I was working with a client in British Columbia last year, a crown corporation with a lot of sensitive personal information. It did an assessment of the risks involved in its public sector and private sector relationships. It was a very sophisticated management review of what the privacy risks were, and it even involved a rating scheme of one to ten. I was really skeptical about this, but it was quite well managed, and they ended up with the top ten privacy risks to this crown corporation. They were able to do it based on a whole bunch of people inside the organization pulling together.
I don't think that's being done in the federal government, but I don't really know. It should be. And the reason I talk about privacy risk management is that senior executives are having to deal with risk management all the time. I want the financial risk management, labour relations risk management, and even resources risk management to put on their risk management hats when they think about privacy. And there the risks are that data goes missing, that data is used for unintended purposes that it's not supposed to be used for, that it's used to harm individuals, or it's stolen, or it's used to invade their privacy by people who are browsing databases, or it's sold to criminal elements.