Yes. I think training is an overlooked key to improving personal information protection. Because a lot of this comes out of the use of technology, I think we tend to use and look for new technology to solve the problem, and of course there's always someone who comes and tells us that if we just buy this technology, it will solve the problem.
But if we look at, for example, the self-reported breaches that come to my office from private sector organizations, some 40% of them have to do with just human error. This happens often in institutions where there's a big turnover of employees, and they don't have enough training, so they just forget. They're doing too many things at once.
To come back to your question, yes, if you trained civil servants better, I think you would reduce the risk to personal information.