I can go ahead.
At CBSA, we have in place a robust privacy breach protocol, and it's aligned with Treasury Board standards. Any new requirements would be aligned with our breach protocol as well.
All employees are trained to use the breach protocol, and there is a direct linkage with the departmental security officer. As you all know, a privacy breach, for example, is first and foremost a security incident, so everything is reported to a centralized office, which is a departmental security office. If it involves personal information, then the privacy breach protocol is triggered. Any material privacy breach that involves personal information right now is reported to the Office of the Privacy Commissioner. That is a new requirement.
Any change in legislation obviously would require adjustment, but at CBSA we're not expecting that making breach reporting mandatory to the Privacy Commissioner will be problematic at all.