Information & Ethics committee  Well, in many cases, it's certainly not a course of action that we would recommend.

Information & Ethics committee  If you look at the act, it's the same for determining what form of consent to use. It's the same for determining how much access to give someone to personal information that you have on file. It's the same for determining what constitutes personal information in the first place.

Information & Ethics committee  I'm trying to understand your examples.

Information & Ethics committee  I think that in many cases there may well be an obligation.

Information & Ethics committee  The Privacy Commissioner is working through some of these schemes right now. As we mentioned, we're working with her office to develop a set of brief notification guidelines. But it's open to the commissioner to issue findings on a case-by-case basis as these things come up. I think we've recently seen that she initiated an investigation into T.J.

Information & Ethics committee  Yes.

Information & Ethics committee  Not immediately.

Information & Ethics committee  Actually, if I could add a gloss to that, I would say it's typically the decision of the organization at first instance, but it's ultimately a determination to be made by the Privacy Commissioner of Canada.

Information & Ethics committee  Yes, and I'm sure if he contacted his chamber, we could help him out.

Information & Ethics committee  Sorry, but if I could just jump in, I know Mr. Nelson too. I don't know the particular facts of your constituent, but I'm not sure he would necessarily have to get consent each and every time he ran a promotion. I think there are ways to do a more global sort of consent.

Information & Ethics committee  The banks are maybe in a slightly different position. Perhaps that's why they focused on fraud--because they're looking at people getting access to bank account information and then using that information.

Information & Ethics committee  Right. But again, that was a story about access to credit card information largely, that people's credit card information was exposed. So maybe that's the focus on fraud. I would say that, for the purposes of a lot of businesses, that may be too narrow a definition. Part of the problem with having a mandatory breach notification is determining in which circumstances that notification has to occur.

Information & Ethics committee  I guess the question is what was lost, how material was--

Information & Ethics committee  It's difficult to speak on behalf of all members. But I think when you have a breach where material information has been provided to third parties, including unknown third parties, and there is a risk that the information could be used for criminal purposes--for identity theft, for God knows what--then I think there should be a notification.

Information & Ethics committee  First of all, I'd confess that I'm not personally familiar with the breach notification tools that you have. There are certainly things that are being looked at within organizations.