I appreciate your comments very much.
Somebody is going to have to maintain a record of the breaches for the Office of the Privacy Commissioner of Canada in order for him to be able to verify them. However, if the commissioner does not have the necessary resources, I fail to see how he will be able to do that. In that case, these records may be of no use.
I will continue in this vein and ask you for your opinion. What would the solution be in that case?