Before setting up a program, they don't always have the reflex to check whether my office has been informed of it. There are improvements to be made in that regard. We're talking about departments that use this tool for a specific purpose: Some use it for internal investigations and others for investigations within their mandate.
The use isn't necessarily inappropriate per se, but that assessment has to be done. However, as we've seen, people sometimes say that they don't need to do that assessment because their legal mandate includes authorization to carry out those activities. My message to the departments is that it isn't enough. The privacy impact assessment is a separate topic that needs to be dealt with more proactively.