Victorian Protective Data Security Framework
Established under Part 4 of the Privacy and Data Protection Act 2014, the Victorian Protective Data Security Framework (VPDSF) provides direction to Victorian public sector agencies or bodies on their data security obligations. Reflecting the sector’s unique operating requirements, it will build security risk management capability and maturity through the use of existing risk management principles and guidelines.
The Victorian Protective Data Security Framework (the Framework) and accompanying Victorian Protective Data Security Standards (the Standards) were released and issued to Victorian Public Sector (VPS) agencies and bodies (VPS organisations) in 2016. Adherence to the Standards is mandatory for all organisations within the scope of Parts 4 and 5 of the Privacy and Data Protection Act 2014 (Vic) (PDP Act). This update has been developed to harmonise some terms, and to conform to minor amendments to the PDP Act.
This framework update has been timed for release after the due date for attestations for 2023. Most organisations have now submitted two rounds of completed PDSPs and several biennial attestations. OVIC sees slow but continued improvement in the maturity of most submissions. While there is no such thing as perfect security, your continued attention to the Framework and your information security responsibilities will help to reduce risk and provide the public with some confidence that public sector information is being managed effectively.
My office looks forward to continuing to assist the VPS to deliver efficient, effective and secure outcomes for all. As always, I encourage you to engage with OVIC’s information security team and ensure that the Framework and Standards remain a useful regulatory tool.
Acting Information Commissioner