
The Victorian Protective Data Security Framework (VPDSF)

The VPDSF (Victorian Protective Data Security Framework) is the scheme for managing data security risks in Victoria’s public sector.

The framework comprises:

It was established by OVIC (the Office of the Victorian Information Commissioner) in July 2016 under Part Four of the PDPA (Privacy and Data Protection Act) 2014, and updated in March 2018.

Speak to an expert

If you would like more information about managing your organisation's security risk via the VPDSF scheme, please get in touch with one of our experts today.


The Victorian Protective Data Security Standards (VPDSS)

The VPDSS (Victorian Protective Data Security Standards) are 18 high-level data security requirements for Victorian public-sector organisations.

They provide a set of criteria for consistently applying security practices across Victorian government information. These criteria cover governance, information security, personnel security, ICT (information communications technology) security and physical security.


Assurance model

The assurance model sets out a number of activities designed to ensure that Victorian public-sector organisations meet the following obligations under the PDPA and the VPDSS:

  • Undertake an SRPA (security risk profile assessment) to determine the current risks to their information assets.
  • Complete a VPDSS self-assessment.
  • Develop a PDSP (protective data security plan) to address data security risks and capability improvement.
  • Submit the PDSP to OVIC by 31 August 2018 and every two years thereafter.
  • Review the PDSP at least every two years.
  • Cooperate with OVIC’s monitoring and assurance activities, including audits.

The assurance model addresses the following areas:

  • Security planning – the activities to assess organisations’ risks and capability, and development of an action plan.
  • Organisational compliance – an approach based on a security capability model, which organisations can use to report their level of compliance with the VPDSS to OVIC.
  • Risk-based assurance – OVIC’s activities to assess the level, implementation and effectiveness of protective data security across the Victorian public sector.
  • Assurance reporting – the reporting obligations and requirements for OVIC.

Each area is supported by the following operational components:

VPDSF principles
Assurance model

  • Security planning – security risk profile assessment; protective data security plan.
  • Organisational compliance – VPDSS self-assessment; maturity assessment; maturity target assessment; organisational reporting.
  • Risk-based assurance – assurance context; assessment criteria; organisation impact assessment; assurance activities.
  • Assurance reporting – OVIC reporting; ministerial reporting.

Security planning and organisational compliance are organisational activities; risk-based assurance and assurance reporting are OVIC activities.

Complying with the VPDSF

If your organisation needs help complying with the VPDSF and PDPA, we can help.

The VPDSS states that organisations should align their security management frameworks with standards such as ISO 27001, and their access management regimes and information sharing practices with ISO 27001’s code of practice, ISO 27002.

IT Governance has more than 15 years’ experience helping hundreds of organisations worldwide implement ISO 27001, having led ISMS (information security management system) implementation projects since the Standard’s inception.

If you need more guidance or advice on implementing ISO 27001, please contact us.

Speak to an expert

Please contact us for further information or to speak to one of our in-house experts.
