Data Protection Commissioner

         Customer Service Action Plan 2010 - 2011

Mission Statement                                                                                     2

High-Level Goals.                                                                                     2

Introduction.                                                                                             3

The Responsibilities of the Office of the Data Protection Commissioner      3

International  Functions.                                                                            4

Article 29 Working Party.                                                                         4

European Databases and Data Protection Supervision.                              4

The Services Provided by the Office.                                                        6

How We Developed our Service Standards.                                             7

Implementation of Quality Customer Service Action Plan.                          9

Quality Service Standards.                                                                    9

Equality/Diversity/Disability.                                                                  10

Physical Access.                                                                                   12

Information.                                                                                          13

Timeliness and Courtesy.                                                                       15

Customer Service Complaints.                                                               17

Registration.                                                                                          18

Official Languages Equality.                                                                   19

Better Co-ordination.                                                                            20

Internal Customer                                                                                  21


Mission Statement

Our Mission is to protect the individual's right to privacy by enabling people to know, and to exercise control over how their personal information is used, in accordance with the Data Protection Acts, 1988 and 2003.

High-Level Goals

1.      To maximise people's ability to exercise their data protection rights.

2.      To maximise levels of awareness and compliance with data protection obligations among those keeping personal information.

3.      To provide timely, practical and easily understood advice to people and organisations to fully protect Data Protection rights.


 


Introduction

The right to know what personal data is held about us, and to ensure that these data are used in accordance with the law, is a key human right for all of us.  The Data Protection Commissioner is responsible for upholding the rights of individuals as set out in legislation, and for enforcing the corresponding obligations upon data controllers, i.e. people or organisations holding information about individuals.   The Office of the Commissioner, therefore, provides services to an extensive range of customers, including private citizens (as data subjects) and state agencies and corporate bodies (as data controllers).  Our international mutual assistance obligations mean that Data Protection Authorities in other jurisdictions, as well as the EU Commission for instance, are also our customers.  In addition to serving customers' needs, the Commissioner also has a statutory duty to raise awareness of data protection, having regard to the interests of data subjects and the obligations placed on data controllers.

The Office is committed to delivering quality customer services in achieving its mission and high-level goals.  This commitment is reflected in successive Strategy Statements and has informed the business planning process.  Our annual reports provide updates on progress in the implementation of the objectives set out in the business plans.  Our Customer Charter contains a more detailed statement of service standards. To support the implementation of the Charter, we have developed this Customer Service Action Plan, 2010 - 2011, which sets out the specific actions which we will take in delivering, evaluating and reporting on our service standards.

The Responsibilities of the Office of the Data Protection Commissioner

The Data Protection Acts 1988 and 2003, which established the Office of the Data Protection Commissioner, provide for the general principle that individuals should be in a position to control how personal data relating to them is used. "Data controllers" (i.e. people or organisations holding information about individuals on computer or in certain paper files) must comply with the requirements of the Acts in order to use personal data, and individuals have corresponding rights.

The Data Protection Commissioner is responsible for upholding the rights of individuals as set out in the Acts, and ensuring that data controllers comply with their obligations.  Individuals who feel their rights are being infringed can complain to the Commissioner, who will investigate the matter and take whatever steps may be necessary to resolve it.

The Commissioner also maintains a register, available for public inspection, giving general details about the data-handling practices of many important data controllers, such as Government Departments and financial institutions.

International  Functions

In addition to the primary responsibilities outlined above, the Data Protection Commissioner also exercises functions arising from Ireland's commitments at European and international level.

Article 29 Working Party

The Commissioner is a member of the Working Party on data protection established under Article 29 of EU Data Protection Directive 95/46/EC. This Working Party brings together the Data Protection Commissioners of the EU, the European Data Protection Supervisor and the European Commission. It discusses matters of common interest, and agrees common positions on the application of the Directive.

European Databases and Data Protection Supervision

The Commissioner is designated under the Europol Act, 1997 as the "national supervisory body" for Ireland for the purposes of the Europol Decision. This function involves monitoring the activities of An Garda Síochána in liaising with Europol Headquarters in The Hague, The Netherlands. The Commissioner is a member of the Europol Joint Supervisory Body, which monitors Europol's operations to ensure that people's privacy rights are respected.

The Commissioner is designated under the Customs and Excise (Mutual Assistance) Act, 2001 as the "national supervisory body" for Ireland for the purpose of the Customs Information System Convention and is a member of the Customs Information System Joint Supervisory Authority. The Commissioner is also the designated representative to the Joint Supervisory Body for Eurojust (co-operation by judicial and prosecution authorities) and an observer on the Schengen Joint Supervisory Authority pending Ireland's implementation of the Schengen Information System.  The Commissioner also participates in the coordinated supervision of Eurodac, the information system for the comparison of fingerprints of asylum applicants and illegal immigrants.

All of these initiatives involve the maintenance of large databases with sensitive personal information, and therefore data protection safeguards are needed.


The Services Provided by the Office

?        Information and advice to data subjects, data controllers, data processors and their advisers (includes telephone and written advice including by email, meetings and detailed information on our website and in guidance booklets).

           

  • Investigating, resolving and, where necessary, adjudicating on complaints about infringement of data protection rights.

                                               

  • Raising awareness of data protection issues:

Developing, implementing and reviewing our strategy for promoting awareness;

Implementing initiatives for promoting awareness;

                        Website development and maintenance;

                        Providing presentations to organisations and groups.

  • Enforcing data protection compliance:

Issuing statutory notices where necessary (information and enforcement notices);

Carrying out privacy audits;

                        Encouraging sectoral bodies to develop codes of practice;

                        Initiating prosecutions where necessary.

  •  Maintaining a Public Register of relevant data controllers and data processors.

  • Processing requests by companies for approval of model contracts or Binding Corporate Rules in regard to transfers of data outside of the E.U.

How We Developed our Service Standards

The service standards set out in the Customer Charter were developed following a review of customer feedback from a number of sources, as described below.

?              Direct contact through talks, presentations, media interviews and participation in trade events

The interaction with customers at these presentations and events provides the Commissioner and staff of the Office with the opportunity to hear the concerns of members of our customers at first hand.   The practical business problems which data controllers may experience in achieving compliance are explored and meetings also take place regularly with Government Departments and industry. The Commissioner and staff give frequent interviews on national and local radio, as well as giving presentations to various sectoral groups (such as banking, health and insurance sectors).  Queries and issues discussed during and after these interactions provide valuable insights into the concerns of customers.

?           Surveys of public awareness of data protection and privacy issues

The standards set out in our first Customer Charter were informed by the results of a survey completed in late 2005.  A new survey commissioned in 2008 revealed that awareness levels have changed a great deal in the intervening period.  The issues identified by the survey and the levels of awareness demonstrated by the public have informed the quality service standards set out here and in our Customer Charter.

?           Monitoring systems

These provide ongoing analysis of enquiries received.  They enable identification of the volume and range of queries and identify issues that the Office should address with new guidance and information resources.

?           The conduct of privacy audits

Data Protection auditing is used primarily to assist data controllers in complying with their obligations.  Audit findings identify areas where enhanced information or service provision may be required of the Office.

?           Consultations with staff

Team meetings and feedback from the staff of the Office was an important element in the development of the service standards.


Implementation of Quality Customer Service Action Plan

Quality Service Standards

Objective

Improve transparency by publishing a statement that outlines the nature and quality of service which customers can expect, and display it prominently at the point of service delivery.

The Customer Charter sets out the Key Service Standards which we are committed to providing for our customers.  The Customer Service Action Plan outlines the services we provide and our commitments to improve these services.

Action Plan

  • Publish the Customer Charter on our website to advise customers of the standards they can expect of us;
  • Make the Customer Charter and the Customer Action Plan available, in either hard copy or in electronic format, to any customer who wishes to have a copy;
  • Let customers know, at the point of service, the standard of service they can expect;
  • Monitor the targets set for quality services.

Key Performance Indicator

Publication and availability of information to customers on Service Standards on our website and at our reception.


Equality/Diversity/Disability

Objective

Contribute to facilitating the rights to equal treatment established by equality legislation, and accommodate diversity (under the grounds of gender, marital status, family status, sexual orientation, religious belief, age, disability, race and membership of the Travelling Community).

Identify and work to eliminate barriers to access to services for people experiencing poverty and social exclusion, and for those facing geographic barriers to service.

The Data Protection principles, particularly that personal data being processed should be accurate, complete and up to date and be adequate, relevant and not excessive, as well as the right of access to one's data, contribute to the promotion of equality and diversity. Our mission, therefore, requires that people should be aware of their rights, as a first step to exercising these rights.  

In promoting awareness and providing information and advice we aim to use plain language which is suitable for all customers. We provide publications for use at Citizens Information Centres and also give presentations to information providers in these centres.  As well as giving regular interviews on local and national radio, we publicise our role and how we can help people to vindicate their data protection rights in a practical way.

We have produced a DVD, guides and presentations aimed at informing data controllers about complying with data protection standards, copies of which are available from our Office or can be downloaded from the Training and Awareness section of our website.

Action Plan

?        Ensure website conforms to high level of accessibility for all users (we conform to WAI guidelines level AA for public websites)

?        Ensure that public information leaflets/booklets take equality and diversity issues into account in relation to design, content and dissemination

?        Strive to be pro-active in disseminating information through a wide variety of media, including through on-line media, local and regional media outlets and Citizens Information Centres.

?        The Office of the Data Protection Commissioner sources training for staff to assist in improving the accessibility of the services it offers on an ongoing basis.  Where necessary the Office has and will continue to source expertise and skills to improve the accessibility of its services externally.

?        All procurement related to the provision of services at the Office of the Data Protection Commissioner must be preceded by a consideration of the accessibility of the service to people with disabilities. The record of the procurement must include confirmation that this has taken place and the results of the consideration must be recorded. 

?        All new basic guidance documents will continue to be produced in plain English format.

?        The Office of the Data Protection Commissioner has appointed Ms Caroline Rawlinson as Access Officer. He can be contacted by e-mail - info@datprotection.ie or phone (057) 8684800.

Key Performance Indicator

Nature of feedback from customers and representative groups on service standards.


 

Physical Access

Objective

Provide clean, accessible public offices that ensure privacy, comply with occupational and safety standards and, as part of this, facilitate access for people with disabilities and others with specific needs.

The office and its meeting room are fully accessible for people with disabilities. We also provide a high standard of conference facilities for formal meetings with customers. 

Action Plan

?        Monitor accessibility of Office for customers;

?        Provide space to comment on accessibility of offices on customer feedback form;

?        Monitor feedback received in relation to accessibility of facilities;

Key Performance Indicator

Nature of feedback from customers, at point of service, through feedback forms and in correspondence.


Information

 

Objective

Take a proactive approach in providing information that is clear, timely and accurate, is available at all points of contact, and meets the requirements of people with specific needs. Ensure that the information available on our website is presented in an easily accessible format.  Continue the drive for practical advice on data protection in plain language and simplification of forms, information leaflets and procedures.

The ongoing objectives of the Office include the provision of practical, comprehensive, definitive and clear information and advice to customers regarding data protection
matters and the development of materials aimed at achieving measurable
improvements in levels of awareness.  Information is provided by telephone, email, letter, media interviews and through our website, www.dataprotection.ie.  The Office has developed a range of on-line resources, including leaflets, presentations and a DVD. The Office has also produced a special resource for schools.  These can be accessed through the Training and Awareness section of our website. 

Action Plan

  • Ensure that all new staff have sufficient knowledge to deal with routine requests for information or advice within three months of appointment;
  • Continue to develop the website (www.dataprotection.ie) as a key information resource for customers;
  • Continue to expand the Frequently Asked Questions facility and to develop guidance on specific data protection topics of general public concern;
  • Organise regular opportunities for targeted sectors to increase their awareness of their responsibilities in relation to data protection compliance, including registration, if applicable;
  • Maintain the usefulness of the public register by ensuring that register entries are meaningful, informative and relevant;
  • Provide a timely concise and informative Annual Report each year;
  • Provide an update on the implementation of our business plan and strategic objectives in the Annual Report.

Key Performance Indicator

Increased public awareness of data protection and privacy issues as measured in surveys and indicated in media coverage.

Levels of customer satisfaction as indicated by comments received in the Office, by letter, telephone and through online feedback forms.


Timeliness and Courtesy

Objective

Deliver quality services with courtesy, sensitivity and the minimum delay, fostering a climate of mutual respect between provider and customer.

The Office has published specific targets for response times to written communication, in particular in our Customer Charter.   The aim is to address issues as promptly as possible, having regard to the varying complexity of cases, which can have significant implications for time scales.  Contact names are given in written and telephone communications and the website has a list of staff responsible for various functions within the Office. 

Action Plan

  • Maximise the speed and efficiency of the registration procedure;
  • As resources permit, continue to develop the IT system to support speedy and effective response to correspondence;
  • Provide on-going training for staff to ensure they are kept up-to-date on developments in data protection and that they use appropriate interpersonal and writing skills in communicating with customers;
  • Give contact names in all communications to ensure ease of ongoing communications;
  • Ensure callers to the office have services available during public office hours -  9.15am – 17.30 pm (17.15pm on Fridays);
  • Answer 80% of telephone calls received during office hours (09.15am – 17.30 pm, 17.15pm on Fridays) within 20 seconds;
  • Ensure that customers leaving voice mail messages receive a call back within one working day at the latest;
  • Ensure that callers to voicemail are made aware if the person they are calling will be away for more than one day, and are provided with an alternative contact number.

Key Performance Indicator

Achievement and if possible improvement on published service targets. Quality of service to be monitored and reviewed on an on-going basis by line managers.


Customer Service Complaints

Objective

Maintain a well-publicised, accessible, transparent and simple-to-use system of dealing with complaints about the quality of service provided.

We welcome customers' views, received both formally and informally, and their advice on how we can improve our services.

Action Plan

  • Have a simple, easy-to-use customer complaints system in place, where complaints are handled at the point of service, where practicable;
  • Respond to complaints at the point of service if the customer wishes;
  • Ensure that customers know that they can complain about service levels/quality directly to the Commissioner;
  • Respond to a customer service complaint as soon as possible and, at the very latest, within 15 working days;
  • When it is not possible to issue a comprehensive response immediately, an acknowledgement will issue in relation to the complaint within 3 working days;
  • Provide information and procedures for staff on handling quality of service complaints.

Key Performance Indicator

Report on customer service to be included in the Annual Report.


Registration

    

Objective

Maintain the efficiency of the registration system and maintain the usefulness of the public register.

The Data Protection Commissioner is charged under the Acts with maintaining a register of certain data controllers and data processors.  The purpose that underlies the registration system is to ensure that data processing takes place in an open and transparent manner, thus enabling people to know how their personal data is used.  It is also used to ensure that those entities subject to registration comply with their obligations, including annual renewal of their registration.

The Office has developed web-based resources in order to increase the usefulness of the public register by ensuring that register entries are more meaningful, informative and relevant, and also that the register is available on line.  On-line registration and payment facilities are now in place for the convenience of customers.

Action Plan

  • Continue to update the register to maintain the effectiveness of the registration system and to increase awareness among the public of how their data is used;
  • Ensure procedures are in place to process new applications for registration and renewal applications ordinarily within 3 working days.

Key Performance Indicator

Register regularly updated to reflect recent entries; new and renewal applications processed within agreed timescale.

Updated register published on our website every fortnight.


Official Languages Equality

Objective

Provide quality services through Irish and/or bilingually and inform customers of their right to choose to be dealt with through one or other of the official languages.

An Irish Language Scheme for the Office has been in place since April 2007 and is available on our website.  A new scheme will be available by April 2010.

Action Plan

  • Continue to meet the commitments of our Irish Language Scheme to ensure we meet our commitments under the provisions of the Official Languages Act, 2003;
  • Provide information to staff on the requirements of the Act;
  • Develop a new scheme to improve our services through Irish within the timeframe required;

Key Performance Indicators

Major documents such as our Annual Report published simultaneously in both Irish and English.

Irish language version of our website (www.cosantasonrai.ie) maintained to ensure that it is an up-to-date, accurate and useful resource.

Improvement the ability of our staff to respond to a telephone call in Irish.

Customer satisfaction with our services in Irish as indicated by customer feedback forms.


Better Co-ordination

Objective

Foster a more coordinated and integrated approach to the delivery of public services.

Co-ordination with relevant bodies and with organisations such as the Human Rights Commission, the Commission for Communications Regulation (ComReg), the Information Commissioner, the Regulator of Premium Rate Services (Regtel) and the National Consumer Agency is a central element of service delivery.  The Office provides data protection advice in the context of policy and business initiatives and is proactive in ensuring that data protection principles are considered at all stages of any new measures being introduced.

The Office is not limited in its functions to Ireland alone; it is an integral element of the data protection infrastructure at European level. 

Action Plan

  • Ensure regular liaison with key agencies takes place so that personal data protection issues are addressed early in the development of policy and systems.

Key Performance Indicator

Successful practice of joined up enforcement e.g. in cooperation with ComReg etc.

Effective operation of internal cross-functional teams e.g. in relation to our audit function.


Internal Customer

Objective

Ensure staff are recognised as internal customers and that they are properly supported and consulted with regard to service delivery issues.

The Office is a small, tightly-knit, flexible and adaptable organisation. The partnership process is well established and has been operating successfully as a consultative forum for change.  The importance of well-trained and motivated staff in the delivery of quality service to external customers is well recognised, and a range of training initiatives have been developed to support staff in this aspect of their work.  

Action Plan

  • Provide quarterly workshops for staff with reference to emerging data protection issues or data protection issues of particular public concern;
  • Develop and maintain the partnership process;
  • Continue to support the PMDS process;
  • Ensure maintenance and development of good communications structures within the Office, including regular staff meetings;
  • Consult with and encourage staff to contribute their views on an ongoing basis on issues affecting them.

Key performance indicator

Levels of staff satisfaction with internal customer service delivery.






» Permanent Link