Is that decision completely internal? Is the risk assessment completely internal, or is there an external peer review process to say, “Yes, you're on the right track; these cases shouldn't be reported to the Privacy Commissioner”?
On April 8th, 2014. See this statement in context.