OUR BUSINESS PLAN TABLE OF CONTENTS OUR BUSINESS PLAN OBJECTIVE by salazarcannon

VIEWS: 27 PAGES: 15

									OUR BUSINESS PLAN 2008

1

TABLE OF CONTENTS
OUR BUSINESS PLAN 2008 ................................................................................................................2 OBJECTIVE 1: TO PROVIDE COMPREHENSIVE, DEFINITIVE AND CLEAR INFORMATION AND ADVICE TO OUR CUSTOMERS REGARDING DATA PROTECTION MATTERS. .............................................................................................................................................2 OBJECTIVE 2: TO DEVELOP STRATEGIES AND MATERIALS AIMED AT MEASURABLE IMPROVEMENTS IN LEVELS OF AWARENESS ABOUT DATA PROTECTION RIGHTS AND OBLIGATIONS AND HOW TO EXERCISE THEM. .................4 OBJECTIVE 3: TO TAKE PROACTIVE MEASURES TO IMPROVE LEVELS OF COMPLIANCE WITH DATA PROTECTION OBLIGATIONS.....................................................7 OBJECTIVE 4: TO RESOLVE COMPLAINTS UNDER THE DATA PROTECTION ACTS, IN ACCORDANCE WITH BEST DATA PROTECTION PRACTICE AND THE HIGHEST STANDARDS OF CUSTOMER SERVICE. .......................................................................................8 OBJECTIVE 5: TO MAINTAIN A TRANSPARENT AND RELEVANT REGISTRATION SYSTEM WHICH CONTRIBUTES TO DATA CONTROLLERS/PROCESSORS COMPLYING WITH THEIR OBLIGATIONS AND WHICH ENABLES DATA SUBJECTS TO UNDERSTAND HOW THEIR PERSONAL DATA ARE PROCESSED..................................9 OBJECTIVE 6: TO DEVELOP THE ABILITIES OF STAFF TO ENSURE CONTINUED IMPROVEMENT IN ORGANISATIONAL PERFORMANCE AND SUPPORT STAFF IN THEIR WORK. ....................................................................................................................................11 OBJECTIVE 7: TO PERFORM OUR ROLE AND INDEPENDENT FUNCTIONS IN A MANNER THAT IS TRANSPARENT, ACCOUNTABLE AND EFFICIENT. ............................12 OBJECTIVE 8: TO BE INFLUENTIAL AT BOTH NATIONAL AND INTERNATIONAL LEVEL IN RELATION TO DATA PROTECTION ISSUES AND TO CONTRIBUTE EFFECTIVELY TO INTERNATIONAL COOPERATION AND TO OUR INTERNATIONAL FUNCTIONS. .......................................................................................................................................14

OUR BUSINESS PLAN 2008
Our Strategy Statement 2007-2008 sets out our high-level goals and objectives for this period. This Business Plan explains how we intend to give effect to these in the course of 2008. As previous years have demonstrated, the Office of the Data Protection Commissioner is required to be responsive to emerging issues in relation to the handling of personal data. This requires continuous flexibility on the part of the Office if we are to be in a position to respond quickly and effectively to those issues. The Business Plan is predicated on this basis.

Objective 1: To provide comprehensive, definitive and clear information and advice to our customers regarding data protection matters.
Our mission requires that people should be aware of their rights, as a first step to exercising these rights. Equally, data controllers must know their obligations if they are to ensure that they are compliant. Therefore, when people come to us for advice or information, they should receive a professional response. This means that our advice is –

2

Comprehensive – we can answer any questions about data protection law (while acknowledging that some data protection issues are more complex and do not lend themselves to easy answers) Definitive – the advice we give is authoritative and reliable Clear – our advice is easy for people to understand and put into practice. The provision of a professional and efficient service to our customers is the cornerstone of this Business Plan. A more detailed iteration of our customer service standards is outlined in our Customer Service Plan. Key Deliverables Telephone Service 1.1 To continue to provide an efficient, effective and courteous telephone advice service. Key Performance Indicators • Fully-manned telephone ‘help-desk’ in operation from 0915 to 1730 Monday to Friday (1715 Fridays), with calls answered normally within 15 seconds. • Help-desk staff able to respond to all routine enquiries. • Scripts for key data protection enquiries to be available as required for helpdesk use. • An effective system in place for monitoring emerging themes from enquiries so that relevant and timely guidance material can be produced or updated as necessary. 1.2 To respond promptly to written, including email, requests for advice.

Key Performance Indicators • All correspondence to be acknowledged within 3 working days. In many instances a definitive reply will issue within this period. • A further response will issue within 15 working days if we are not in a position to forward a definitive reply at that point. This will detail progress to date. • An enhanced level of information resources (including leaflets on paper and downloadable from our website) will be developed to further improved response times in relation to general queries. 1.3 To provide comprehensive, clear and definitive information on our website, www.dataprotection.ie . Key Performance Indicators • Our website will be redeveloped with a continued emphasis on a customer – friendly format.

3

•

The Frequently Asked Questions (FAQs) section of our website will continue to be updated on an ongoing basis in response to customer requirements identified from our helpdesk and other sources.

1.4 To provide a prompt response to Government departments, offices and the business sector when they seek advice on data protection in the context of policy and business initiatives. Key Performance Indicators • Practical solution-focused approach with initial response to customer, or meeting arranged, within one week of matter being raised. • We will take the opportunity of such contacts to raise data protection awareness in the sectors concerned. • We will liaise inter alia with the Irish Human Rights Commission, ComReg, Regtel, the Information Commissioner, the Financial Regulator, the National Consumer Agency and other relevant regulatory authorities where matters of mutual interest arise. 1.5 To develop policy on data protection in the light of issues arising from complaints, enquiries and developments at national, European and international levels. Key Performance Indicators • Issues arising to be considered at Management meetings. • Pro-active engagement with Government departments, sectoral regulators, private-sector bodies and advocacy groups with a view towards the incorporation of privacy safeguards into developing proposals. • Draft guidance to be prepared and promulgated, following external consultation as necessary. • Use of legal powers available to shape such issues where proposals do not reflect privacy safeguards after interaction with the Office.

Objective 2: To develop strategies and materials aimed at measurable improvements in levels of awareness about data protection rights and obligations and how to exercise them.
The first requirement in promoting people’s privacy rights is that people should have a reasonable appreciation of these rights. This is why our mission requires that people be “enabled to know, and to exercise control over, how their personal information is used”. Accordingly, spreading the word about data protection is a principal objective. Ignorance of data protection law on the part of those entrusted with personal data is not an excuse for failure to comply – particularly given that the basic principles of data protection are matters of common sense and common courtesy. Nevertheless, we will continue to seek to minimise the scope for accidental or casual breaches of the law by promoting awareness of the law among data controllers. We will continue to

4

produce and update our comprehensive guidance material to ensure consistency. We will make this material as accessible as possible. Key Deliverables Develop Awareness 2.1 Develop initiatives for promoting awareness of data protection rights and responsibilities. Key Performance Indicators • Planned activities for Data Protection Day, 28 January 2008 to include the announcement of a video clip competition 'Privacy in the 21st Century'; launch of the new CSPE resource; a general press release; and media interviews. Organise a data protection attitudes and awareness survey to gain insight into public consciousness of data protection and privacy issues. The survey will be conducted in a manner that facilitates comparison with the 2005 public attitudes survey. A strategic plan for awareness initiatives will be drawn up on the basis of the survey, with particular attention to levels of awareness among the general public. A dedicated web area or zone for teenagers and young adults www.dataprotection.ie/teens - will continue to be developed throughout 2008. The Office will highlight and promote the data protection resource targeted at schools – “Sign Up, Log In, Opt Out: Protecting your Privacy & Controlling your Data” - developed as part of the Civil and Political Education school curriculum. Targeted presentations will be delivered to teachers throughout 2008 as part of official CSPE in-service days. A data protection road-show will be held in 2008 targeting data controllers in a specific region or city. Develop a one day course / seminar on Data Protection for inclusion in CMOD's official training programme. Ensure information on data protection is available in all Citizen’s Information Centres (CIC’s) and libraries. The Office will assist in updating/revising online course material on data protection developed by CIC. Continue circulation of our tailored DVD/CD.

•

• • •

• • •

•

Website 2.2 Develop website to maximise access to and distribution of guidance and advice. Key Performance Indicators • Implement redesign of website to increase usability with final implementation by end-year. • Continue to review all existing information and guidance material on an ongoing basis. • Continue to improve Irish language version of website as detailed in our Irish Language Scheme.

5

•

The feedback option on our website to be given greater prominence to help our customers to inform the development of relevant information material.

Presentations 2.3 Deliver informative and authoritative presentations.

Key Performance Indicators • Respond positively to maximum extent to requests for presentations at appropriate events. • Incorporate audio/visual material from DVD in presentations where this would be effective. • Continue to develop and publish generic presentations on the website for use by outside presenters as well as DPC staff. Media 2.4 Provide an informative and prompt media and public relations service. Key Performance Indicators • • • Respond promptly to media enquiries in an informed manner, where appropriate, through the designated Press Officer. Ensure an appropriate spokesperson, depending on the issue, is available to give media interviews. Review of key media stories by Press Officer and by other staff examining newspapers with appropriate DP stories brought to the attention of appropriate staff.

6

Objective 3: To take proactive measures to improve levels of compliance with data protection obligations.
Protecting each person’s data protection rights is the key objective of our Office. To meet our mission effectively and in a proactive way, we will take positive steps to promote and to police data protection practice. The benefits of meeting this objective are two-fold: We serve the public interest by promoting a climate of good privacy practice; and, by bringing the provisions of the law to bear upon wrongdoers, we send out a clear signal that the right to privacy is to be taken seriously as a fundamental human right. Key Deliverables Proactive Policing 3.1 Carry out privacy audits and inspections. Key Performance Indicators • • • • Complete at least 30 audits/ inspections in 2008 (including on-site audits, desk-based audits and ‘spot’ inspections). Produce an outline plan in January 2008 of the sectors to be targeted. Audits will continue to be given priority and will reflect the pattern of complaints received by the Office. Utilise external specialist expertise as necessary to ensure the functions of the Office are performed to maximum effect. An audit manual of the procedures followed by the Office will be produced and published by April 2008. This can be used by data controllers to ensure that their standards of compliance with the Acts are appropriate.

Active Self-regulation 3.2 Encourage adoption of sectoral codes of practice and responsible selfregulation. Key Performance Indicators • • • Code of practice in relation to the Insurance sector to be approved by the Commissioner by first quarter-2008. Continue work with the National Recruitment Federation on a Code for the recruitment sector, aiming for an approved Code by mid-2008. Building on previous successes, continue discussions with other sectors, as appropriate, working towards Codes for their areas, emphasising and promoting the benefits arising from an agreed Code.

7

Objective 4: To resolve complaints under the Data Protection Acts, in accordance with best Data Protection practice and the highest standards of customer service.
One of the key functions of the Office is to deal with complaints from members of the public. Clearly, where people feel so strongly about their data protection and privacy rights that they make a formal complaint to us, we must give this matter a high priority. People do not complain unless they feel that they are not in a position to exercise control over their personal data – something that is at the heart of our mission. Since tackling complaints is a fundamental public service function, we will ensure that we respond with the highest standards of customer service – including courtesy, timeliness and getting results. Our approach in this area will continue to be to seek to reach a mediated resolution of the data protection problem at issue where possible. Where we are faced with delaying or obstructive tactics by data controllers or their legal advisers, we will not hesitate to use the full extent of our enforcement powers – especially where the fundamental right of access to personal data is concerned. We will prioritise complaints where the breach of data protection principles is ongoing or where there is a pattern of complaints suggesting a systemic problem. The Privacy in Electronic Communications Regulations (S.I. 535 of 2003) make the sending of certain direct marketing communications without consent an automatic offence. It is also an offence for the sender to conceal their identity or to fail to provide a cost-free means of opting-out from such communications. The investigation of these complaints must, as always, be conducted in a manner that will allow for a successful prosecution to be made, where this is deemed the appropriate response to a contravention of the law. Key Deliverables Timeliness 4.1 Address complaints as promptly as possible in order to facilitate their speedy and effective resolution, with due regard to the complexity of particular cases. Key Performance Indicators • All new complaints dealt with ordinarily according to the following schedule unless special issues arise : Case acknowledgement - 3-4 days Referral to respondent - 14 days Appropriate reminders to respondent or use of legal functions to require response where it is not forthcoming. Case investigation (ordinarily) - 6-8 weeks Mediated outcome or draft decision - as soon as possible Draft and final decision - as soon as possible Updates to complainant - every 28 days • Bring complaints to prosecution where required and provided for within the statutory timeframe of twelve months.

8

An Effective Prosecution Function 4.2 Refine and enhance the effectiveness of our prosecution policy and procedures. Key Performance Indicators • Earlier identification of trends which suggest a need for prosecution to bring about improved behaviour on the part of a data controller. • Continuing and earlier use of enforcement notices to provide a legal basis for a prosecution should a particular behaviour, in breach of the Acts, not be improved. • Investigation completed and decision to prosecute made promptly to ensure prosecution time limits are met. • In the light of experience and given the large volume of prosecutions currently underway, we will analyse the effectiveness of our prosecution functions during the first half of the year. Effective Organisation 4.3 Maintain and develop an effective casework management system.

Key Performance Indicators • Fortnightly investigations team review of progress. • Continued production of weekly statistics bulletin to check progress. • Continue tracking of high profile cases, information and enforcement notices to ensure key staff are aware of the status of these.

Objective 5: To maintain a transparent and relevant registration system which contributes to data controllers/processors complying with their obligations and which enables data subjects to understand how their personal data are processed.
The Data Protection Commissioner is charged under the Acts with maintaining a register of certain data controllers and data processors that can be viewed by members of the public. The purpose that underlies the registration system is to ensure that data is being processed legitimately and that it takes place in an open and transparent manner. An effective registration system is therefore directly linked to the achievement of our mission, by “enabling people to know how their personal data is used”. Key Deliverables Meaningful and Informative Register Entries

9

5.1 Increase the usefulness of the public register by ensuring that register entries are more meaningful, informative and relevant. Key Performance Indicators • Ensure that registration guidelines are in a format that will ensure that data controllers have to think through the details they want to be entered on the register. • Continue to ensure that new applications meet the standard set out in the guidelines in this area. Compliance and enforcement 5.2 Promote compliance with section 16 of the Act.

Key performance indicators • Investigate former registrations that went “off-register” in 2007 following changes to registration requirements to ensure that relevant data controllers are in compliance. • Pursue sectors with a low rate of compliance. • Follow up particular cases, as required. • Random check of selected registrations per week to ensure appropriate standard is met. Efficient processing of Registrations 5.3 Maintain efficiency of registration procedures.

Key performance indicators • All applications accepted or queried ordinarily within one week of receipt. • All applications for continuation dealt with ordinarily within five days of receipt. • Notification of pending renewal date and off-register dealt with according to the following schedule: o Invitation to renew registration - 3 weeks before renewal o Phone contact - within 1 week of off-register o Caution letter - 2 weeks after off-register • Twice-monthly review meetings of registration staff to monitor progress and plan ahead. Efficient Administration 5.4 Maximise efficiency of the registration system.

Key performance indicators • All registration fees lodged or queried within a week of receipt. • Fresh copy of register published on web every week. • On-line registration and payments system used to maximum extent. • On-line bank transfer of registration fees accommodated by end-2008.

10

•

Preparation of a tender for a fully on-line registration process incorporating all reminders, renewals, registrations and updates to maximise service to the user and bring increased efficiencies to the Office.

Objective 6: To develop the abilities of staff to ensure continued improvement in organisational performance and support staff in their work.
The quality of our service to the public is crucially dependent upon the capacity, the performance and the motivation of our staff. We as an Office must show commitment to the development of our staff to further the development of Data Protection expertise. We will ensure that staff receive the support they need to do their jobs efficiently and effectively. Key Deliverables Human Resource Management 6.1 Manage the human resource functions of the office.

Key Performance Indicators • Full staff meetings to be held every month to six weeks. • Partnership Committee to meet every two months or as necessary. • Section meetings focusing on ongoing work priorities and issues raised by staff themselves to be held every two weeks. • Management meetings every two months. Training and Development 6.2 To support and encourage continued staff training and development.

Key Performance Indicators • One Workshop per quarter on Data Protection topics driven by priorities identified by staff. • Continue induction and support programme for new staff, including access to external courses. • Para-legal and other specialised training to be sourced externally. • On-the-job training to be prioritised as part of PMDS process, including experience of dealing with our international functions. • At least one experience-exchange activity with another data protection authority. Making PMDS happen 6.3 To incorporate the Performance Management and Development System as a core element of our business development strategy Key Performance Indicators • All Role Profile Forms agreed and completed not later than end January; in the case of new staff, within 1 month of joining the Office.

11

• •

All Role Profile Forms reviewed by July and final reviews by December. Training recommendations followed up appropriately.

Objective 7: To perform our role and independent functions in a manner that is transparent, accountable and efficient.
This Office is established by law, and we must be seen to carry out our functions in a fair and independent manner. At the same time, we are public servants, and the requirements of accountability and transparency are essential if we are to retain the confidence of the public. Our organisational structure will be continuously reviewed to ensure that it supports good communications and coordination of our activities to achieve effective outcomes. The Office will respond to its new designation as a scheduled body for the purposes of the FOI Act (in regard to certain activities) in an enthusiastic and positive manner and follow best practice in dealing with requests received. Key Deliverables Timely Accounts 7.1 Prepare annual financial accounts in a timely manner.

Key Performance Indicators • Internal monthly accounting procedures (upon which annual accounts are based) completed by mid-January. • Annual financial accounts completed, signed-off and ready for submission to C&AG by end-March. Annual Report 7.2 Prepare a timely, concise and informative Annual Report. Key Performance Indicators • • • • Annual Report to be published by end –April at the latest. Update on our business plan and strategic objectives included in Report. Material for inclusion in the following year’s report to be prepared on an ongoing basis by all staff members as issues are encountered. Annual Report to include a list of organisations that received enforcement notices and certain organisations that received information notices during the year, including a short explanation as to the basis for the serving of each such notice.

Transparency and Openness 7.3 Pursue efficiency and effectiveness in our operations which will be open to public scrutiny. Key Performance Indicators

12

• • • •

Statistics detailing volume of our processing of complaints, registration applications and enquiries compiled and published in our Annual Report. Website enhanced on an on-going basis by publication of relevant advices, guidance, FAQs and case studies. All email and phone enquiries logged centrally. FOI requests (when we become a scheduled body) responded to promptly and within deadlines laid down by law.

Efficient Administration 7.4 Maximise the efficiency of the general administrative functions of the office. Key Performance Indicators • • • • • The Office will continue to liaise with other offices decentralising to Portarlington to keep informed of the likely impact and timing. Post opened, sorted and logged before lunch each day and outgoing post franked before 4.00pm each day. Office fully resourced as regards disposable supplies. Travel arrangements ordinarily completed 2 weeks before travel. Flexi-time clock kept up to date.

Good Financial Management 7.5 Manage the financial transactions of the office in a timely and efficient manner. Key Performance Indicators • Budget allocated to the various areas of expenditure and a monthly expenditure projection produced by mid-January each year. • Monthly projections update at end of each month. • Monthly general ledger accounts reconciled within 5 working days of receipt. • Petty cash accounts reconciled monthly. • The budget control function of the Administration Section will be strengthened to ensure correct Purchase Order procedures are followed etc. Meeting Our Commitments 7.6 Ensure adherence to Prompt Payments Act. Key Performance Indicators • All invoices sent for payment within five days of receipt. 7.7 Ensure Implementation of our Irish Language Plan. Key Performance Indicators • All commitments set out in our Irish Language Plan (available separately on our website) will continue to be fully met. • Irish language training to be made available to staff.

13

Accommodation Management 7.8 Management of office accommodation. Key Performance Indicators • All office support systems and services fully operational and maintained and serviced as contracted or appropriate.

Objective 8: To be influential at both national and international level in relation to Data Protection issues and to contribute effectively to international cooperation and to our international functions.
The Office is not limited in its functions to Ireland alone; we are also an integral element of the Data Protection infrastructure at European and international level. It is our objective to play a leading, formative role in our European operations and to be recognised internationally as an authoritative contributor. Key Deliverables National Influence Continue to engage with partners nationally to increase the profile of data protection concerns in the public and private sector. Key Performance Indicators • Continue to input into and influence national policy-making with regard to data protection and to raise awareness within Government departments of our role in this regard. • Remain accessible to the media for comment on emerging issues. • As far as possible the Office will respond positively to conference speaking invitations and other opportunities to engage with public discourse on data protection issues. Article 29 Group 8.2 Strengthen our contribution to the Article 29 Group. Key Performance Indicators • • • Relevant staff actively involved in work related to the Article 29 Group. Commissioner given briefing from relevant staff prior to Article 29 meetings. Opinions from Article 29 Group to be evaluated and fed into guidance formulation. All opinions to be referenced on our website. 8.1

The Third Pillar 8.3 Strengthen our contribution to the Joint Supervisory Bodies. Key Performance Indicators • Discussion and agreement on position prior to each JSB meeting.

14

8.4 Carry out our national “first and third pillar” supervisory functions. Key Performance Indicators • • Ongoing discussions with An Garda Síochána on data protection issues in relation to Europol and Schengen drawing upon experience from previous audits. Further audits will be carried out as appropriate. Ongoing liaison with ORAC regarding Eurodac and focusing in particular on previous audits. Further audits will be carried out as appropriate.

International Relations Enhance our good relations with other international data protection authorities. Key Performance Indicators • • • • Two members of staff to attend the Spring Conference of European Data Protection Commissioners and the International Privacy and Data Protection Conference. Attendance at EU Complaints/Case-Handling Workshops and regional data protection conference. Attendance at meetings of the International Working Group on Data Protection in Telecommunications. Participation as appropriate in the ongoing work of the OECD in relation to enhanced co-operation amongst data protection authorities internationally. The opportunity will also be taken to continue to develop ties with the US (Federal Trade Commission etc.) through this forum and otherwise. Liaison on a regular basis with Assistant Information Commissioner in Belfast. Cooperation with other enforcement authorities on SPAM and other issues. 8.5

• •

Transfers Abroad 8.6 Supervise the transfer of personal data to third countries. Key Performance Indicators • Continue to encourage use of business-friendly mechanisms such as “Safe Harbour” and Binding Corporate Rules. • Respond promptly to requests from other supervisory authorities who are performing the lead role in relation to approval of Binding Corporate Rules. • Perform the lead supervisor role efficiently and provide effective leadership where we are designated in that role for approval of Binding Corporate Rules, in line with Article 29 Guidance.

15


								
To top