Thank you very much.
I will say that prior to ATIPPA, 2015, our office could only undertake a privacy investigation if we received a complaint. Under the new act we can undertake own-motion investigations.
In fact, in terms of the public bodies reporting, it's a work-in-progress. As I said, the legislation is very new. One of the things the former government did, however, was initiate a couple of early actions. The legislation wasn't proclaimed in force until the first of June, but I think by the middle of March there had been some early actions taken, such as getting rid of the fees and mandatory reporting of all privacy breaches through the commissioner's office.
We thought that we would be inundated, because there are a lot of privacy breaches, many of them internal, many of them minor. For example, inside a large public body you could have faxes that are going to the wrong fax machine, but it's still within that same organization.
We set up a protocol, we have a reporting document, and we've had hundreds of public bodies report privacy breaches to us since March past. One of the tools we have in our tool box now that didn't exist before is our ability to conduct audits into access and privacy with the public bodies. We're just starting that process—we're involved in our first audit now—but during subsequent audits we'll be able to look at those kinds of issues.
We have no tool that is a blunt instrument at this point in time, but we have to develop ways to ensure, beyond just trying to encourage public bodies, that it's not bad to report a privacy breach to the privacy commissioner, because what we will hopefully do at the end of the day is make recommendations to that public body that can be used by others and will help make their system more solid, and the risk of breaches will be minimized, if not eliminated.