There are a number of things that we'd want to see.
I talked about breach reporting. We need to see this as a legal obligation in the Privacy Act.
We need to see order-making powers for my office. This is something I don't have at the moment, and that adds potential delays. If you have a department that agrees with the recommendations, that works, but if it doesn't, then we need to go to court, and that adds delays and costs.
I want to see privacy impact assessments made mandatory and not just Treasury Board policy, because privacy impact assessments are also part of the solution to this. It's early risk assessment of new programs and new tools, so this is important.
We want to see necessity and proportionality as requirements under the Privacy Act. They're not currently, but they're requirements for the private sector. There should be similar standards of protection for the public sector and private sector.
As well, there should be collaboration between different offices. One of the challenges currently in Canadian privacy law is that I cannot do a joint investigation with my colleague, the competition commissioner of Canada, but I can do that with the U.S. FTC. That's a gap. We need more of that collaboration, including to deal with breaches.