Tuesday 14 March 2017

Victorian Commissioner for Privacy and Data Protection Report - Learnings and Hurdles

A recent Commissioner for Privacy and Data Protection (CPDP) report on information governance at the Department of Health and Human Services (DHHS) provides valuable guidance to assist government agencies to comply with the Privacy and Data Protection Act 2014 (Act) and the Victorian Protective Data Security Standards, in particular.  Below we look at key learnings that other agencies can take on board as part of their own compliance preparation.

A high priority: manage your contracted service providers


Department and agency heads will be responsible for ensuring that both their own organisations and their Contracted Service Providers (CSP) comply with the Standards.  Contract terms making CSPs liable for compliance with the Information Privacy Principles won't remove the risk of privacy and data security incidents occurring.

The finding in the Report showed that while agencies must ensure their agreements with CSPs are consistent and reflect up to date information governance requirements, there needs to be appropriate and effective resourcing, due diligence and monitoring of CSP compliance too.  Without appropriate monitoring, there is a greater risk of incidents which could mean that the agency may not have met its obligations under the Act.

Achieving compliance with the Victorian Protective Data Security Standards


The Report recognises that not all Victorian Public Sector organisations may be fully compliant with the Standards by July 2018.  Showing that you are on track is crucial though, and submitting a security assessment and plan to the CPDP is mandatory.  Further, the CPDP recognises that some agencies may already comply with much of the Standards by having implemented the Information Security Management Framework (2009) and through annual reporting to the Victorian Auditor-General's Office.  The steps required to achieve compliance will not necessarily be the same for all agencies or wholly new or particularly onerous.

Other factors to consider in your compliance framework


  • Are your information policies and procedures consistent and do they reference each other?  Are your staff aware of where to find them, and are they regularly checked and updated?
  • Does your organisation have up to date privacy and data security incident management procedures? Does your organisation need defined criteria of when to notify others and escalate incidents?
  • Have you developed scenario-based privacy and data-security training for CSPs and your frontline staff based on their day-to-day roles?
  • Do you need an information asset register?  This can identify the information you handle, its value, risks and regulatory requirements, and how to use and manage it.


If you have any queries regarding privacy law in Victoria, please call:

Rebecca Radford
Managing Principal Solicitor
9947 1403

Molina Asthana
Principal Solicitor
9947 1420

James Stephens
Principal Solicitor
9947 1422