have machines doing it, and we build in the kinds of sophisticated security regimes that we have here.
I actually think that the federal government, being the federal government, probably has quite sophisticated security practices, and the RCMP has threat risk assessments and all this stuff. That's an integral part of privacy protection. That part is probably not as big and bad as some of the other areas, the lack of consent and things like that.