Information for funded agencies and contracted service providers – Victorian Protective Data Security Framework obligations
Section 84 of the Privacy and Data Protection Act 2014 (Vic) (PDP Act) outlines who is subject to Part 4, including a public sector agency (where “public sector agency” means a public service body or a public entity within the meaning of the Public Administration Act 2004 (Vic)).
Funded agencies and contracted service providers are not public sector agencies and therefore do not have direct obligations under Part 4 of the PDP Act. However, funded agencies and contracted service providers may need to adhere to the Victorian Protective Data Security Standards (VPDSS) if required to by their employing public sector agency (such as a Victorian government department). In such cases, the funded agency or contracted service provider does not need to report its compliance to us.
In regard to the expectations that the employing public sector agency adheres to the VPDSS, we suggest that you contact the public sector agency directly to discuss this.
It is important to note that the Victorian Protective Data Security Framework (VPDSF) is not a compliance-focused initiative. The primary objective of the VPDSF is to increase the maturity of information security management within the Victorian public sector and drive positive changes to the culture of information security across the Victorian public sector.
There is no certification process to demonstrate compliance by funded agencies and contracted service providers. We provide the following general advice for how a funded agency may wish to demonstrate to a Victorian government agency that it is adhering to the VPDSS:
1. Review the Victorian Protective Data Security Standards.
2. Work through the VPDSS self-assessment template.
A completed VPDSS self-assessment may demonstrate that you have considered your practices against the VPDSS and have identified gaps to be addressed in the future.
Please note this is general advice. Ultimately, the employing public sector agency will determine the assurance activities it requires from the funded agency, so it is important to establish these requirements up front.
For further information, see our data security resources, including videos and an overview document of the 5 step action plan.