Currently there is already a mandatory policy requirement for institutions to report privacy breaches to our office as well as to the Treasury Board Secretariat when there is a material privacy breach that is identified in an institution. Putting it into law would probably just expand a little bit on what's already in existence. Whether or not institutions are following their policy requirements fully, that's.... We don't know what we don't know.
On November 1st, 2016. See this statement in context.