

Audit report on managing information security risks when engaging third-parties published

Victorian public sector (VPS) organisations must take steps to ensure the protection of public sector information when it is being handled by third-parties on their behalf. This includes effectively managing information security risks before, during, and after engaging third-parties.

Standard 8 of the Victorian Protective Data Security Standards (VPDSS) requires VPS organisations to ensure that any third-parties they engage manage public sector information in a secure way.

On 18 October 2021, the Privacy and Data Protection Deputy Commissioner commenced an audit of four VPS organisations against Standard 8 of the VPDSS. These organisations are the Department of Environment, Land, Water and Planning (DELWP), the Department of Jobs, Precincts and Regions (DJPR), the Transport Accident Commission (TAC), and the Victorian WorkCover Authority (WorkSafe).

In this audit, OVIC examined whether these four organisations have appropriate practices and procedures in place to ensure that third-parties they share public sector information with are protecting it appropriately, including when they collect, hold, use, disclose or transfer information.

The audit involved OVIC meeting with staff from these organisations to discuss their adherence to Standard 8, reviewing supporting documentation, and reviewing selected third-party arrangements from each organisation.

While the audit considered none of the organisations completely effective across all four audit criteria, there was a wide range of practices and procedures that the organisations had implemented at varying levels of effectiveness. This report aims to highlight some of the good practices and lessons from the audit.

In the audit report, OVIC made a range of recommendations to each organisation.


For guidance on ensuring the protection of public sector information in third-party arrangements:


Simone Martin
t: (03) 8684 7585
e: or


Office of the Victorian Information Commissioner (OVIC)
t: 1300 006 842

