When we determine the activities that are to be reviewed and the priority of those activities, we're looking at risks to compliance and risk to privacy. For those that we go through, we receive the briefings from CSE, and where we identify activities, something like that may be part of those activities. We go down from there and determine what are the risks to privacy in that and what are the risks to compliance generally. We then determine what priority will be placed on that.
If there's a requirement to get into the kind of granular detail that you're talking about, we go to, as required, under the commissioner's authority, under-contract computer engineers, for example, to ensure that we're understanding what is going on. CSE, I have to say, is quite co-operative and transparent with the commissioner's office, as demonstrated in the metadata issue of last year.