A high priority: manage your contracted service providers
Department and agency heads will be responsible for ensuring that both their own organisations and their Contracted Service Providers (CSPs) comply with the Standards. Contract terms that make CSPs liable for compliance with the Information Privacy Principles do not remove the risk of privacy and data security incidents occurring; they only allocate liability after the event.
The Report found that, while agencies must ensure their agreements with CSPs are consistent and reflect up-to-date information governance requirements, agreements alone are not enough: agencies also need appropriate and effective resourcing, due diligence and ongoing monitoring of CSP compliance. Without such monitoring there is a greater risk of incidents, and an incident at a CSP may mean the agency itself has not met its obligations under the Act.
Achieving compliance with the Victorian Protective Data Security Standards
The Report recognises that not all Victorian Public Sector organisations may be fully compliant with the Standards by July 2018. Showing that you are on track is crucial, however, and submitting a security assessment and plan to the CPDP is mandatory. The CPDP also recognises that some agencies may already comply with much of the Standards through having implemented the Information Security Management Framework (2009) and through their annual reporting to the Victorian Auditor-General's Office. The steps required to achieve compliance will therefore differ between agencies, and for many will be neither wholly new nor particularly onerous.
Other factors to consider in your compliance framework
- Are your information policies and procedures consistent, and do they reference each other? Do your staff know where to find them, and are they regularly reviewed and updated?
- Does your organisation have up-to-date privacy and data security incident management procedures? Does it need defined criteria for when to escalate an incident and when to notify others?
- Have you developed scenario-based privacy and data security training for CSPs and your frontline staff, based on their day-to-day roles?
- Do you need an information asset register? A register identifies the information you handle, its value, the risks and regulatory requirements attached to it, and how it should be used and managed.
If you have any queries regarding privacy law in Victoria, please call:
Managing Principal Solicitor