Thank you very much.
You know, I'm thinking back to the work that we conducted on the RCMP, and my hope is that, at the time, these departments may have been tuned in, knowing that they were actively engaged in similar activities. My disappointment is that it took them this long to kind of come clean. There are 13 departments. Certainly, there are many more federal departments, some that may or may not be declared. I won't impugn what the other departments are doing.
I do note that in the language of the directive on privacy impact assessment, in paragraph 3.3, it states that the Privacy Act requires “assessing the privacy implications of new or substantially modified programs and activities involving personal information”. I believe you just referenced this, sir. Then the next line says, “However, if not properly framed within an institution's broader risk management framework, conducting a PIA can be a resource-intensive exercise.”
How resource-intensive is it?