Frequently asked questions
How should an agency get started with meeting the requirements of the VPDSS?
We have created a suggested Five Step Action Plan to assist you to effectively manage your protective data security risks. By completing the five steps, you should have all the information you need to develop your Protective Data Security Plan
What assistance is provided to public sector agencies?
We provide a range of guides, templates and supporting resources to help you on your way. We are constantly reviewing our materials and providing future guidance. You can also join the Victorian Information Security Network (VISN) to receive information and forum updates. Send a request to email@example.com.
Which Victorian agencies have obligations under Part 4 of the Privacy and Data Protection Act 2014?
- Administrative Offices
- Victorian Public Service Commissioner
- Special bodies listed in Section 6 of the Public Administration Act (2004)
- Victoria Police
- Crime Statistics Agency
- Public entities, as defined in section 5 of the Public Administration Act (2004) (meaning
- certain bodies created under an Act, by a Minister or by the Governor in Council that exercise a public function on the State)
For more information, see: ‘Does the VPDSF Apply to Your Organisation?’
Do local councils have obligations under Part 4 of the Privacy and Data Protection Act 2014?
In general, councils do not have direct obligations under Part 4 of the Privacy and Data Protection Act 2014 as they are exempt under section 84(2)(a).
However, some councils may have obligations. For more information, please download ‘Does the VPDSF Apply to Your Organisation?’.
On page 8 there is a specific diagram for councils. If an exempt body (i.e. council) acts or performs the functions of a public entity, then they need to apply the VPDSF in relation to those functions. As an example, sometimes councils have a committee of management (CoM) for crown land reserves. The CoM function is nested within the council’s functions, but the CoM is actually a public entity in its own right (with its own legislative basis). For the council’s specific functions with the CoM, the VPDSF does apply (including the mandated reporting processes).
As an aside, all councils do need to comply with Part 3 of the Privacy and Data Protection Act 2014. (Part 3 covers Information Privacy). The relationship between Information Privacy Principle (IPP) 4 and the VPDSF is indirect. IPP4 is about Data Security and Data Retention – ‘Organisations must take reasonable steps to protect individuals’ personal information from misuse, loss, unauthorised access, modification or disclosure’. Many councils use the VPDSF as the reasonable steps to meet IPP4. However, the reporting obligations of the VPDSF do not apply in such cases.
For further information regarding how to apply IPP4, refer to the IPP4 guideline.
Is the use of cloud services and solutions supported?
We support Victorian public sector organisations’ adopting cloud solutions (in line with the Information Technology Strategy Victorian Government 2016-2020) to meet their business objectives.
When considering a cloud solution, organisations are advised to follow our 5 step action plan when protecting Victorian public sector information that will be stored, processed or transmitted in the cloud:
- Identify the information.
- Determine the value of the information.
- Identify any risks to the information – encompassing information security, privacy, freedom of information and recordkeeping requirements.
- Apply security measures to protect the information.
- Manage the risks across the information lifecycle.
As part of this planning, organisations are, amongst other things, expected to pay particular attention to:
- The organisation’s enabling legislation – does it permit the use of cloud?
- The laws applying in the jurisdictions in which the information will be stored, processed or transmitted as well as the laws applying to the owning company jurisdictions; and
- The need for strong contract clauses protecting the confidentiality, integrity and availability of the information.
These actions need to occur in a transparent and accountable way that maintains equivalent privacy, security, freedom of information and record keeping safeguards as if the solution was located within the organisation’s physical premises.
The former Commissioner for Privacy and Data Protection produced a discussion paper in 2015 ‘Cloud Computing in the Victorian Public Sector’ that provided an overview of cloud computing relevant to a wide range of public sector managers working in various roles across government.
What is the VISN?
The Victorian Information Security Network (VISN) is a regular forum that was established in 2016 to support the release of the Victorian Protective Data Security Framework (VPDSF) and the formal issue of the Victorian Protective Data Security Standards (VPDSS).
The purpose of the VISN is to promote the uptake of protective data security standards by the public sector by facilitating dialogue on the Victorian Protective Data Security Framework (VPDSF) and offering a platform for stakeholders to discuss data protection issues and initiatives.
We will facilitate conversations across the broader Victorian public sector and partner groups, fostering collaboration between interested stakeholders. The VISN also provides the us with an opportunity to gain feedback on our programs and activities, ensuring these offerings meet the needs of our stakeholders.
You can read more about VISN, joining the network, and past events here.
What is law enforcement data security?
Part 5 of the Privacy and Data Protection Act 2014 (Vic) (PDP Act), empowers the Information Commissioner to develop standards for the security and integrity of law enforcement data systems and crime statistics data systems.
The relevant provisions of the PDP Act apply to Victoria Police and the Crime Statistics Agency.
The Information Commissioner’s primary role with regard to law enforcement data is to promote the use by Victoria Police and the Crime Statistics Agency of appropriate and secure data management practices.
The Information Commissioner’s key functions with regard to law enforcement data are:
- to establish standards and protocols for the security and integrity of law enforcement data systems; and
- to monitor compliance with those standards and protocols and conduct reviews of law enforcement data issues in general.
What is law enforcement data?
Law enforcement data means any information obtained, received or held by Victoria Police:
- for the purpose of one or more of its, or any other law enforcement agency’s law enforcement functions;
- for the enforcement of laws relating to the confiscation of the proceeds of crime in connection with the conduct of proceedings commenced, or about to be commenced, in any court or tribunal; or
- for the purpose of its community policing functions.
Law enforcement data includes text, images, audio and video held electronically or in hard copy or any other storage format, including, but not limited to data relating to individuals and aggregated data.
Connecting the Victorian Protective Data Security Standard 11 (ICT Security) and ASD TOP 4
The VPDSS control reference for Standard 11 (ICT Security) states that ‘an organisation should align its ICT security controls with the Information Security Manual (ISM) published by the Australian Signals Directorate (ASD)’.
To help organisations prioritise the application of risk-based ICT controls, we encourage agencies and bodies to consider the ASD strategies to mitigate targeted cyber intrusions. These 35 strategies set out key technical measures designed to prevent targeted cyber intrusion based on intrusion observations from the ASD Cyber Security Operations Centre (CSOC).
The ASD CSOC estimates that at least 85% of the cyber intrusion techniques could be prevented by implementing the Top 4 mitigation strategies. As a package, the Top 4 mitigation strategies are highly effective in helping achieve a stronger ICT system.
These four mitigation strategies are more commonly referred to as the ASD Top 4:
- Application whitelisting to ensure that only software that is specified and authorised can run on a system;
- Patching third party applications;
- Patching operating systems; and
- Restricting administrative privileges.
Implementing the top four strategies helps to secure an ICT system by preventing cyber intrusions and making your network more resilient. Organisations should continue to conduct risk assessments and implement other mitigation strategies as required to protect their ICT systems.
The evidence to date indicates the ‘Catch, Patch, Match’ approach is the best way to mitigate against cyber intrusions, protect your most valuable information and enhance the resilience of your networks.
To help explain this approach, ASD has produced a short video, which can be accessed here:
- Catch malware by application whitelisting;
- Patch software and operating systems; and
- Match administrator rights to the right people.
ASD have also produced a range of supporting material to help organisations implement the strategies to mitigate targeted cyber intrusions. This material can be accessed here.
What is crime statistics data?
Crime statistics data means:
- any law enforcement data obtained by the Chief Statistician from the Chief Commissioner of Police under the provisions of the Crime Statistics Act 2014;
- any information derived from such data by the Crime Statistics Agency.