The Office of the Information Commissioner (the Office) conducts business continuity planning an annual basis to ensure continuity of service in the event of human, technological or natural disaster.
The Business Continuity Plan consists of contingency plans to respond to emergencies, minimise disruption, and to continue to operate the business and recover the infrastructure to resume normal operations. Specifically, the Office Business Continuity Plan (BCP) consists of the:
The BCP is closely linked to the Office Risk Management Plan. Collectively these plans are important to achieving business continuity through planning, risk mitigation and the timely response to and recovering from serious incidents. The effective formulation of strategies to identify and treat potential causes of human and technological threat is important to reducing the threat of risk. The plans also provide clear direction to assist the timely restoration of business operations in the event of an unforeseen disaster event.
The Office’s Emergency Response Procedure (ERP) identifies strategies to reduce the impact of a hazardous event on the Office environment by initially containing the incident, then minimising damage to Office resources, such as staff, premises and equipment and setting the Office on the road to recovery. Refer to the separate Emergency Response Procedure document for the detailed Office plan.
The ERP is to be invoked when the normal functioning of the Office is seriously affected.
The ERP will be in effect until the Information Commissioner has determined that the Office can return to normal functioning.
The implementation of this plan is the responsibility of the Information Commissioner the Executive Leadership Team, Chief Operating Officer (COO) and floor emergency personnel.
All staff of the Office will be notified if this plan is invoked. Subsequent to this, the Minister for Justice and Attorney-General, Director-General for the Department of Justice and Attorney-General,and key staff in the Queensland Parliamentary Service in Information Technology, Finance and Human Resource Management will also be notified as per the Emergency Communication Plan for emergent or disaster planning.
Depending on the severity and estimated length of time of the emergency, external stakeholders of the Office will also be notified.
The Information Commissioner may invoke the ERP when she is alerted to, or become aware of serious deficiencies in the normal operating environment for the Office and determines that the ERP requires to be invoked.
The Information Commissioner will determine any necessary alterations to the staff levels of the Office in response to the invoking of the ERP. Other resource issues such as alternative accommodation, equipment and process methods will be determined by the Information Commissioner dependant on the type of incident and situational demands.
The following procedures for returning to a normal operating mode will be initiated when the Information Commissioner is satisfied that the normal operating environment for the Office can be supported:
The COO will keep records of the number of days out of office, number of employees affected, and possible destruction/damage to equipment and data (both electronic and paper-based).
Within two weeks of returning to normal operating conditions, COO will debrief the Information Commissioner and Executive Leadership Team to evaluate the effectiveness of the plan and recommend any improvements.
The Disaster Recovery Plan (DRP) establishes a program for restoring the Office environment and its associated functions, according to their pre-determined priorities and agreed timeframes for restoration. The aim of the DRP is to achieve the continued provision, or immediate resumption, of critical services and the restoration of normal services as soon as possible without unnecessary expenditure.
The DRP will be in effect until the Information Commissioner has determined that the Office can return to normal functioning.
The implementation of this plan is the responsibility of the Information Commissioner, the Executive Leadership Team, and COO.
All staff of the Office will be notified if this plan is invoked. Subsequent to this, the Minister for Justice and Attorney-General, Director-General for the Department of Justice and Attorney-General,and key staff from the Queensland Parliamentary Service will be notified as per the Emergency Communication Plan for emergent or disaster planning. Depending on the severity and estimated length of time of the emergency, external stakeholders of the Office may also be notified.
The Information Commissioner will also consider notifying the Department of Public Works and the Department of the Premier and Cabinet depending on the status and severity of the incident.
The Information Commissioner may invoke the DRP when they are alerted to or become aware of deficiencies in the normal operating environment for the Office and determines that the DRP should be invoked.
The Information Commissioner will determine any necessary amendment to staff levels of the Office in response to the invoking of the DRP. Other resource issues such as alternative accommodation, equipment and process methods will be determined by the Information Commissioner dependant on the type of incident and situational demands.
The following procedures for returning to a normal operating mode will be initiated when the Information Commissioner is satisfied that the normal operating environment for the Office can be supported:
The COO to conduct immediate discussions with the Parliamentary Service to assess the IT environment and undertake briefing to the Information Commissioner on recommendations and actions required. The briefing is to include a risk assessment of the IT environment for the Office outlining what needs to be done to mitigate identified risks.
The Operating Level Agreement between the Office and the Queensland Parliamentary Service identifies process and procedure to respond to any interruption of service.
COO will keep records of the number of days out of office, number of employees affected and possible destruction/damage to equipment and data (both electronic and paper-based).
Within two weeks of returning to normal operating conditions, COO will debrief the Information Commissioner and Executive Leadership Team to evaluate the effectiveness of the plan and recommend any improvements.
The Emergency Communication Plan (ECP) can only be invoked by instruction from the Information Commissioner. The use of the ECP is for emergency or disaster recovery incidents is to ensure communication channels are established and kept open between the staff of the Office of the Information Commissioner (Office) and all key stakeholders, both internal and external.
The Information Commissioner is to be advised of an incident (either disaster or emergency incident)and will make a decision whether or not to invoke the ECP.
The Information Commissioner will advise staff if the ECP is invoked and provide details of the incident. Staff will also be advised about the anticipated length of time away from workplace (if applicable) and details about an alternative workplace (if applicable).
The COO to contact the Department of Justice Accommodation Unit and/or Department of Public Works to arrange alternative accommodation if required.
The Information Commissioner will advise the Minister for Justice and Attorney-General and Director-General Department of Justice and Attorney-General of details of alternative accommodation.
The COO is responsible for:
The Information Commissioner is to conduct a review of the ECP within two weeks of resumption of the normal operating environment.