Well, “obliged” means departments should do it, but one of the things we've been concerned about is that there's no clear sanction if they don't do it. There are a number of policies. Senior officials will say there are so many policies in the government that it's hard to comply with them all, but we are increasingly concerned about policies that are honoured in the breach. We can talk about the privacy impact assessment policy, PIA. We continuously find that programs that have significant consequences for personal information protection go ahead without a privacy impact assessment. That was the case of the recent do-not-call list put on by the CRTC. That's an obvious one to do a privacy impact assessment on, but it's being done now, after the program has been in force for about a year.
One of the audits that my office did was to see how departments comply with the policy of having to do an annual privacy report. The answer is that they do a kind of so-so job, because it's not seen as something that is essential enough. So I think the distinction between policy and law is an important one, and certainly laws get the attention of a large and busy bureaucracy better than policies.