Yes, certainly.
As Mr. Guénette just mentioned, the Agency follows a well-established process for reporting all types of incidents. Following an incident, the Security and Internal Affairs Directorate conducts an investigation and sends us its findings. The question to be determined is whether there's been a security breach. If there has been we report the breach to the Privacy Commissioner. We also have a disciplinary framework at the Agency. Based on that framework, we verify how the breach was reported, and whether a disciplinary measure is applicable in such a case.
As for what we do to mitigate the impact of security breaches, I will come back to the example you gave concerning the CBC. When the incident occurred, what we did in terms of access to information and privacy measures was to verify the processes implemented by the Agency, and determine where surveillance or review could be enhanced with a view to preventing such a situation from recurring.
Another process was developed too. A private firm verified whether our processes were indeed adequate, and whether there were still shortcomings. Following that audit, the firm made a few recommendations. The measures it recommended were mainly about systems, system audits, and quality assurance. We have implemented those procedures, to prevent such situations from recurring.