We have a concern where the breach might be of a minor nature but it would still be subject to very serious penalties, as was being referred to earlier. Including those as part of the requirement for record-keeping would be inappropriate.
I mean, think of an example where you step away from your computer, and a colleague from another department who doesn't have access might come to visit and see something on your screen for a second. They see some piece of personal information. Technically that could be a breach. It would be subject to putting it on the list and, if you don't do it, it could be subject to the penalties.
I think there are examples like that, very minor in nature, where we could clarify that those kinds of things are not covered. That can be done, as we suggested earlier, by regulations, by guidelines, or some other means.
I like the risk-based approach so that if we're talking about a real risk of significant harm, then those should definitely go on the list. What should go beyond that on the list is something I think should be discussed and clarified in a guideline or in regulations.