If I understand the question on the data breach provisions correctly, with regard to whether it's the private sector making the risk assessment versus the data breaches going specifically to the commissioner and having the commissioner review all the data breaches, in the approach that has been put forward in Bill S-4, the outcomes end up being the same.
When an individual company does an assessment of the risk of the data breach and whether there's going to be harm to the individual, they go through the procedure for figuring out whether they have the risk. Once they've identified that there's going to be a risk of harm, they identify both the individual and the Privacy Commissioner. At the same time, when they've done that assessment and they've reviewed the data breach, if they've found that there is no risk of harm, they're required to maintain a record on those and the commissioner can ask for those records at any time. They could ask the individual company to report all of those records to them at any time. So the commissioner has access to the same types of information and can review all those at any time.
The end result is the same. The commissioner has access to any and all data breach records at any time he wants, whether there's a real risk of significant harm or otherwise.