Customer Service Action Plan 2006 -2007

Customer Service Action Plan 2006 -2007

Office of the Data Protection Commissioner

Contents

Mission Statement

High Level Goals

Introduction

The Responsibilities of the Office of the Data Protection Commissioner

European Function

The Article 29 Working Party

Supervisory Role

The Services Provided by the Office

How We Developed our Service Standards

Action Plan for the Implementation of Quality Customer Service

Quality Service Standards

Equality/Diversity/Disability

Physical Access

Information

Timeliness and Courtesy

Complaints

Appeals

Consultation and Evaluation

Choice

Official Language Equality

Better Co-ordination

Internal Customer

Mission Statement

Office of the Data Protection Commissioner

Our Mission is to protect the individual's right to privacy by enabling people to know, and to exercise control over how their personal information is used, in accordance with the Data Protection Acts, 1988 and 2003.

.

High-Level Goals

1. To maximise people's ability to exercise their data
protection rights.

2. To maximise levels of awareness and compliance with data protection
obligations among those keeping personal information.

3. To provide timely, practical and easily understood advice to
people and organisations, which, while supporting Information Society developments, fully protects Data Protection rights.

Introduction

The right to know what personal data is held about us, and to ensure that these data are used in accordance with the law, is a key human right for all of us. The Data Protection Commissioner is responsible for upholding the rights of individuals as set out in legislation, and for enforcing the corresponding obligations upon data controllers, i.e. people or organisations holding information about individuals. The Office of the Commissioner, therefore, provides services to an extensive range of customers, including private citizens (as data subjects) and state agencies and corporate bodies (as data controllers). Our international mutual assistance obligations mean that Data Protection Authorities in other jurisdictions, as well as the EU Commission, are also our customers. In addition to serving customers’ needs, the Commissioner also has a statutory duty to raise awareness of data protection, having regard to the interests of data subjects.

The Office is committed to delivering quality customer services in achieving its mission and high-level goals. This commitment is reflected in successive Strategy Statements and has informed the Business Planning process. Customer Service Objectives and reports on progress with their implementation have been included in recent Annual Reports. The publication of the Customer Charter takes the process a step further with the provision ofa more detailed statement of service standards. To support the implementation of the Charter, we have developed this Customer Service Action Plan, 2006 - 2007,which sets out the specific actions which we will take in delivering, evaluating and reporting on our service standards.

The Office is scheduled to decentralise to Portalington in Autumn 2007 and staff changes in preparation for this are scheduled to take place in the first half of 2006. A major part of planning for the decentralisation involves reviewing processes with an emphasis on the retention of the Office’s corporate knowledge, and with a view to ensuring that the strong commitment to providing the best possible service to our customers is not jeopardised by the move to Portarlington. It will be a challenge to maintain service levels due to the huge staff turnover and the fact that the Office will have little say in the selection of people being assigned. This Customer Service Action Plan is drafted with the aim of maintaining service levels but the difficulties involved in a time of major transition must be acknowleged.

The Responsibilities of the Office of the Data Protection Commissioner

The Office of the Data Protection Commissioner was established under the 1988 Data Protection Act. The Data Protection Amendment Act, 2003, updated the legislation and transposed the provisions of EC Directive 95/46 into Irish Law. The Acts provide for the general principle that individuals should be in a position to control how personal data relating to them is used. "Data controllers" i.e.people or organisations holding information about individuals on computer or in certain paper files, must comply with the fair processing requirements of the Acts inorder to protect personal data, and individuals have corresponding rights. “Data processors” i.e. organisations that carry out processing operations on behalf of a data controller are also subject to the Acts.

The Data Protection Commissioner is responsible for upholding the rights of individuals as set out in the Acts, and ensuring that data controllers comply with their obligations. The Commissioner is appointed by Government and is independent in the exercise of his or her functions. The Commissioner makes an annual report to the Oireachtas. Individuals who feel their rights are being infringed can complain to the Commissioner, who will investigate the matter, and take whatever steps may be necessary to resolve it.

The Commissioner also maintains a register, available for public inspection, giving general details about the data-handling practices of many important data controllers, such as Government Departments, State-sector bodies and financial institutions.

European Functions

In addition to the primary responsibilities outlined above, the Data Protection Commissioner also exercises functions arising from Ireland’s commitments at European level.

Article 29 Working Party

The Commissioner is a member of the Working Party on data protection established under Article 29 of EU Data Protection Directive 95/46/EC. This Working Party brings together the Data ProtectionCommissioners of the EU, the European Data Protection Supervisor and the EU Commission. It discusses matters of common interest, and agrees common positions on the application of the Directive.

European Databases and Data Protection Supervision

The Commissioner is designated under the Europol Act, 1997 as the "national supervisory body" for Ireland for the purposes of the Europol Convention. This function involves monitoring the activities of An Garda Síochána in liaising with Europol Headquarters in The Hague, The Netherlands. The Commissioner is a member of the Europol Joint Supervisory Body, which monitors Europol’s operations to ensure that people’s privacy rights are respected.

The Commissioner is designated under the Customs and Excise (Mutual Assistance) Act, 2001 as the “national supervisory body” for Ireland for the purpose of the Customs Information System Convention. This involves the monitoring of the activities of the Customs Service on its use of the Customs Information System. The Commissioner is a member of the Customs Information System Joint Supervisory Authority.

The Commissioner is also a member of the Joint Supervisory Body for Eurojust (co-operation by judicial and prosecution authorities) and an observer on the Schengen Joint Supervisory Authority pending Ireland’s implementation of the Schengen Information System.

All of these initiatives involve the maintenance of large databases with sensitive personal information, and therefore data protection safeguards are needed.

The Services Provided by the Office

• Information and advice to data subjects, data controllers and their advisers

Includes telephone and written advice services, meetings and detailed

information on website and in guidance booklets

• Investigating, resolving and, where necessary, adjudicating on complaints about infringement of data protection rights

• Raising Awareness of Data Protection issues:

Developing, implementing and reviewing strategy for promoting awareness

Implementing initiatives (e.g. advertising campaigns) for promoting awareness

Website development and maintenance

Providing presentations to organisations and groups

• Enforcing Data Protection compliance:

Issuing Statutory Notices where necessary (Information and Enforcement Notices)

Carrying out privacy audits

Encouraging sectoral bodies to developcodes of practice

Initiating prosecutions where necessary

• Maintaining a Public Register of data controllers and data processors

• Processing requests by companies for approval of contracts or Binding Corporate Rules in regard to transfers of data outside of the E.U.

How We Developed our Service Standards

The Service Standards set out in the Customer Charter were developed following a review of customer feedback from a number of sources, as described below.

• A survey of public awareness of data protection and privacy issues

This survey was commissioned from a market research company and completed in late 2005. It provided insights which were of crucial importance in identifying the current issues which this Office needs to address. Among the key findings of the survey was an increase in peoples’ anxieties about intrusions into their privacy, as compared with the results of a similar survey conducted in 2003. Expressions of concern about businesses practices and about internet use had all increased significantly over the period. This survey pointed to a growing awareness of the importance of privacy and data protection rights among the public, with a particular emphasis on security in relation to online business transactions.

• Monitoring systems

These provide ongoing analysis of enquiries received. Theyenable identification of the volume and range of queriesand provide an indication of public response to awareness campaigns.

• Direct contact through talks, presentations, media interviews and participation in trade events

The interaction with customers at these presentations and events provides the Commissioner and staff of the Office with the opportunity to hear concerns at first hand. The practical business problems which data controllers may experience in achieving compliance are explored and meetings also take place regularly with Government Departments and industry. The Commissioner and staff give frequent interviews on national and local radio, as well as giving presentations to various sectoral groups (such as banking, health and insurance sectors). Staff also give presentations at local Citizen Information Centres, as well as participating in Comhairle’s educationprogramme for their advice staff. Queries and issues discussed during and after these interactions provide valuable insights into the concerns of customers.

• The conduct of privacy audits

Data Protection auditingwas provided for in the Data Protection (Amendment) Act 2003 and is being used primarily to assist data controllers in complying with their obligations. The findings of audits may identify areas where enhanced information or service provision may be required of the Office.

• Consultations with staff

Staff were involved through the partnership process in the development of the service standards.

Implementation of Quality Customer Service Action Plan

Quality Service Standards

Objective

Improve transparency by publishing a statement that outlines the nature and quality of service which customers can expect, and display it prominently at the point of service delivery.

The Customer Charter sets out the Key Service Standards which we are committed to providing for our customers. The Customer Service Action Plan outlines the services we provide and the commitments to improve these services.

Action Plan

• Publish the Customer Charter on our website to advise customers of the standards they can expect of us
• Make the Customer Charter and the Customer Action Plan available, in either hard copy or in electronic format, to any customer who wishes to have a copy
• Let customers know, at the point of service, the standard of service they can expect
• Monitor the targets set for quality services

Key Performance Indicator

Publication and availability of information to customers on Service Standards on our web-site and at our reception.

Equality/Diversity/Disability

Objective

Contribute to facilitating the rights to equal treatment established by equality legislation, and accommodate diversity(under the grounds of gender, marital status, family status, sexual orientation, religious belief, age, disability, race and membership of the Traveling Community).

Identify and work to eliminate barriers to access to services for people experiencing poverty and social exclusion, and for those facing geographic barriers to service.

The Data Protection principles, particularly that personal data being processed should be accurate, complete and up to date and be adequate, relevant and not excessive, as well as the right of access to one’s data, contribute to the promotion of equality and diversity. Our Mission, therefore, requires that people should be aware of their rights, as a first step to exercising these rights.

In promoting awareness and providing information and advice we aim to use plain language which is suitable for all customers. We provide publications at all Citizens Information Centres and also give face-to-face presentations in these centres, at various geographical locations. As well as giving regular interviews on local and national radio, we run regular poster campaigns, advertising data protection and publicising our role and how we can help people to vindicate their data protection rights in a practical way.

We have also produced a video/CD/DVD aimed at informing data controllers how to comply with data protection, copies of which are available from our Office.

Action Plan

• Ensure website conforms to high level of accessibility for all users (we conform to WAI guidelines level AA for public websites)
• Ensure that public information leaflets/booklets take equality and diversity issues into account in relation to design, content and dissemination
• Strive to be pro-active in disseminating information through a wide variety of media, including local and regional media outlets, particularly local radio, and Citizens Information Centres.

Key Performance Indicator

Nature of feedback from customers and representative groups on service standards.

Physical Access

Objective

Provide clean, accessible public offices that ensure privacy, comply with occupational and safety standards and, as part of this, facilitate access for people with disabilities and others with specific needs.

The Officehasre-located to new premises, which has accessto the public reception area for people with disabilities. We also provide a high standard of conference facilities for formal meetings with customers. The Office has been selected by Government for decentralisation to Portarlington and every effort is being made by OPW to ensure that the new office accommodation will conform to our existing standards of physical accessibility.

Action Plan

• Monitor accessibility of Office for customers
• Provide space to comment on accessibility of offices oncustomer feedback form
• Monitor feedback received in relation to accessibility of facilities
• Ensure, in liaison with OPW, that the premises to which the Office will be decentralised in Portarlington has high standards of physical access

Key Performance Indicator

Nature of feedback from customers, at point of service, through feedback forms and in correspondence.

Information

Objective

Take a proactive approach in providing information that is clear, timely and accurate, is available at all points of contact, and meets the requirements of people with specific needs. Ensure that the potential offered by Information Technology is fully availed of and that the information available on our websiteis presented in an easily accessible format. Continue the drive for practical advice on Data Protection in plain language andsimplification of forms, information leaflets and procedures.

The ongoing objectives of the Office include the provision of practical,comprehensive, definitive and clear information and advice to customers regarding data protection
matters and the development of materials aimed atachieving measurable
improvements in levels of awareness. Information is provided though a wide range of channels: telephone, letter and email, leaflets, website, presentations, advertising, radio/ tv interviews and video/DVD.

Action Plan

• Ensure that all new staff have sufficient knowledge to deal with routine requests for information or advice within three months of appointment
• Develop the website ( to accommodate expanded advice and guidance
• Expand the range of topics on which guidance notes are prepared
• Organise regular seminars for targeted sectors to increase their awareness of their responsibilities in relation to data protection compliance, including registration, if applicable
• Increase the usefulness of the public register by ensuring that register entries are meaningful, informative and relevant
• Explore other ways of raising public awareness of the information in the public Register
• Provide a timely concise and informative Annual Report by end-June each year
• Provide an update on the implementation of our business plan and strategic objectives in the Annual Report

Key Performance Indicator

Public awareness of data protection and privacy issues as indicated through surveys and coverage in public media.

Levels of customer satisfaction as indicated by comments received in the Office, by letter, telephone through online feedback forms.

Timeliness and Courtesy

Objective

Deliver quality services with courtesy, sensitivity and the minimum delay, fostering a climate of mutual respect between provider and customer.

Give contact names in all communications to ensure ease of ongoing transactions.

The Office has published specific targets for response times to written communication,in particular in our Customer Charter (see charter). The aim is to address issues raised as promptly as possible, having regard to the varying complexity of cases, which can have significant implications for time scales. Contact names are given in written and telephone communications and the website has a list of staff responsible for various functions within the Office.

Action Plan

• Maximise the speed and efficiency of the registration procedure
• Develop the IT system to support speedy and effective response to correspondence
• Provide on-going training for staff to ensure they are kept up-to-date on developments in Data Protection and that they use the appropriate interpersonal and writing skills in communicating with customers
• Ensure callers to the office have services available duringpublic office hours - Public Office - 9.45am– 12.45 pm and 2.15 pm–5.00 pm;
• Answer 80% of telephone calls received during office hourswithin 20 seconds(9.15 – 5.30 pm, closed 1.00 – 2.00 pm)
• Ensure that customers leaving voicemail messages receive a call back within one working day
• Ensure that callers to voicemail are made aware if the person they are calling will be away for more than one day, and are provided with an alternative contact number

Key Performance Indicator