There is a regime now adopted in PIPEDA that could probably work very effectively in the Privacy Act as well. It focuses on notifying individuals where there is a risk of harm, and harm is defined in a way that entails there are mitigation efforts the individual could take, so they should be notified in a timely manner so they can take those measures.
It also entails record keeping at the institutional level of even less harmful breaches so that we have a better picture of what's happening in security breaches, which again is going to be important moving forward so entities like the Privacy Commissioner and whatever entities become responsible for cybersecurity can look and get a clearer picture of what's happening. If there's no record keeping, if every agency is just dealing with these on their own, you don't have that holistic picture, and we're not able to keep these standards going forward.
Again, we'll try to address that more comprehensively in our written brief. Our thinking right now is that mechanism in PIPEDA roughly works in the Privacy Act context as well, but we're still trying to see if there are any specific peculiarities in the public sector context that should be addressed, if that helps.