This document is intended for VPS organisations (including employees, contractors and external parties) that are subject to the protective data security provisions under Part 4 of Victoria’s PDP Act.
This document is primarily written to inform executives and designed to support information security practitioners.
Commencement of the PDP Act
In 2014, the PDP Act was passed by the Parliament, ushering in Australia’s first broad-based legislated information security requirements.
The PDP Act significantly changed the information security regulatory landscape, empowering1 the Victorian Information Commissioner to:
- develop the Framework for monitoring and assuring public sector data security; and
- issue the Standards2.
What is protective data security?
Protective data security is a risk management process designed to safeguard information assets and systems in a way that is proportionate to threats and supportive of business outcomes.
A combination of procedural, information, personnel, information communications technology and physical security measures are used to protect information assets against a range of security threats.
The Framework and the Standards rely on protective data security principles, to maintain the confidentiality, integrity and availability of public sector information.
In this document, protective data security and information security are used interchangeably.
What is the Framework?
Established under Part 4 of the PDP Act, the Framework has been developed to monitor and assure the security of public sector information, and information systems, across the VPS.
The monitoring and assurance activities outlined in the Framework are based on:
- the compliance requirements3 of VPS organisations; and
- OVIC’s responsibilities, powers and functions4.
The Framework provides a model to monitor and measure the extent to which VPS organisations implement the Standards and comply with the requirements under the PDP Act. It employs a risk-based approach, seeking to enhance information security capability and maturity of VPS organisations, through the use of existing risk management principles and guidelines.
The Framework is based on an outcome focused regulatory model that concentrates on high-level assurance principles, supported by risk-informed monitoring activities. It is intended to reflect the sector’s unique operating requirements and delivers scalable, efficient, effective and economic security outcomes.
The monitoring and assurance activities set out in the Framework are formulated from statutory obligations of VPS organisations5 and OVIC’s statutory responsibilities, powers and functions6 in the PDP Act. They are designed to assist VPS organisations mitigate information security risks and provides OVIC with insight into information security practices across the VPS.
The Framework draws on intelligence feeds and insights from information security incidents, research projects, enquiries and referrals. OVIC uses these insights to report back to Government.
Figure 1 – Depiction of the monitoring and assurance activities of the Framework
Applicability of the Framework
Information covered by the Framework
The Framework captures ‘public sector data’ which is broadly defined by section 3 of the PDP Act as:
any information (including personal information) obtained, received or held by an agency or body which Part 4 applies, whether or not the agency or body obtained, received or holds that information in connection with the functions of that agency or body7.
The definition of public sector data is broad, as it includes:
- any information received by or on behalf of the VPS organisation, not just information connected to their functions;
- information collected or held by contracted service providers of the VPS organisation such as contractors and consultants; and
- health information.
In this document, public sector data is also referred to as public sector information or information.
VPS Organisations covered by the Framework (Part 4 of the PDP Act)
Section 84 of the PDP Act defines the VPS organisations that are covered by the Framework and the Standards as well as those that are exempt.
The Framework regulates Victorian public sector agencies and bodies defined in section 84 of the PDP Act. This includes including departments, public entities8 and Victoria Police and the Crime Statistics Agency.9 The Framework generally excludes10 councils, universities, ambulance services, public hospitals, public health services and multipurpose services under the Health Services Act 1988 (Vic).
Extract of Part 4, Section 84, PDP Act
| wdt_ID |   |   |
|---|---|---|
| 1 | 1 | Subject to subsection (2), this Part applies to – |
| 2 | (a) a public sector agency; and | |
| 3 | (b) a body that is a special body, within the meaning of section 6 of the Public Administration Act 2004; and | |
| 4 | (c) a body declared under subsection (3) to be a body to which this Part applies. | |
| 5 | 2 | This Part does not apply to the following – |
| 6 | (a) a Council; | |
| 7 | (b) a university within the meaning of the Education and Training Reform Act 2006; | |
| 8 | (c) a body to which, or to the governing body of which, the government of another jurisdiction, or a person appointed, or body established under the law of another jurisdiction, has the right to appoint a member, irrespective of how that right arises; | |
| 9 | (d) a public hospital within the meaning of the Health Services Act 1988; | |
| 10 | (e) a public health service within the meaning of the Health Services Act 1988; | |
| 11 | (f) a multi-purpose service within the meaning of the Health Services Act 1988; | |
| 12 | (g) an ambulance service, within the meaning of the Ambulance Services Act 1986. | |
| 13 | 3 | The Governor in Council, by Order published in the Government Gazette, may declare a body to be a body to which this Part applies. |
For more information on whether the Framework and Standards apply to your VPS organisation, refer to the VPDSF resources section of the OVIC website.
Victoria Police and Crime Statistics Agency (Part 5 of the PDP Act)
Part 5 of the PDP Act describes the information security responsibilities of Victoria Police and the Crime Statistics Agency.
From 2017, Victoria Police and the Crime Statistics Agency are covered by the Framework and Standards, in line with other VPS organisations to which Part 4 of the PDP Act applies.
Contracted Service Providers / Third Parties
Part 4 of the PDP Act applies to all sta?, contractors and consultants of VPS organisations identified in Section 84(1) of the PDP Act.
Section 88 (2) of the PDP Act extends the information security obligations of VPS organisations to contracted service providers (CSPs), which states:
A public sector body Head for an agency or a body to which this Part applies must ensure that a contracted service provider of the agency or bod does not do an act or engage in a practice that contravenes a protective data security standard, in respect of public sector data collected, held, used, managed, disclosed or transferred by the contracted service provider for the agency or body.
VPS organisations must include assessments of CSPs in their Security Risk Profile Assessment (SRPA) process11.
The Framework in context
The Framework has been developed to monitor and assure the security of public sector information12.
To do this, OVIC’s monitors and measures VPS organisations’:
- implementation of the Standards; and
- compliance with the PDP Act.
Figure 2 – Visual representation of the interlinked nature of the PDP Act, Standards and Framework
The monitoring and assurance activities outlined in this Framework are complemented by the regulatory actions outlined in OVIC’s Regulatory Action Policy, available on the OVIC website.
How the Framework interacts with other legal obligations
VPS organisations have a variety of legal, regulatory and administrative obligations governing the access, use, security and preservation of their information. As such, VPS organisations should read the Framework and accompanying Standards in conjunction with existing requirements and consider how these may intersect with obligations under Part 4 of the PDP Act.
Where relevant legislation mandates lower requirements than those of the Framework or Standards, VPS organisations are encouraged to meet the highest applicable standard.
Where VPS organisations handle information of “national interest”, the Commonwealth Protective Security Policy Framework (PSPF) requirements remain mandatory.
To access a current copy of the Standards and guidance material, refer to the VPDSF resources section of the OVIC website.
Roles, responsibilities and relationships
The Victorian Public Sector is made up of a diverse range of VPS organisations, each delivering specific services or functions. Due to the distinct nature of these services and functions, different VPS organisations face different threats to their information assets and information systems. The Framework recognises that these threats cannot be entirely eliminated and that VPS organisations have operational responsibilities and finite resources to draw on. The Framework assists VPS organisations mitigate information security risks as much as possible by using risk management principles and guidelines.
Given this complex operational landscape, coupled with the varied nature of the threats facing VPS organisations, it is essential that all parties work together to foster a strong information security culture based on robust information security work practices. By building these relationships, we can establish governance arrangements that support the protection of public sector information.
In support of these efforts and to illustrate these connections, the following section describes the roles and responsibilities of:
- OVIC;
- VPS organisations13; and
- partnering entities.
Office of the Victorian Information Commissioner
Part 6 of the PDP Act details the functions and powers of OVIC as they relate to the monitoring and assurance activities for the security of public sector information. These functions and powers include:
- developing a protective data security framework for monitoring and assuring the security of public sector information;
- promoting responsible information security practices in the public sector;
- conducting monitoring and assurance activities, including audits, to ascertain compliance with information security standards;
- formal reporting and recommendations regarding information security;
- referring findings of monitoring and assurance activities, including audits, to an appropriate person or body for further action;
- undertaking research relevant to information security in the VPS; and
- retaining copies of protective data security plans.
These functions and powers enable OVIC to provide reasonable assurance to Government that VPS organisations’ information security risks are being managed e?ectively, whilst still providing them the autonomy to determine how to achieve their business objectives in an efficient, effective and economic manner.
VPS organisations
When implementing the Standards and performing assurance activities in accordance with the Framework, VPS organisations should remain mindful of the broader context in which they operate, and how these requirements intersect with their obligations under Part 4 of the PDP Act.
All VPS organisations identified in section 84 of the PDP Act must monitor their information security practices and provide assurance around the measures they take to protect public sector information.
Under the PDP Act, VPS organisations are specifically required to:
- adhere to the Standards;
- undertake a SRPA;
- develop, implement and maintain a Protective Data Security Plan (PDSP);
- provide OVIC free and full access to public sector information or information systems, when requested, including participating in any monitoring and assurance activities conducted by OVIC14; and
- ensure that a CSP of a VPS organisation, does not do an act or engage in a practice that contravenes the Standards, regarding public sector information collected, held, used, managed, disclosed or transferred by the provider for the VPS organisation.
- Further, the Standards require VPS organisations to:
- provide an annual attestation to OVIC; and
- notify OVIC of information security incidents15.
Partnering entities that also have a role to play in information security
OVIC’s information security efforts are supported by a range of partnering entities. A brief outline of these entities is depicted below.
For more information on the relationship between these entities and the Framework and Standards, refer to the Info Sheet Partnering Entities16 refer to the VPDSF resources section of the OVIC website.
Figure 3- Partnering entities
- Commissioners functions set out under Part 6 – Division 2, s 103(2) of the PDP Act
- For a current copy of the Standards, or VPDSS Implementation Guide, refer to the VPDSF resources section of the OVIC website.
- Part 4S, Section 88 and Section 89, of the PDP Act
- Commissioners functions set out under Part 6 – Division 2, s 103(2) of the PDP Act
- Part 4, Section 88 and Section 89, of the PDP Act.
- Commissioners functions set out under Part 6 – Division 2, s 103(2) of the PDP Act.
- Part 1, Section 3 of the PDP Act
- Defined In section 5 of the Public Administration Act 2004 (Vic).
- Part 5 of the PDP Act specifically regulates information security of Victoria Police and the Crime Statistics Agency. Nevertheless, in 2017, the Victorian Information Commissioner transitioned Victoria Police and the Crime Statistics Agency to the Framework and Standards under Part 4 of the PDP Act.
- While Section 84 (2) provides exemptions from Part 4 of the PDP Act, for particular VPS organisations, these exemptions need to be applied with care. If exempt entities are performing a public function on behalf of a regulated VPS organisation, they may have obligations under the PDP Act. For further clarification refer to VPDSF resources section of the OVIC website, and resource ‘Does the VPDSF apply to your organisation?’
- See section 9.1 of this document for more information and refer to Practitioner Guides: Information Security Risk Management available under the VPDSF resources section of the OVIC website
- Part 4 s85 (1) of the PDP Act
- Agencies and bodies identified in Part 4 (s84) of the PDP Act
- Part 6, Division 1, section 106 of the PDP Act
- Refer to the VPDSF resources section on the OVIC website for more information on the Information Security Incident Notification Scheme
- Refer to the VPDSF resourcessection on the OVIC website to access this document