In the amendments put into the private sector law, PIPEDA, by the Digital Privacy Act, there is a threshold that represents a real risk of significant harm. Part of that is a statement of principles, but if the information is encrypted and nobody can get access to it reasonably, that significantly lowers the risk of significant harm, so it might not even trigger the notification threshold. I think that there does need to be some flexibility. You don't want to be too prescriptive in that sort of thing.
Importantly, Parliament introduced new offences into the private sector legislation, through the Digital Privacy Act, related to not reporting those breaches. If you do not report one of those, you can in fact be convicted of an offence. I'm not sure that necessarily works in the public service per se. I think it's worth looking at. There should be an assumption that the government will follow the law if the law says you shall report it.
I would, in fact, be in favour of lowering the threshold for reporting to the Privacy Commissioner so that the Privacy Commissioner can provide knowledgeable, informed input on whether or not the breach actually represents a real risk of significant harm, and the commissioner should himself be able to notify the individuals at the institution's expense if the institution refuses to.