A number of funded organisations have contacted the Office of the Victorian Information Commissioner (OVIC) or the Department of Health and Human Services seeking clarification regarding their Victorian Protective Data Security Standards (VPDSS) compliance and reporting obligations.
Please note that funded organisations are not required to directly report to OVIC, or complete the VPDSS compliance documents published on the OVIC website.
The VPDSS categorises funded organisations as Contracted service providers. The information security compliance and reporting obligations between the department and funded organisations are defined by VPDSS Standard 9.
According to VPDSS Standard 9, it is the department's responsibility to ensure that Contracted service providers “do not do or act or engage in a practice that contravenes the Victorian Protective Data Security Standards (VPDSS).”
During 2018, the department will commence work with funded organisations to develop a risk-based reporting arrangement to ensure they are taking suitable steps to protect client data.
Recommended next steps
- As an initial cybersecurity baseline that is applicable to all Contracted service providers, funded organisations should consider implementation of the Australian Signals Directorate's Essential Eight at: https://www.asd.gov.au/publications/protect/essential-eight-explained.htm
- Funded organisations should assess their respective compliance with the Essential Eight and plan to remediate any identified gaps as soon as practicable.
- Free resources, including a maturity model assessment tool, are available at: https://www.asd.gov.au/publications/protect/essential-eight-maturity-model.htm
- Funded organisations should also subscribe to the Stay Smart Online website's free service at: https://www.staysmartonline.gov.au
- Organisations utilising these resources will be well-placed to respond to Question 13 of the Organisation compliance checklist (regarding protective data security).