I mentioned briefly the kinds of breaches that we've seen in government. I'd like to highlight a couple that resulted in investigations. One was with the University of Victoria and involved an unencrypted hard drive containing employee personal information. The other was with our Ministry of Education and also involved an unencrypted hard drive. Although it was lost, it contained student data for over 300,000 students in B.C. These are serious circumstances where people may need to take action.
I'd like to add a further note on the need for thresholds in reporting. We have identified that the threshold in the public sector is when a breach could be reasonably expected to cause harm to an individual or if it involves a large number of individuals. We've set that for the notification of the commissioner, and when notifying individuals, we've recommended that the threshold be when it's expected to cause significant harm to the individual. Again, significant harm is contextual. We don't have experience with it yet. We've set the two thresholds to be slightly different in that a lower threshold for reporting to the commissioner would allow us to work with public bodies to make sure they have programs in place to prevent disclosure of this information to the unauthorized access user. It would also ensure that individuals are informed without unreasonable delay so that they may protect themselves.