The recommendation on audits was one that was made for proactivity. It was this notion that with great power comes great responsibility, so if you have authorities in cases where there may be an exception to consent for the use of information, there should be an ability to do what I think my predecessor referred to as “looking under the hood”, so having verifications. That's what the audit process allows.
There were concerns with the criteria for initiating an audit. I'm looking for the section in Bill C-27. My colleagues can point it out to me. At the time, under the existing legislation, it talked about having reasonable grounds to believe that the act had been violated, and there is recognition that that was too strict. The current proposal in Bill C-27 now talks about having been violated or being likely to be violated, as I recall, and I'll be able to correct that.... Proposed section 97 says:
The Commissioner may, on reasonable notice and at any reasonable time, audit the personal information management practices of an organization if the Commissioner has reasonable grounds to believe that the organization has contravened, is contravening or is likely to contravene Part 1.
So it has been improved in the proposal on Bill C-27. The test is not as reactive as it was before, because of this notion of “is likely to contravene”.