Obviously, the Canada Revenue Agency takes into account the sensitivity of the information that's disclosed in assessing the severity of the breach. We have medical information, financial information, and personal identifiers like social insurance numbers. Those kinds of things would very obviously trigger the reporting of a breach, anything that could lead to the risk of identity theft or fraud.
However, to your point, and to speak a bit to what Madame McCulloch was alluding to, there are different types of breaches. One type of breach we see a lot in the CRA has to do with misdirected mail. The volume can appear to be high from an absolute number perspective, although I would flag that from a percentage point of view, given the 110 million pieces of mail that we move in a year, it is less than 0.001%. However, a piece of correspondence that went to the wrong address, wasn't opened, and was sent back to us, we log as a security breach internally. This isn't something that would warrant flagging to the Privacy Commissioner.
A security breach that has to do with an employee willfully accessing taxpayer information outside his normal duties is treated very differently. If I'm not mistaken, the 20 or 21 cases that were flagged with the Privacy Commissioner all had to do with wrongful access to taxpayer information by employees. There's quite a range, and different departments' business would very obviously be quite different. There is a certain amount of flexibility, which is built into the current framework, that's useful.