Certainly you find in countries around the world that many of the standards of privacy legislation are derived from the same basic principles, many of them from the early 1980s with the OECD. The notion of the destruction of documents, that you're going to flush certain personal information at some point in time, is part of those standards.
The broader question you've asked is how you develop the kind of privacy culture within the federal government that provides at least a greater level of assurance that people's privacy is adequately protected. I note that I think our private sector companies face precisely some of the same kinds of challenges, with larger companies having data housed in subsidiaries and in different parts of the company. There is the front person, who is speaking to you on the phone. Are they going to respect the privacy appropriately, and are other people who have access to different pieces of information?
It starts in a number of ways. One is to prioritize, and make clear that privacy culture is something that matters, and that there is an expectation that no matter where you come from within that broader bureaucracy, whether you're the person providing call centre assistance or someone who is making larger decisions, those privacy obligations will be respected.
But how do you begin to even imbue that? It starts with the legislation. If the legislation itself is seen as somehow substandard, and it doesn't even come up to the same level that, as I mentioned, our private sector companies are facing, I would argue that sends a message in itself. It sends a message that somehow we're comfortable with decades-old out-of-date legislation, and perhaps those privacy interests simply aren't that important.