In speaking of accountability, which is one of the features of the Canadian law that has become very popular internationally because it well encapsulates the obligations of companies to privacy law, I think ideally—and this is why I would urge the committee and the honourable members to think of embarking on the second review of PIPEDA that is already overdue—that it would be very helpful to have in the law that the Office of the Privacy Commissioner could request companies to show, to demonstrate, how they are accountable. We have an entire document on that, honourable member, that we could send to you.
It basically means being able to demonstrate that you have done all the things to make sure that you are privacy compliant: that you have a chief privacy officer, that your staff has been trained, that they know what to do, that you don't retain data longer than necessary, that you've invested in securing personal information, that you have the right procedures so that when people come under the law asking to see their personal information, you know how to handle that, and so on. Accountability goes to the range of your obligations under the law.
Presently when we go in for an audit or go in because of a complaint, we look at how the companies have been accountable, but we don't have a specific proviso that says they must show us how they are accountable.