I find that very impressive.
I studied privacy breaches in the previous Parliament when that was my beat. My concern is how often departments decided not to tell the Privacy Commissioner. Maybe 10% of the time they came forward, and they said that they didn't think it was big or that it was a problem.
People don't want to make it look like they really blew it. When you have hundreds of breaches, it doesn't look good for the department.
How do we know that all the breaches are being reported? That was the Privacy Commissioner's frustration before. It should be the Privacy Commissioner who decides whether or not the breach is significant, not the department.