The Assurance Model identifies the monitoring and assurance obligations for the protection of public sector information in accordance with the Victorian Protective Data Security Standards (VPDSS). These obligations comprise activities led by organisations and activities led by this Office.
Organisational assurance activities
A public sector organisation must undertake a range of activities to meet its obligations under the Privacy and Data Protection Act 2014. It must:
- undertake a Security Risk Profile Assessment (SRPA), an assessment of the current risks to the organisation’s information assets;
- complete a VPDSS self-assessment (assessing adherence and maturity against the VPDSS elements);
- develop a detailed Protective Data Security Plan (PDSP), providing a plan of action to address protective data security risks and capability improvement; and
- submit a high-level PDSP including attestation by 31 August 2018 and every two years thereafter (or sooner if there is significant organisational change).
Additionally, organisations are required to cooperate with us when we undertake monitoring and assurance activities such as audits or reviews.
Our assurance activities
Our activities will typically foster a partnership approach and take the form of consultations, engagements, audits and reviews to ensure organisations are:
- meeting their obligations; and
- applying protective data security measures commensurate with the value of their information and their organisational security risk profile.
These activities help establish a better understanding of each organisation’s protective data security practices, including adherence to the VPDSS. More broadly, they provide a level of assurance regarding the protection of information across the Victorian government.