Thank you.
I concur with my colleague, Commissioner Denham.
We have order-making power in Ontario, and I'm telling you it would not be the same without it. But let me be clear—it is a last resort. The order-making power, which gives you the teeth, is the stick. We rely on it infrequently.
I'll give you the example of PHIPA, the Personal Health Information Protection Act, which applies to both public and private sector health organizations in Ontario, of which there are many. That was introduced in 2004. I've only issued 11 orders under that—so in something like eight years, 11 orders—because there is enormous incentive on the part of organizations to work collaboratively with us early on, and we always try to do that. We work very collaboratively. We strive to reach informal resolutions to investigations and problems, and we've had hundreds, thousands of them. It works very well. The carrot is a much better inducement when they know the stick is there.
On occasion we've had to issue an order and we do it not gladly but certainly willingly, if necessary. Often the order serves the purpose of an educative tool. It sends out a very clear message to everyone of what the standard of practice is now, and what our expectations are in this area. So order-making power is absolutely essential.
We have mandatory breach notification under PHIPA. That is also very important because that informs the population involved in the breach. It gives them the openness and transparency of knowing what is taking place.
We've also had, through the Regulatory Modernization Act in this province, a policy-led hook, if you will, in terms of looking closely at how you embed privacy-types of solutions into regulatory activities. So it's very important to have that cooperation.
I should also tell you, though, that my staff and all of us are out there regularly meeting with organizations. So not only is public education very important, but you have to meet with the organizations that fall under your jurisdiction so that they gain a better understanding of what your expectations are and how they embed privacy by design into their practices, into their technologies, and into their day-to-day activities.
They need to learn that from us, and we do this regularly. I think that allows us to minimize the number of orders we issue, but everyone knows the order-making power is there. It's a very powerful tool.