Thank you for the question.
First, we need to do an impact study on the software we use.
The way it should work—this is the theory—is that when the chief information officer's branch becomes aware of a new software product, they look at it from a security perspective—the first tension point—and then from a privacy perspective. If they believe that a privacy impact assessment is warranted, it would then come over to the corporate secretary's team to action.
The reason a privacy impact assessment might not be warranted is it is possible that, in some cases, the assessment would have been done by another government department. Shared Services Canada, for example, might do something on behalf of the whole government, so it's possible there is already one in place from a government-wide perspective.
With the testimony that I've seen in the last couple of weeks on some of these issues, we are going to check and make sure that people are indeed respecting the need to do a privacy impact assessment. Sometimes it takes longer than we would like, but the question of.... Do the security assessment and the impact assessment at the same time. That's the way the process should work.