Well, it continues to increase; every year we receive more reports under PIPA. We have managed so far. I will say I have some concerns. There is some expectation that we'll be seeing mandatory breach reporting in the health sector in Alberta sometime in the fairly near future. That will probably tax the resources of my office.
I will perhaps just say a bit about the structure of breach reporting notification requirements in Alberta, because they are fairly unique— certainly in Canada. While there are some similarities to what's proposed for PIPEDA through the Digital Privacy Act, they're not exactly the same.
In Alberta, the threshold for reporting a matter to my office is where there is a real risk of significant harm. This is the same threshold as for PIPEDA. However, the framework in Alberta gives me the ability to require an organization to notify affected individuals. The act in Alberta does not require the private sector organization immediately to notify. It instead requires them to tell me. If there is a real risk of significant harm, if a reasonable person would think that threshold had been met, then it's an offence for an organization not to report it to me.
When those reports come in, out of the 750 reports that we've received in almost six years, I have an active role in reviewing them. I review the assessment of harm and the likelihood that harm will result from the incident, and I issue a decision for each one.