
Contracted service providers

Information for funded agencies and contracted service providers – Victorian Protective Data Security Framework obligations

Section 84 of the Privacy and Data Protection Act 2014 (Vic) (PDP Act) outlines who is subject to Part 4, including a public sector agency (where “public sector agency” means a public service body or a public entity within the meaning of the Public Administration Act 2004 (Vic)).

Funded agencies and contracted service providers are not public sector agencies and therefore do not have direct obligations under Part 4 of the PDP Act. However, funded agencies and contracted service providers may need to adhere to the Victorian Protective Data Security Standards (VPDSS) if required to by their engaging public sector agency (such as a Victorian government department). In such cases, the funded agency or contracted service provider does not need to report its compliance to us.

To discuss the employing public sector agency's expectations for adherence to the VPDSS, we suggest that you contact the public sector agency directly.

The primary objective of the VPDSS is to increase the maturity of information security management within the Victorian public sector and drive positive changes to the culture of information security across the Victorian public sector.

There is no certification process to demonstrate compliance by funded agencies and contracted service providers. A funded agency or contracted service provider may be asked to demonstrate to their engaging agency that they are adhering to the VPDSS. This is often described as providing assurance.

Download a copy of the Victorian Protective Data Security Standards.

Ultimately, the employing public sector agency will determine the assurance activities it requires from the funded agency or contracted service provider. It is important that agencies and third parties consider these requirements prior to engagement, establish expectations up front, and manage risks to the agency’s information assets across the lifecycle of the engagement.

For further information see our VPDSF resources.
