Thank you for the question.
The overcollection I was referring to was, I think, a likely outcome of proposed section 10.3 in the bill that requires organizations to “keep and maintain a record of every breach of security safeguards involving personal information under its control”. Personal information is a very broadly defined term. It's really any information about an identifiable individual and there can be frequent small breaches, technical breaches happening every day. I will give a couple of examples. Let's say a misprinted address label goes out in the mail that includes in the address window the party's age. That's a breach, a piece of personal information tied to an identifiable individual. Let's say you're in a store and the clerk leaves somebody's order printed out on the counter while he turns to get the phone and it's visible to other consumers and all that may have been disclosed was somebody's shoe size. That's a breach. A record would have to kept for each of them under this law and retained indefinitely until the OPC requested it.
I think that's our concern, that there's no threshold here of materiality and I think because of the concern that this provision is tied to an offence provision, there will be overcollection. Businesses will err on the side of caution and will record everything in all the stores and all the call centres everywhere across the country.