The other fixes? I'll just try to find them for you, because we have quite a few other ones. I'll just go down it, because this is a distillation of what is in a long paper that we published in 2006, and it's also a distillation of what some of the many expert witnesses say to you.
It says to look at clarifying in the Privacy Act government obligations regarding outsourcing and public-private partnerships, the delivery of service and programs, something that the Privacy Act doesn't speak to, outsourcing generally. And look at security arrangements. The Privacy Act per se does not obligate departments and agencies to make appropriate security arrangements. We say this is part of confidentiality and privacy. In PIPEDA we do talk about specific security arrangements. That would be another thing.
There are the questions some of the honourable members have been raising about the national security oversight framework. So what is the transparency, the accountability oversight over some of the national security agencies—the RCMP, CSIS, CSE, and so on. These were some of the recommendations we made to the O'Connor inquiry about oversight in the use of personal information in the RCMP, which have not been taken up for the moment.
I'm just going down the list to give you a flavour.
We believe that there may be other agencies and government bodies that should be subject to the Privacy Act. I was very happy that the Federal Accountability Act covered more agencies, but we think that there may be a few more that we could find if their activities were reviewed.
Access to people's personal information has come up in our dealings with the European Union. Actually, you have to be a Canadian citizen or present in Canada to avail yourself of your rights under the Privacy Act. This is a bit embarrassing when we're dealing with transborder data flow, API/PNR, agreements with the European Union. Now, we have—and I have been consulted on this—agreed that if European people, for example, flying into Canada had a complaint about the use of their API/PNR, CBSA would investigate, and then I would treat it as a complaint, although strictly speaking it doesn't fall within the Privacy Act.