The Victorian Protective Data Security Framework (VPDSF) is the mandatory scheme for managing protective data security risks across Victoria’s public sector. Victorian public sector agencies, including local Councils with Committees of Management, must comply with the VPDSF and should have attested their compliance by August 2018 and every two years thereafter. The Office of the Victorian Information Commissioner reserves the right to conduct audits and spot checks at any time.
The VPDSF offers a means to continually improve information security practices, manage risks, promote innovation and increase productivity. It encourages cultural change in the Victorian public sector by promoting information security as part of everyday business. Information security involves most areas of an organisation’s activities, including people (personnel security), buildings and offices (physical security), systems (IT security), paper records (records management) and standard business processes; it is not “just an IT thing”.
The 18 standards prescribe the Victorian Government’s approach to protecting public sector information. They address governance and four other security domains and feature core messages, including:
| Security domain | Core message |
|---|---|
| Security Governance | (12 standards) Executive sponsorship of, and investment in, security management utilising a risk-based approach. |
| Information Security | (Three standards) Protection of information, regardless of media or format (hard and soft copy material), across the information lifecycle from when it is created to when it is disposed. |
| Personnel Security | (One standard) Engagement and employment of eligible and suitable people to access information. |
| ICT Security | (One standard) Secure communications and technology systems processing or storing information. |
| Physical Security | (One standard) Secure physical environment (i.e. facilities, equipment and services) and the application of physical security measures to protect information. |
You need to comply with the VPDSF if you are:
Check your organisation’s applicability to the framework using the diagram below:
The OVIC recommends a five-step approach to develop your Protective Data Security Plan and secure your organisation’s information assets:
In practical terms, this means you need to:
By August 2018, you should have reported the following to the OVIC:
Thereafter, you are obliged to submit follow-up reports every 2 years (or sooner if there is significant organisational change).
Centium has vast experience in supporting Victorian public-sector organisations to cut through the complexity and implement the VPDSF in a structured, practical and “fit for purpose” way.
We have already assisted Victorian agencies to meet their VPDSF obligations and can share our experiences and “lessons learnt” with you, saving you from reinventing the wheel. If you have not met your 2018 obligations, we can help you to do so.
We can help you to meet your mandatory VPDSF obligations by:
Our team includes specialist practitioners with decades of hands-on and practical protective data security expertise. We have helped Victorian government entities to meet their VPDSF obligations and can share those experiences and innovations with you.
For more information, please download our Service Sheet
To discuss how we can help you meet your compliance obligations and help improve your protective data security, email us at firstname.lastname@example.org or call us on 13002378100.