I think there may be a little bit of confusion, because we have PIPEDA, the private sector legislation, which has been in force and was just subject to its five-year review. When it was passed, PIPEDA didn't have a breach notification requirement explicitly stated in it, but among the recommendations put towards this committee was that a balanced regime of breach notification be implemented and be amended into PIPEDA.
There is currently an Industry Canada consultation going on to determine the exact parameters of that and exactly how a balanced approach would be implemented in PIPEDA.
The Privacy Act passed in 1982 does not have any sort of breach notification. The Treasury Board, obviously to their credit, has implemented policies, procedures, and guidelines to deal with security of information, including breaches related to that information.
The Canadian Bar Association is advocating on both sides—within PIPEDA, the private sector legislation, and in the Privacy Act, the public sector legislation—that there be breach notification guidelines. We have not taken a specific position on the specifics of them in terms of what information would have to be disclosed in order for the individual to be notified, because it is a matter of balance. You don't want people to be bombarded by notifications about trivial breaches, but you do want to make sure that individuals whose information is compromised in a way that could actually have a significant impact on them are notified. So we're advocating in both pieces of legislation that there should be balanced notification.