Victorian Protective Security Standards – New framework to protect public sector data

The Victorian public sector owns, controls, uses and exchanges a vast array of data, including personal information. With the use and exchange of this data becoming more complex the Victorian Auditor-General’s report, Maintaining the Integrity and Confidentiality of Personal Information, identified the need to put in place standards to manage this data.

The Privacy and Data Protection Act 2014 (Vic) (PDP Act) introduced the Victorian Protective Data Security Framework (VPDSF) to address a number of data security issues identified in the Auditor General’s report, including the need for a whole of government approach to information security. The Victorian Protective Data Security Standards (VPDSS) are the foundation of the VPDSF and the Commissioner for Privacy and Data Protection (CPDP) has announced it expects public sector agencies to comply with the VPDSS from 1 July 2016.

Which agencies are affected by the VPDSS?

Section 84 of the PDP Act sets out which public sector bodies will be required to comply with the VPDSS. While there are a number of bodies exempt from complying with the VPDSF, such as universities, hospitals and councils, anyone unsure about whether they have to comply with the VPDSF should seek advice.

There are 18 data security standards that agencies are expected to comply with that cover topics ranging from security risk management through to training and awareness and incident management.

The impact of the VPDSS on suppliers to the Victorian Public sector

Of particular importance is Standard 9, which requires Victorian Government bodies to ensure that their contract services providers do not do an act or engage in a practice that contravenes the VPDSS.

If you supply services to Victorian Government bodies that must comply with the VPDSS and have access to public sector data when providing those services, it is likely you will be contractually required to comply with the VPDSS under future contractual arrangements.

We recommend you:

• Review your current security management framework, including risk assessment frameworks, policies and procedures and governance arrangements.
• Identify and address any gaps between your current security framework with the VPDSS.
• Consider whether any data security and privacy clauses in your agreements will need to be updated to ensure future contracts entered into with Victorian Government bodies comply with the VPDSS.