The Victorian Protective Data Security Framework (VPDSF)
The VPDSF (Victorian Protective Data Security Framework) is the scheme for managing data security risks across Victoria’s public sector. The framework comprises the VPDSS (Victorian Protective Data Security Standards) and an assurance model, both described below.
It was established in July 2016 under Part 4 of the PDPA (Privacy and Data Protection Act 2014) by the Commissioner for Privacy and Data Protection, whose functions passed to OVIC (the Office of the Victorian Information Commissioner) in 2017, and was updated in March 2018.
Speak to an expert
If you would like more information about managing your organisation’s security risk under the VPDSF, please get in touch with one of our experts today.
The Victorian Protective Data Security Standards (VPDSS)
The VPDSS (Victorian Protective Data Security Standards) are 18 high-level data security requirements for Victorian public-sector organisations.
They provide a set of criteria for applying security practices consistently across Victorian government information. These criteria cover governance, information security, personnel security, ICT (information and communications technology) security and physical security.
Assurance model
The assurance model sets out a number of activities designed to ensure that Victorian public-sector organisations meet the following obligations under the PDPA and the VPDSS:
- Undertake an SRPA (security risk profile assessment) to determine the current risks to their information assets.
- Complete a VPDSS self-assessment.
- Develop a PDSP (protective data security plan) to address data security risks and capability improvement.
- Submit the PDSP to OVIC by 31 August 2018 and every two years thereafter.
- Review the PDSP at least every two years.
- Cooperate with OVIC’s monitoring and assurance activities, including audits.
The assurance model addresses the following areas:
- Security planning – the activities to assess organisations’ risks and capability, and development of an action plan.
- Organisational compliance – an approach based on a security capability model, which organisations can use to report their level of compliance with the VPDSS to OVIC.
- Risk-based assurance – OVIC’s activities to assess the level, implementation and effectiveness of protective data security across the Victorian public sector.
- Assurance reporting – the reporting obligations and requirements for OVIC.
Each area is supported by the following operational components:
Under the VPDSF principles, the assurance model is structured as follows. The first two columns (security planning and organisational compliance) are organisational activities; the last two (risk-based assurance and assurance reporting) are OVIC activities.

| Security planning | Organisational compliance | Risk-based assurance | Assurance reporting |
|---|---|---|---|
| Security risk profile assessment | VPDSS self-assessment | Assurance context | OVIC reporting |
| Protective data security plan | Maturity assessment | Assessment criteria | Ministerial reporting |
| | Maturity target assessment | Organisation impact assessment | |
| | Organisational reporting | Assurance activities | |
Complying with the VPDSF
If your organisation needs help complying with the VPDSF and PDPA, we can help.
The VPDSS states that organisations should align their security management frameworks with standards such as ISO 27001, and their access management regimes and information sharing practices with ISO 27002, the code of practice for information security controls that supports ISO 27001.
IT Governance has more than 15 years’ experience helping hundreds of organisations worldwide implement ISO 27001, having led ISMS (information security management system) implementation projects since the Standard’s inception.
If you need more guidance or advice on implementing ISO 27001, please contact us.