I agree. I think there are probably multiple solutions here. One is improving the quality of the training and awareness available to officials. The second is improving the design of some of the systems. For example, why do so many screens, when officials access them, reveal in plain text everything about an individual? If they need to know whether somebody's in receipt of a particular benefit or over a certain age, why reveal the person's date of birth or the particular benefits they're receiving? You could just have a confirmation flag showing on the screen, which would prevent an amount of data from being leaked.
Ultimately I guess you need stronger sanctions, such that when these things happen, people are held to account. It sounds as though you have a situation in Canada that's similar to ours in the U.K. Very, very rarely does anyone personally or individually seem to be held to account.
Worse sometimes, in my opinion, is that we see organizations fined that are part of the public sector. Let's say a health trust has had a breach; they may have a fine of several million pounds imposed on them for the breach. That seems to me like a double punishment to the innocent, because that fine will directly impact the rest of us, the people relying on medical services from that trust. It also ultimately avoids the issue of finding out who was accountable for that breach. It's as if a mysterious faceless entity was responsible.
Also, at the senior level here, we rarely have the right accountability, at the senior board or executive team level, of somebody who owns it, so that you can say, “It stops with them. They are accountable for that.” Maybe if we had greater clarity that a particular named official would be held to account and we could move away in the U.K. from the culture of fining rather than looking to see who was responsible for ensuring all of those aspects we're talking about—making sure the culture of the organization is right and the systems are well designed—people would be held to account when things went wrong and would fix them.
Ultimately, if they haven't managed to fix all those things over an agreed period, then they should be held accountable.