I want to follow up on some comments from the original opening statements.
We have this threshold of real risk of significant harm and, Mr. Smith, you referred to that: an organization determines that there's a breach that poses a real risk of significant harm, and they have to report it to their clients, the people who are affected by it, but you would suggest that they need not notify the Privacy Commissioner. You don't think they should have to notify the Privacy Commissioner.
Why, if it is a breach that is significant enough to pose a real risk of significant harm, significant enough that they would take the step of notifying their own clients, people who are affected by it, would they not have to notify the Privacy Commissioner?