Business Continuity Plan

1. Introduction

The Office of the Information Commissioner (the Office) conducts business continuity planning on an annual basis to ensure continuity of service in the event of human, technological or natural disaster.

The Business Continuity Plan consists of contingency plans to respond to emergencies, minimise disruption, and to continue to operate the business and recover the infrastructure to resume normal operations. Specifically, the Office Business Continuity Plan (BCP) consists of the:

  • Emergency Response Plan
  • Disaster Recovery Plan
  • Emergency Communication Plan

The BCP is closely linked to the Office Risk Management Plan. Collectively these plans are important to achieving business continuity through planning, risk mitigation and the timely response to, and recovery from, serious incidents. The effective formulation of strategies to identify and treat potential causes of human and technological threat is important to reducing risk. The plans also provide clear direction to assist the timely restoration of business operations in the event of an unforeseen disaster event.

2. Emergency Response Plan

2.1 Objective

The Office’s Emergency Response Plan (ERP) identifies strategies to reduce the impact of a hazardous event on the Office environment by initially containing the incident, then minimising damage to Office resources, such as staff, premises and equipment, and setting the Office on the road to recovery. Refer to the separate Emergency Response Plan document for the detailed Office plan.

2.2 Criteria to invoke plan

The ERP is to be invoked when the normal functioning of the Office is seriously affected.

2.3 Expected life of plan when invoked

The ERP will be in effect until the Information Commissioner has determined that the Office can return to normal functioning.

2.4 Personal responsibilities for implementation of this plan

The implementation of this plan is the responsibility of the Information Commissioner, the Executive Leadership Team, DECS and floor emergency personnel.

2.5 Personnel to be notified if this plan is invoked

All staff of the Office will be notified if this plan is invoked. Subsequent to this, the Minister for Justice and Attorney-General, Director-General for the Department of Justice and Attorney-General, and key staff in the Queensland Parliamentary Service in Information Technology, Finance and Human Resource Management will also be notified as per the Emergency Communication Plan for emergent or disaster planning.

Depending on the severity and estimated length of time of the emergency, external stakeholders of the Office will also be notified.

2.6 Procedures for invoking contingency mode

The Information Commissioner may invoke the ERP when she is alerted to, or becomes aware of, serious deficiencies in the normal operating environment for the Office and determines that the ERP needs to be invoked.

2.7 Resource plan for operation

The Information Commissioner will determine any necessary alterations to the staff levels of the Office in response to the invoking of the ERP. Other resource issues such as alternative accommodation, equipment and process methods will be determined by the Information Commissioner depending on the type of incident and situational demands.

2.8 Criteria for returning to normal operating mode

The following procedures for returning to a normal operating mode will be initiated when the Information Commissioner is satisfied that the normal operating environment for the Office can be supported:

  • Procedures for returning to normal operating mode
    The Information Commissioner will instruct the Director, Engagement and Corporate Services (DECS) to initiate the procedures for returning to the normal operating environment by:
    • Activating Emergency Communication Plan to inform all staff and external stakeholders
    • Ensuring that the physical environment is safe
    • Ensuring that technological infrastructure is operational
    • Advising external stakeholders that the Office is operational (if applicable)
  • Procedures for recovering lost or damaged data
    DECS is to commence immediate discussions with Parliamentary Services to assess the Information Technology (IT) environment and brief the Information Commissioner on recommendations and actions required.

    This plan assesses risks in the IT environment for the Office and outlines what needs to be done to cover those risks as appropriate.

    The Service Level Agreement between the Office and the Parliamentary Service identifies process and procedure to respond to any interruption of service.

2.9 Estimated cost of incidents

The DECS will keep records of the number of days out of office, number of employees affected, and possible destruction/damage to equipment and data (both electronic and paper-based).

2.10 Post contingency actions

Within two weeks of returning to normal operating conditions, DECS will debrief the Information Commissioner and Executive Leadership Team to evaluate the effectiveness of the plan and recommend any improvements.

3. Disaster Recovery Plan

3.1 Objective

The Disaster Recovery Plan (DRP) establishes a program for restoring the Office environment and its associated functions, according to their pre-determined priorities and agreed timeframes for restoration. The aim of the DRP is to achieve the continued provision, or immediate resumption, of critical services and the restoration of normal services as soon as possible without unnecessary expenditure.

3.2 Criteria to invoke plan

3.3 Expected life of plan

The DRP will be in effect until the Information Commissioner has determined that the Office can return to normal functioning.

3.4 Personal responsibilities for implementation of this plan

The implementation of this plan is the responsibility of the Information Commissioner, the Executive Leadership Team, and DECS.

3.5 Personnel to be notified if this plan is invoked

All staff of the Office will be notified if this plan is invoked. Subsequent to this, the Minister for Justice and Attorney-General, Director-General for the Department of Justice and Attorney-General, and key staff from the Queensland Parliamentary Service will be notified as per the Emergency Communication Plan for emergent or disaster planning. Depending on the severity and estimated length of time of the emergency, external stakeholders of the Office may also be notified.

The Information Commissioner will also consider notifying the Department of Public Works and the Department of the Premier and Cabinet depending on the status and severity of the incident.

3.6 Procedures for invoking contingency mode

The Information Commissioner may invoke the DRP when they are alerted to, or become aware of, deficiencies in the normal operating environment for the Office and determine that the DRP should be invoked.

3.7 Resource plan for operation

The Information Commissioner will determine any necessary amendment to staff levels of the Office in response to the invoking of the DRP. Other resource issues such as alternative accommodation, equipment and process methods will be determined by the Information Commissioner depending on the type of incident and situational demands.

3.8 Criteria for returning to normal operating mode

The following procedures for returning to a normal operating mode will be initiated when the Information Commissioner is satisfied that the normal operating environment for the Office can be supported:

3.9 Procedures for returning to normal operating mode

The Information Commissioner will instruct the Director, Engagement and Corporate Services (DECS) to initiate the procedures for returning to the normal operating environment by:

  • Activating Emergency Communication Plan to inform all staff and external stakeholders
  • Ensuring that the physical environment is safe
  • Ensuring that technological infrastructure is operational
  • Advising external stakeholders that the Office is operational (if applicable)

3.10 Procedures for recovering lost or damaged data

The DECS is to conduct immediate discussions with the Parliamentary Service to assess the IT environment and brief the Information Commissioner on recommendations and actions required. The briefing is to include a risk assessment of the IT environment for the Office outlining what needs to be done to mitigate identified risks.

The Operating Level Agreement between the Office and the Queensland Parliamentary Service identifies process and procedure to respond to any interruption of service.

3.11 Estimated cost of incidents

DECS will keep records of the number of days out of office, number of employees affected and possible destruction/damage to equipment and data (both electronic and paper-based).

3.12 Post contingency actions

Within two weeks of returning to normal operating conditions, DECS will debrief the Information Commissioner and Executive Leadership Team to evaluate the effectiveness of the plan and recommend any improvements.

4. Emergency Communication Plan

The Emergency Communication Plan (ECP) can only be invoked by instruction from the Information Commissioner. The ECP is used for emergency or disaster recovery incidents to ensure communication channels are established and kept open between the staff of the Office of the Information Commissioner (Office) and all key stakeholders, both internal and external.

The Information Commissioner is to be advised of an incident (either disaster or emergency incident) and will make a decision whether or not to invoke the ECP.

The Information Commissioner will advise staff if the ECP is invoked and provide details of the incident. Staff will also be advised about the anticipated length of time away from workplace (if applicable) and details about an alternative workplace (if applicable).

The DECS is to contact the Department of Justice Accommodation Unit and/or Department of Public Works to arrange alternative accommodation if required.

The Information Commissioner will advise the Minister for Justice and Attorney-General and Director-General Department of Justice and Attorney-General of details of alternative accommodation.

The DECS is responsible for:

  • contacting Key Stakeholders (Attachment B) to notify them of the situation and to advise the current status
  • liaising with Department of Justice Communications Unit to determine if press release/media alert is required
  • notifying key stakeholders when the incident (either disaster or emergency) is resolved and normal operating environment is resumed

The Information Commissioner is to conduct a review of the ECP within two weeks of resumption of the normal operating environment.