Sorry, I agree that there should be two thresholds, but the second threshold should be an OPC reporting threshold. What I was trying to say was that, as my colleague mentioned, businesses have a clear understanding of what the two thresholds are for. One is for tracking the types of breaches that occur, and one is for ensuring that individuals are able to redress any potential harm that might come to them from the disclosure.
For us, the tracking must happen at the Privacy Commissioner level if we are to have a global and systemic understanding of the types of breaches that are happening, and if we are going to start addressing these breaches at a systemic level and start improving the technical safeguards in all our services, which is where we really need to go. That's the only way to solve breaches in general, so that's what I meant.