As the OPC noted, any organization that
holds large amounts of PI must have safeguards appropriate to the sensitivity and
amount of information collected, supported by an adequate
information security governance framework that is often reviewed and updated, to ensure practices appropriate to the risks are consistently understood and effectively implemented.