The foundation should pretty well remain stable. I'm saying five years seems to be cautious and too often. I don't know what the formula should be: 10 years, 15 years, and let it work out. I don't see the urgency to do it every five years.
When we're talking about privacy, particularly within the Privacy Act itself, we've got to remind ourselves that privacy is a large mosaic, and the act is only looking at a very finite portion, which is information in records under the control of the federal government. That's it. It doesn't look at any personal, private, confidential information that's passed orally. It doesn't look at information covered by the health care professions, banking, or police forces. I could go on and on. Most of these all have something to do with the protection of, and disclosure of, personal information.
The part that doesn't really work within the federal government at the moment in its administration of the Privacy Act is the disclosure element of it, and what is referred to by the Privacy Commissioner as "consistent use".
I see abuses of that in my own practice. Once the government has this information, there is a tendency to use it and to disclose it for use by federal institutions, consistent with the consent that the person whose personal information has been provided has given to use it for different purposes. That's where problems arise. I see it particularly in some departments that have access to the health care information of individuals. They want to use that, and they do use it, for instance, in the settlement of a workplace grievance. I would question that, and I am questioning it, but at the moment, the Privacy Act allows a department to make that decision—to say they can use this information provided to them about a person's health care for other purposes.