Established under Part 4 of the Privacy and Data Protection Act 2014, the Victorian Protective Data Security Framework (VPDSF) provides direction to Victorian public sector agencies or bodies on their data security obligations. Reflecting the sector’s unique operating requirements, it will build security risk management capability and maturity through the use of existing risk management principles and guidelines.
The Victorian Protective Data Security Framework (the Framework) and accompanying Victorian Protective Data Security Standards (the Standards) were released and issued to Victorian Public Sector (VPS) agencies and bodies (VPS organisations) in 2016. Adherence to the Standards is mandatory for all organisations within the scope of Parts 4 and 5 of the Privacy and Data Protection Act 2014 (Vic) (PDP Act).
In 2018, VPS organisations submitted their first Protective Data Security Plans and Attestations to my office. These plans provide important insights into the information security practices of the VPS and describe future work programs to enhance efforts in protecting public sector information.
The VPS operates in an increasingly interconnected and complex world, facing new risks and managing competing priorities. The threat landscape in which the Framework was initially released, and the Standards were first issued, continues to evolve. Given this context, OVIC commissioned an external review of the Framework and Standards in 2017, to assess their effectiveness and identify areas for improvement.
This review found that the Framework and Standards had an overwhelmingly positive impact for the Victorian government, and that the attestation process substantially contributed to executive awareness of information security. These were both welcome findings. It also identified opportunities for improvement by recommending:
- simplification of communications surrounding the Framework and Standards;
- clarification of roles and responsibilities as they relate to information security; and
- enhancement of guidance material to accommodate the varying size and diverse nature of the VPS organisations operating under the scheme.
With these improvements in mind, OVIC’s Information Security team sought input from a wide variety of stakeholders before and during the drafting of the revised Standards, resulting in a streamlined and easier-to-understand set of requirements. The revised Standards were agreed to by the Special Minister of State, The Honourable Gavin Jennings MLC in October 2019 and have been issued in accordance with my powers under the PDP Act. The latest version of the Standards contains references to supporting material to help VPS organisations map their existing security efforts to the updated requirements, as well as providing the basis for these information security obligations.
In addition, the Framework has been updated to address the recommendations from the review.
I encourage VPS organisations to continue to build resilient business practices, supported by a strong information security culture. By doing so, we help build public trust and ensure a solid future for all Victorians. OVIC will continue to develop support for VPS organisations by developing resources to assist in implementing the Standards. My office looks forward to working with the VPS to deliver efficient, effective and secure outcomes for all.