On recommendation 3, it's to enshrine in law the PIAs, the privacy impact assessments. I'm assuming your department uses this tool already. You indicated in your opening statement that there's a difference between policy and legislation. I'm asking for clarification. Is this the kind of area you're talking about? Do you think policy can work to make these things happen and it does not require legislation to make these things a mandatory management tool, or was it another area that you were referring to? I only want clarification.
On May 27th, 2008. See this statement in context.