GPEN Sweep reveals Victoria’s commitment to privacy
The Office of the Victorian Information Commissioner (OVIC) took part in the annual Global Privacy Enforcement Network (GPEN) Sweep, which examined the privacy practices of organisations across 16 jurisdictions.
The objective for the GPEN Sweep was to analyse how organisations handle and respond to data breaches.
See here for the international GPEN Sweep 2019 report.
As part of the Sweep, OVIC surveyed 35 organisations subject to the Privacy and Data Protection Act 2014 (Vic) (PDP Act) on key aspects of successful data breach reporting and response procedures.
OVIC compared the results of Victorian government organisations that participated in the Sweep with the global findings of 258 organisations. OVIC would like to thank all the Victorian government organisations that participated in this year’s Sweep. Your participation will help OVIC identify areas for improvement and develop effective guidance material.
OVIC’s report sets out our statistical findings and compares the results of Victorian organisations with global results against 5 indicators.
See here for OVIC’s Global Privacy Enforcement Network Sweep report.
The Victorian Protective Data Security Standards (VPDSS) V2.0 introduced a new requirement for Victorian government organisations to notify OVIC of incidents that have an adverse impact on the confidentiality, integrity or availability of public sector information with a business impact level of 2 (limited) or higher.
In response to the Sweep findings and the introduction of the VPDSS V2.0, OVIC encourages organisations to take the following steps to improve their data breach notification practices.
- Review your data breach response plans and ensure your organisation is meeting its VPDSS obligations as a Victorian public sector organisation.
Under the VPDSS, Victorian public sector organisations must notify OVIC of incidents that have an adverse impact on the confidentiality, integrity or availability of public sector information with a business impact level of 2 (limited) or higher. This obligation covers all information held by the organisation, rather than only ‘personal information’ as defined in section 3 of the PDP Act. To find out more refer to OVIC’s Incident Notification page.
- Report data breaches to affected individuals and to OVIC if there is a foreseeable risk of harm arising from the data breach.
- Implement a clear structure for staff to escalate a data breach internally.
This could be in the form of a guide or message on the organisation’s intranet that tells staff who to contact in the event of a suspected data breach.
- Check that there are timeframes included in your data breach response and escalation plans.
This will help organisations act quickly in response to a data breach and gather enough information to notify individuals as soon as possible.
- Record incidents in a database or register and include details such as the causes of the data breach.
Doing so enables organisations to monitor trends and address the causes of data breaches – for example, where an incident indicates a low level of privacy awareness or a lack of processes to protect personal information. The register can also help organisations monitor internal performance against data protection standards.
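The following is an added illustration of the escalation, timeframe and register steps above as a small incident register; it is example code written for this page, not a tool published by OVIC or any agency. The VPDSS threshold (BIL 2 or higher, any adverse impact on confidentiality, integrity or availability, covering all public sector information rather than only personal information) and the "foreseeable risk of harm" test for notifying individuals come from the text; the 24-hour escalation timeframe, the field layout and the sample incidents are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# VPDSS V2.0 notification threshold: business impact level 2 (limited) or higher.
OVIC_NOTIFY_BIL = 2
# Assumed internal escalation timeframe; a real plan sets its own value.
ESCALATION_LIMIT = timedelta(hours=24)

CIA = frozenset({"confidentiality", "integrity", "availability"})


@dataclass
class Incident:
    ref: str
    detected: datetime
    info_type: str                 # "personal", "commercial", "operational", ...
    cia_impact: frozenset          # which of C/I/A were adversely affected
    bil: int                       # business impact level of the information
    cause: str                     # recorded cause, used for trend analysis
    foreseeable_harm: bool         # assessed risk of harm to affected individuals
    escalated: Optional[datetime] = None
    notified_ovic: Optional[datetime] = None


def requires_ovic_notification(inc: Incident) -> bool:
    """VPDSS rule: any public sector information (not only personal information)
    with an adverse C/I/A impact at BIL 2 or higher must be notified to OVIC."""
    return bool(inc.cia_impact & CIA) and inc.bil >= OVIC_NOTIFY_BIL


def requires_individual_notification(inc: Incident) -> bool:
    """Affected individuals are notified where personal information is involved
    and there is a foreseeable risk of harm."""
    return inc.info_type == "personal" and inc.foreseeable_harm


def escalation_overdue(inc: Incident, now: datetime) -> bool:
    """True if the incident was not escalated within the plan's timeframe."""
    deadline = inc.detected + ESCALATION_LIMIT
    if inc.escalated is None:
        return now > deadline
    return inc.escalated > deadline


def outstanding_ovic_notifications(register):
    return [i.ref for i in register
            if requires_ovic_notification(i) and i.notified_ovic is None]


def cause_trends(register) -> Counter:
    """Count recorded causes so recurring weaknesses stand out."""
    return Counter(i.cause for i in register)


def summary(register, now: datetime) -> dict:
    return {
        "ovic_outstanding": outstanding_ovic_notifications(register),
        "individuals_to_notify": [i.ref for i in register
                                  if requires_individual_notification(i)],
        "escalation_overdue": [i.ref for i in register
                               if escalation_overdue(i, now)],
        "cause_trends": cause_trends(register),
    }


# Constructed sample register entries (hypothetical, not real incidents).
T0 = datetime(2019, 9, 2, 9, 0)
REGISTER = [
    Incident("INC-001", T0, "personal", frozenset({"confidentiality"}), 2,
             "email sent to wrong recipient", True,
             escalated=T0 + timedelta(hours=2)),
    # Operational data, not personal information, but still BIL 2: OVIC must be told.
    Incident("INC-002", T0, "operational", frozenset({"availability"}), 2,
             "ransomware on file server", False,
             escalated=T0 + timedelta(hours=30)),
    Incident("INC-003", T0, "personal", frozenset({"confidentiality"}), 1,
             "email sent to wrong recipient", False,
             escalated=T0 + timedelta(hours=1)),
    Incident("INC-004", T0, "commercial", frozenset({"integrity"}), 3,
             "unauthorised record modification", False,
             escalated=T0 + timedelta(hours=3),
             notified_ovic=T0 + timedelta(days=1)),
]

if __name__ == "__main__":
    for key, value in summary(REGISTER, T0 + timedelta(days=2)).items():
        print(f"{key}: {value}")
```

The point the sample data makes is the one in the text: INC-002 involves no personal information at all, yet it still meets the VPDSS threshold and is flagged for OVIC, while INC-003 involves personal information but falls below BIL 2 and carries no foreseeable harm, so neither notification applies. The cause counter shows the same cause recurring twice, the kind of pattern the register is meant to surface.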
For more information about how to prepare for and manage data breaches please refer to the following agency guidance materials: