15 July 2016

Data Protection Frameworks

The Victorian Commissioner for Privacy and Data Protection (CPDP) has released the Victorian Protective Data Security Framework (VPDSF) under the Privacy and Data Protection Act 2014 (Vic).

The Framework is to provide
direction to Victorian public sector agencies or bodies on their data security obligations. Reflecting the sector’s unique operating requirements, it will build security risk management capability and maturity through the use of existing risk management principles and guidelines. ... 
The VPDSF has been developed to establish, monitor and assure security of information within the Victorian Government.
Consistent with the Victorian Information Privacy Principle 4 (Data security), state entities are to "take reasonable steps to protect the personal information ... from misuse and loss and from unauthorised access, modification or disclosure", using the VPDSF "as the primary reference point in complying with IPP 4.1".

The VPDSF states
The VPDSF has been developed to help Victorian public sector organisations:
• identify information and determine ownership 
• assess the value of information 
• identify and manage protective data security risks 
• apply security measures 
• create a positive security culture 
• mature their protective data security capability.
The VPDSF provides your organisation with a minimum set of protective data security requirements across governance and the four protective security domains. These requirements, coupled with assurance actions, are designed to assist you mitigate information security risks. Where Victorian organisations handle information of national interest, the Protective Security Policy Framework (PSPF) requirements remain mandatory and supersede any obligations set out in the VPDSF. The VPDSF should be read in conjunction with existing legislative obligations. Where relevant legislation mandates lower standards than those of the VPDSF, you are encouraged to meet the minimum requirements of the VPDSF.