I think there are certain models. Increasingly, privacy impact assessments are included within statutory provisions. They're included, for example, in the new general data protection regulation of the European Union. It's something that all European countries—their organizations there—have to do under most circumstances. It's good organizational practice, but unless it's formalized in law, experience is going to vary and quality is going to vary, and that, I believe, has been the experience of the Privacy Commissioner.
Under Treasury Board guidance, some agencies take that responsibility seriously, others less so. That's why I support his suggestion that you craft some language into the Privacy Act that mandates organizations to do PIAs and consult with the Privacy Commissioner when there are real, substantial risks to privacy.