No. There's a protocol from Treasury Board that gives departments guidance on which cases should be reported to the Privacy Commissioner. It covers a fairly detailed risk assessment. Departments are asked to look at the sensitivity of the information that was disclosed. Is it, for example, financial or medical information? Departments are asked to make an assessment of the risk of identity theft or fraud as a result of the loss. Departments are asked to assess the potential to cause harm to the individual, for example, to the individual's reputation, their career—
On April 8th, 2014.