Customer Service Action Plan 2010 - 2011
1. To maximise people's ability to exercise their data protection rights.
2. To maximise levels of awareness and compliance with data protection obligations among those keeping personal information.
3. To provide timely, practical and easily understood advice to people and organisations to fully protect Data Protection rights.
The right to know what personal data is held about us, and to ensure that these data are used in accordance with the law, is a key human right for all of us. The Data Protection Commissioner is responsible for upholding the rights of individuals as set out in legislation, and for enforcing the corresponding obligations upon data controllers, i.e. people or organisations holding information about individuals. The Office of the Commissioner, therefore, provides services to an extensive range of customers, including private citizens (as data subjects) and state agencies and corporate bodies (as data controllers). Our international mutual assistance obligations mean that Data Protection Authorities in other jurisdictions, as well as the EU Commission for instance, are also our customers. In addition to serving customers’ needs, the Commissioner also has a statutory duty to raise awareness of data protection, having regard to the interests of data subjects and the obligations placed on data controllers.
The Office is committed to delivering quality customer services in achieving its mission and high-level goals. This commitment is reflected in successive Strategy Statements and has informed the business planning process. Our annual reports provide updates on progress in the implementation of the objectives set out in the business plans. Our Customer Charter contains a more detailed statement of service standards. To support the implementation of the Charter, we have developed this Customer Service Action Plan, 2010 - 2011, which sets out the specific actions which we will take in delivering, evaluating and reporting on our service standards.
The Data Protection Acts 1988 and 2003, which established the Office of the Data Protection Commissioner, provide for the general principle that individuals should be in a position to control how personal data relating to them is used. "Data controllers" (i.e. people or organisations holding information about individuals on computer or in certain paper files) must comply with the requirements of the Acts in order to use personal data, and individuals have corresponding rights.
The Data Protection Commissioner is responsible for upholding the rights of individuals as set out in the Acts, and ensuring that data controllers comply with their obligations. Individuals who feel their rights are being infringed can complain to the Commissioner, who will investigate the matter and take whatever steps may be necessary to resolve it.
The Commissioner also maintains a register, available for public inspection, giving general details about the data-handling practices of many important data controllers, such as Government Departments and financial institutions.
In addition to the primary responsibilities outlined above, the Data Protection Commissioner also exercises functions arising from
The Commissioner is a member of the Working Party on data protection established under Article 29 of EU Data Protection Directive 95/46/EC. This Working Party brings together the Data Protection Commissioners of the EU, the European Data Protection Supervisor and the European Commission. It discusses matters of common interest, and agrees common positions on the application of the Directive.
The Commissioner is designated under the Europol Act, 1997 as the "national supervisory body" for Ireland for the purposes of the Europol Decision. This function involves monitoring the activities of An Garda Síochána in liaising with Europol Headquarters in The Hague, The Netherlands. The Commissioner is a member of the Europol Joint Supervisory Body, which monitors Europol’s operations to ensure that people’s privacy rights are respected.
The Commissioner is designated under the Customs and Excise (Mutual Assistance) Act, 2001 as the “national supervisory body” for
All of these initiatives involve the maintenance of large databases with sensitive personal information, and therefore data protection safeguards are needed.
· Information and advice to data subjects, data controllers, data processors and their advisers (includes telephone and written advice including by email, meetings and detailed information on our website and in guidance booklets).
- Investigating, resolving and, where necessary, adjudicating on complaints about infringement of data protection rights.
- Raising awareness of data protection issues:
Developing, implementing and reviewing our strategy for promoting awareness;
Implementing initiatives for promoting awareness;
Website development and maintenance;
Providing presentations to organisations and groups.
- Enforcing data protection compliance:
Issuing statutory notices where necessary (information and enforcement notices);
Carrying out privacy audits;
Encouraging sectoral bodies to develop codes of practice;
Initiating prosecutions where necessary.
- Maintaining a Public Register of relevant data controllers and data processors.
- Processing requests by companies for approval of model contracts or Binding Corporate Rules in regard to transfers of data outside of the E.U.
The service standards set out in the Customer Charter were developed following a review of customer feedback from a number of sources, as described below.
· Direct contact through talks, presentations, media interviews and participation in trade events
The interaction with customers at these presentations and events provides the Commissioner and staff of the Office with the opportunity to hear the concerns of members of our customers at first hand. The practical business problems which data controllers may experience in achieving compliance are explored and meetings also take place regularly with Government Departments and industry. The Commissioner and staff give frequent interviews on national and local radio, as well as giving presentations to various sectoral groups (such as banking, health and insurance sectors). Queries and issues discussed during and after these interactions provide valuable insights into the concerns of customers.
· Surveys of public awareness of data protection and privacy issues
The standards set out in our first Customer Charter were informed by the results of a survey completed in late 2005. A new survey commissioned in 2008 revealed that awareness levels have changed a great deal in the intervening period. The issues identified by the survey and the levels of awareness demonstrated by the public have informed the quality service standards set out here and in our Customer Charter.
· Monitoring systems
These provide ongoing analysis of enquiries received. They enable identification of the volume and range of queries and identify issues that the Office should address with new guidance and information resources.
· The conduct of privacy audits
Data Protection auditing is used primarily to assist data controllers in complying with their obligations. Audit findings identify areas where enhanced information or service provision may be required of the Office.
· Consultations with staff
Team meetings and feedback from the staff of the Office was an important element in the development of the service standards.
The Customer Charter sets out the Key Service Standards which we are committed to providing for our customers. The Customer Service Action Plan outlines the services we provide and our commitments to improve these services.
- nitor the targets set for quality services.
The Data Protection principles, particularly that personal data being processed should be accurate, complete and up to date and be adequate, relevant and not excessive, as well as the right of access to one’s data, contribute to the promotion of equality and diversity. Our mission, therefore, requires that people should be aware of their rights, as a first step to exercising these rights.
In promoting awareness and providing information and advice we aim to use plain language which is suitable for all customers. We provide publications for use at Citizens Information Centres and also give presentations to information providers in these centres. As well as giving regular interviews on local and national radio, we publicise our role and how we can help people to vindicate their data protection rights in a practical way.
We have produced a DVD, guides and presentations aimed at informing data controllers about complying with data protection standards, copies of which are available from our Office or can be downloaded from the Training and Awareness section of our website.
· Ensure website conforms to high level of accessibility for all users (we conform to WAI guidelines level AA for public websites)
· Ensure that public information leaflets/booklets take equality and diversity issues into account in relation to design, content and dissemination
· Strive to be pro-active in disseminating information through a wide variety of media, including through on-line media, local and regional media outlets and Citizens Information Centres.
· The Office of the Data Protection Commissioner sources training for staff to assist in improving the accessibility of the services it offers on an ongoing basis. Where necessary the Office has and will continue to source expertise and skills to improve the accessibility of its services externally.
· All procurement related to the provision of services at the Office of the Data Protection Commissioner must be preceded by a consideration of the accessibility of the service to people with disabilities. The record of the procurement must include confirmation that this has taken place and the results of the consideration must be recorded.
· All new basic guidance documents will continue to be produced in plain English format.
· The Office of the Data Protection Commissioner has appointed Ms Caroline Rawlinson as Access Officer. He can be contacted by e-mail - email@example.com or phone (057) 8684800.
Nature of feedback from customers and representative groups on service standards.
· Monitor accessibility of Office for customers;
· Provide space to comment on accessibility of offices on customer feedback form;
· Monitor feedback received in relation to accessibility of facilities;
The ongoing objectives of the Office include the provision of practical, comprehensive, definitive and clear information and advice to customers regarding data protection
matters and the development of materials aimed at achieving measurable
improvements in levels of awareness. Information is provided by telephone, email, letter, media interviews and through our website, www.dataprotection.ie. The Office has developed a range of on-line resources, including leaflets, presentations and a DVD. The Office has also produced a special resource for schools. These can be accessed through the Training and Awareness section of our website.
- Ensure that all new staff have sufficient knowledge to deal with routine requests for information or advice within three months of appointment;
- Continue to develop the website (www.dataprotection.ie) as a key information resource for customers;
- Continue to expand the Frequently Asked Questions facility and to develop guidance on specific data protection topics of general public concern;
- Organise regular opportunities for targeted sectors to increase their awareness of their responsibilities in relation to data protection compliance, including registration, if applicable;
- Maintain the usefulness of the public register by ensuring that register entries are meaningful, informative and relevant;
- Provide a timely concise and informative Annual Report each year;
- Provide an update on the implementation of our business plan and strategic objectives in the Annual Report.
The Office has published specific targets for response times to written communication, in particular in our Customer Charter. The aim is to address issues as promptly as possible, having regard to the varying complexity of cases, which can have significant implications for time scales. Contact names are given in written and telephone communications and the website has a list of staff responsible for various functions within the Office.
- Maximise the speed and efficiency of the registration procedure;
- As resources permit, continue to develop the IT system to support speedy and effective response to correspondence;
- Provide on-going training for staff to ensure they are kept up-to-date on developments in data protection and that they use appropriate interpersonal and writing skills in communicating with customers;
- Give contact names in all communications to ensure ease of ongoing communications;
- Ensure callers to the office have services available during public office hours - ( on Fridays);
- Answer 80% of telephone calls received during office hours (, on Fridays) within 20 seconds;
- Ensure that customers leaving voice mail messages receive a call back within one working day at the latest;
- Ensure that callers to voicemail are made aware if the person they are calling will be away for more than one day, and are provided with an alternative contact number.
We welcome customers’ views, received both formally and informally, and their advice on how we can improve our services.
- Have a simple, easy-to-use customer complaints system in place, where complaints are handled at the point of service, where practicable;
- Respond to complaints at the point of service if the customer wishes;
- Ensure that customers know that they can complain about service levels/quality directly to the Commissioner;
- Respond to a customer service complaint as soon as possible and, at the very latest, within 15 working days;
- When it is not possible to issue a comprehensive response immediately, an acknowledgement will issue in relation to the complaint within 3 working days;
- Provide information and procedures for staff on handling quality of service complaints.
The Data Protection Commissioner is charged under the Acts with maintaining a register of certain data controllers and data processors. The purpose that underlies the registration system is to ensure that data processing takes place in an open and transparent manner, thus enabling people to know how their personal data is used. It is also used to ensure that those entities subject to registration comply with their obligations, including annual renewal of their registration.
The Office has developed web-based resources in order to increase the usefulness of the public register by ensuring that register entries are more meaningful, informative and relevant, and also that the register is available on line. On-line registration and payment facilities are now in place for the convenience of customers.
- Continue to update the register to maintain the effectiveness of the registration system and to increase awareness among the public of how their data is used;
- Ensure procedures are in place to process new applications for registration and renewal applications ordinarily within 3 working days.
An Irish Language Scheme for the Office has been in place since April 2007 and is available on our website. A new scheme will be available by April 2010.
- Continue to meet the commitments of our Irish Language Scheme to ensure we meet our commitments under the provisions of the Official Languages Act, 2003;
- Provide information to staff on the requirements of the Act;
- Develop a new scheme to improve our services through Irish within the timeframe required;
Key Performance Indicators
Major documents such as our Annual Report published simultaneously in both Irish and English.
Irish language version of our website (www.cosantasonrai.ie) maintained to ensure that it is an up-to-date, accurate and useful resource.
Improvement the ability of our staff to respond to a telephone call in Irish.
Customer satisfaction with our services in Irish as indicated by customer feedback forms.
Co-ordination with relevant bodies and with organisations such as the Human Rights Commission, the Commission for Communications Regulation (ComReg), the Information Commissioner, the Regulator of Premium Rate Services (Regtel) and the National Consumer Agency is a central element of service delivery. The Office provides data protection advice in the context of policy and business initiatives and is proactive in ensuring that data protection principles are considered at all stages of any new measures being introduced.
The Office is not limited in its functions to Ireland alone; it is an integral element of the data protection infrastructure at European level.
- Ensure regular liaison with key agencies takes place so that personal data protection issues are addressed early in the development of policy and systems.
Key Performance Indicator
Successful practice of joined up enforcement e.g. in cooperation with ComReg etc.
Effective operation of internal cross-functional teams e.g. in relation to our audit function.
The Office is a small, tightly-knit, flexible and adaptable organisation. The partnership process is well established and has been operating successfully as a consultative forum for change. The importance of well-trained and motivated staff in the delivery of quality service to external customers is well recognised, and a range of training initiatives have been developed to support staff in this aspect of their work.
- Provide quarterly workshops for staff with reference to emerging data protection issues or data protection issues of particular public concern;
- Develop and maintain the partnership process;
- Continue to support the PMDS process;
- Ensure maintenance and development of good communications structures within the Office, including regular staff meetings;
- Consult with and encourage staff to contribute their views on an ongoing basis on issues affecting them.
Key performance indicator
Levels of staff satisfaction with internal customer service delivery.
» Permanent Link