I would add that we follow exactly the same process as our colleagues from CBSA do, including having a close relationship with our departmental security officer. They're usually reported in as security breaches.
The concern we would have is with the mandatory reporting of all privacy breaches. Now we actually assess the damage, and when there's material damage we will report it to the Privacy Commissioner and Treasury Board. We do that on a regular basis.
I can give you an example where it would be perhaps not deemed necessary to report a privacy breach, if you wish.