I think that one of the themes of my writing and thinking on this topic is that the location of the data is one factor, but it's not the overwhelming sine qua non of what the issue is. There are other factors that go into it. The Treasury Board policy related to this topic is in fact a really good and really rational approach to it, which is, if any government department is going to make any decision about the location of data in connection with outsourcing, or anything else like that, location is going to be a factor, but there are other things as well. Who is going to be the service provider? Who are they beholden to? What national ties do they have?
We're starting to see a more nuanced evolution of this as a question, which is in contrast to the situation in Nova Scotia and British Columbia where they have a statute that says thou shalt not allow the personal information outside of the country. You can still hire an American service provider to manage it for you on your own territory, and they—at least according to the U.S. Department of Justice—are as subject to the Patriot Act when they stand in Canada as they are in the United States. Just saying it needs to be here doesn't alleviate all those concerns. We need a nuanced risk analysis understanding.
There's been mention a number of times of privacy impact assessments. I think those are a really great tool that give you the opportunity to look at whatever is going on from a number of different perspectives, a number of different privacy risks, to force you to think about how to mitigate this and if the risk is acceptable depending on the sensitivity of the information, and then to have those reviewed by the commissioner and have those made public so there's transparency into these sorts of decision-making functions.