Audit report on managing information security risks when engaging third-parties published
Victorian public sector (VPS) organisations must take steps to ensure the protection of public sector information when it is being handled by third-parties on their behalf. This includes effectively managing information security risks before, during, and after engaging third-parties.
Standard 8 of the Victorian Protective Data Security Standards (VPDSS) requires VPS organisations to ensure that any third-parties they engage manage public sector information in a secure way.
On 18 October 2021, the Privacy and Data Protection Deputy Commissioner commenced an audit of Standard 8 of the VPDSS at four VPS organisations: the Department of Environment, Land, Water and Planning (DELWP), the Department of Jobs, Precincts and Regions (DJPR), the Transport Accident Commission (TAC), and the Victorian WorkCover Authority (WorkSafe).
In this audit, OVIC examined whether these four organisations have appropriate practices and procedures in place to ensure that third-parties they share public sector information with are protecting it appropriately, including when they collect, hold, use, disclose or transfer information.
The audit involved OVIC meeting with staff from these organisations to discuss their adherence to Standard 8, reviewing supporting documentation, and reviewing selected third-party arrangements from each organisation.
While the audit found none of the organisations completely effective across all four audit criteria, the organisations had implemented a wide range of practices and procedures at varying levels of effectiveness. This report aims to highlight some of the good practices and lessons from the audit.
In the audit report, OVIC made a range of recommendations to each organisation.
Audit of information security in third-party arrangements under section 8D(2)(b) of the Privacy and Data Protection Act 2014 (Vic)
For guidance on ensuring the protection of public sector information in third-party arrangements:
- Standard 8 of the Victorian Protective Data Security Standards
- Victorian Protective Data Security Standards
- VPDSS Implementation Guidance
- Practitioner Guide on Information Security Risk Management
FOR ENQUIRIES ABOUT INFORMATION SECURITY IN VICTORIA CONTACT:
Office of the Victorian Information Commissioner (OVIC)
t: 1300 006 842