Actually, that is another of those curious circumstances. There is a Treasury Board directive on security and the protection of personal information. But in my experience and that of my predecessors, a Treasury Board directive does not seem to get the attention it requires from the department, certainly much less so than if it were in an act. I do not wish to imply that there are no security safeguards. The government is presently developing a cyber security policy, and that is very important. I am very pleased that they are moving forward, but we are talking about day-to-day administrators of the act. I think that Parliament sends a much stronger message if it puts some minimum requirements into legislation, if it enshrines in legislation the basics of what needs to be done. We feel that these 12 recommendations make up those basics.
Subsequent interpretation and details can then be put into Treasury Board policies. However, since there has been no reform for a very long time, the basics are now to be found in the directives. A directive is just a directive, and the consequences are much less weighty than those in an act.