As I told you, there could be a privacy impact assessment. Risks would be identified, along with how to reduce them. Organizations wishing to exchange data could be required to provide this assessment to the Office of the Privacy Commissioner of Canada, allowing oversight of projects where data is exchanged. These organizations could also be required to enter into contracts that include minimum requirements for the implementation of security measures.
If we notify the commissioner, assess the risks, provide contractual clauses and ensure that data is properly secured and de‑identified in certain situations, I think we could strike an acceptable balance.