Lessons to learn: OVIC tests public sector data security

Victorian public sector agencies and bodies subject to Part 4 of the Privacy and Data Protection Act 2014 (Vic) (PDP Act) must comply with the Victorian Protective Data Security Standards (VPDSS). The VPDSS establish a set of consistent criteria for applying risk-based security practices to manage and protect public sector information.

Recently, the Office of the Victorian Information Commissioner (OVIC) conducted an audit to assess how four representative bodies (large and small) complied with Standard 2 of the VPDSS:¹

'An organisation identifies and assesses the security value of public sector information'. 

Why identify and assess the security value of your information?

OVIC provides the short answer: it says that an 'agency cannot protect information it does not know it holds – let alone put appropriate protections in place that reflect the security value of that information'.²

So, compliance with Standard 2 helps organisations to mitigate risks in handling public sector information, by identifying the information and establishing its value. This informs how that information is protected. OVIC chose to audit organisations on Standard 2 having noticed it had the lowest reported level of implementation across the whole of the Victorian government.

The Audit

The four organisations submitted a completed Protective Data Security Plan in which they completed a self-assessment of their performance against each element. OVIC audited these organisations to confirm whether their assessments were reasonable.

Overall, OVIC concluded that the organisations had good practices in place to assess the security value of the information they held.  However, the Audit also identified areas for improvement. These provide important lessons for all Victorian public sector organisations when strengthening their data protection practices.

Areas for improvement identified from the Audit

• Cohesive Information Management Framework (IMF) - organisations should ensure they have an organisation-specific IMF which describes the 'information management landscape of [their] organisation'.³ OVIC's preferred IMF includes any legislative or regulatory drivers affecting the organisation, and articulates a 'shared direction and approach for the organisation to securely govern information assets'.⁴ Equally, the IMF should address high-level security areas, such as information, personnel and physical security, while also addressing organisation-specific information security risks.
• Management of Information Asset Registers (IARs) - IARs facilitate the central oversight and management of an organisation's information holdings. OVIC recommended that organisations should review, validate and update their IARs at least annually. OVIC also recommended that organisations should regularly consult with external stakeholders. Among other things, this will assist organisations to identify and record the full range of information assets they handle. External stakeholders include the organisation's information sharing partners, as well as their contracted service providers.
• Use of contextualised Business Impact Level tables (BIL tables) - BIL tables summarise the harm or damage which may be caused to government operations, organisations, or individuals, if the confidentiality of public sector information is compromised. A BIL table may be contextualised by modifying its content to suit the organisation's operational requirements so that the described impacts are 'proportionate to the organisation's risk posture'.⁵
• Clearly established roles and responsibilities - organisations can allocate someone to regularly review their IAR, as well as their BIL table, to ensure that the security value of their information is correctly represented.
• Consistent use of protective marking terminology - organisations should ensure that their protective markings are applied in a consistent manner to individual pieces of information.
• Increasing awareness of aggregated security value - organisations should create policies and procedures for handling aggregated information assets and their corresponding security value.
• Guidance regarding management of externally generated information - organisations ought to prepare a guide for personnel to manage external information in accordance with the originator's requirements.

Key Takeaways

• You can't protect data if you don't know what you have or what its value is.
• Managing privacy is a risk management activity, not a compliance activity. So make sure your Information Management Framework covers your organisation's specific risks, needs and data repositories. Take the time to judge the potential impacts of a data breach in your Business Impact Level table and make sure roles and responsibilities are properly recorded in policies and procedures.
• Your compliance must be meaningful. OVIC has clearly indicated it will look closely at all organisations' compliance with Standard 2.  It states that it will carefully scrutinise any claims that an organisation has fully implemented this requirement:

'….[A] status of ‘implemented’ will be closely examined and needs to not only reflect the key controls of the element, but also the process to implement those controls, and that the controls can operate and are operating effectively in their environment.'

If you need help

OVIC publishes a range of helpful guidance on its website, including How-To guides.

The VMIA also publishes risk management framework resources.

The VGSO can also help you plan, assess, review and draft the privacy documents you need - from organisation-specific  Information Management Frameworks and Business Impact Level tables, to reporting to OVIC or responding to particular issues as they arise.

For more information about the Audit, please click here to access OVIC's report.

Contact Our Team

For advice on technology issues in a Victorian public sector context, contact:

Bea Stathy, Managing Principal Solicitor
Email: bea.stathy@vgso.vic.gov.au

You can also contact one of our technology team members.

Publication Written by: Sam Connop, Law Graduate and Alexandra Lioudvigova, Law Graduate

The information is of a general nature only and does not convey or contain legal advice. If you would like to obtain legal advice in relation to any matter discussed on this page, please contact us.

Footnotes

^{1 Office of the Victorian Information Commissioner, Standard 2 of the Victorian Protective Data Security Standards, Audit under section 8D(2)(b) of the Privacy and Data protection Act 2014 (VIC), https://ovic.vic.gov.au/wp-content/uploads/2021/11/Audit-report-Standard-2-Information-Security-Value.pdf (Audit),  page 5 .}

^{2 Audit, page 5.} 

^{3 Audit, page 17.}

^{4 Audit, page 17.}

^{5 Audit, page 26.}