Skip to Content
From Monday 12 September 2020, OVIC's website will no longer be supported in Internet Explorer (IE).
We recommend installing Microsoft Edge, Google Chrome, Safari, Firefox, or Opera to visit the site.


The Assurance Model identifies the monitoring and assurance obligations for the protection of public sector information in accordance with the Victorian Protective Data Security Standards (VPDSS). These obligations comprise activities led by organisations and activities led by this Office.

Organisational assurance activities

A public sector organisation must undertake a range of activities to meet its obligations under the Privacy and Data Protection Act 2014. It must:

  • undertake a Security Risk Profile Assessment (SRPA), an assessment of the current risks to your organisation’s information assets;
  • develop a Protective Data Security Plan (PDSP), providing a plan of action to address protective data security risks and capability improvement; and
  • submit a copy of the PDSP including attestation by 31 August 2020 and every two years thereafter (or sooner if there is significant organisational change).

Additionally, organisations are required to cooperate with us when we undertake monitoring and assurance activities such as audits or reviews.

Protective Data Security Plan and Attestation submission resources

Our assurance activities

Our activities will typically foster a partnership approach and take the form of consultations, engagements, audits and reviews to ensure organisations are:

  • meeting their obligations; and
  • applying protective data security measures commensurate with information value and organisational security risk profile.

These activities help establish a better understanding of each organisation’s protective data security practices, including adherence to the VPDSS. More broadly, they provide a level of assurance regarding the protection of information across the Victorian government.


Back to top
Back to Top