I would emphasize the importance of two levels of breach reporting, similar to what's been done with PIPEDA.
When the PIPEDA amendments come into effect, you're going to have a first level of breach reporting when breaches reach a certain threshold of harm, and that triggers an obligation to notify both the Privacy Commissioner and individuals who may be facing that potential for harm. That's one level, and it's a tremendously important one, because it's not just reporting the breach but also trying to mitigate harm and notify those individuals who may be affected.
The second level that's in PIPEDA, one which I think is quite interesting, is a requirement for organizations to document any breaches whether they reach that threshold or not, meaning things that are essentially breaches even though the information ultimately didn't end up in anyone's hands. I think that kind of record-keeping and reporting to the Privacy Commissioner doesn't necessarily have to be made open to the broader public—that decision would have to be made—but it could be just reporting to the Privacy Commissioner.
I think it's important because this goes to another thing, which is trying to identify those security practices that are weak and need to be improved within. If the Privacy Commissioner has access to this information, it gives a chance to see whether this is a common problem across government that should be addressed or whether it's a particular department that hasn't adequately trained its staff on certain privacy measures. It allows a more proactive approach to try to address security problems that become visible through this level of reporting.
I would encourage having those two levels so that it's not just harm that triggers notification, but that there's another level where any breach should be reported in order to try to diagnose problems and address them before they become more significant.