This particular recommendation came to light because it has happened in my office that an institution came to us and said, “We will no longer be able to respond to access to information requests for the coming several months because we have had a massive technology incident.” We were grateful to have this information, because we were aware of what was going on. If we had complaints come in, we knew what had happened in the institution. It wasn't something the institution had control over. It was a security breach, and they had to shut down their computers, in simple terms.
That led us to realize that in some instances institutions have unauthorized destruction of records or data, and there's no obligation to report that to anyone. If there is a privacy breach, it is reported to the Privacy Commissioner, but if there is a non-authorized loss of data, there's no obligation anywhere to report it. That struck us as a gap in this day and age, with all of our information essentially stored in the digital world.