
Victorian Protective Data Security Framework...Commissioner for Privacy and Data Protection...

Date post: 14-Aug-2020
Victorian Protective Data Security Framework Victorian Information Security Network - VPS Forum MELBOURNE – MARCH 2017
Transcript


Data Protection Branch

Assistant Commissioner, Data Protection Anthony Corso (Presenting)

Senior Data Protection Advisor Laurencia Dimelow (Presenting)

Senior Data Protection Officer Anna Harris

GRC Security Manager Karl Will

Specialist Data Protection Advisor Martin Harris

Contact details

Email: [email protected]

Ph. 8684 1660

VISN – What the VPDSF means for you…

Introductions


Run through…

•  Introduction

•  Sli.do

•  Who’s here today

•  Privacy & Data Protection Act (2014)

•  Video – Data Protection and You

•  The Framework

•  The Standards

•  What information is covered?

•  Who is involved?

•  Indirect security obligations

•  Third party engagement

•  What does this mean for partner organisations?

•  Why do we need to do this?

•  Where to start?

•  When do VPS organisations have to report?

•  Tool to support you


Sli.do

During the event we will be using an online tool (Sli.do) offering you an opportunity to interact with our presentation, engage in polls and ask questions. For those using the tool you will have the option of posting anonymously and can also download the presentation and a summary infographic onto your local device. The team will moderate the tool and will post any relevant comments or material to the audience…


Sli.do

3190


Who’s here today…

•  Local Councils

•  Funded Agencies

•  Victorian Public Sector Organisations


Privacy & Data Protection Act (2014)


‘Data Protection and You’

Awareness video of the Victorian Protective Data Security Framework


The Framework


The Standards


The Victorian Protective Data Security Standards (VPDSS) were formally issued on 28th of July, 2016.


What is covered?


Any information obtained, received or held by an agency or body to which Part 4 of the Privacy and Data Protection Act (2014) applies.

This includes both hard and soft copy information, regardless of media or format!


Who’s involved?


CPDP - Office of the Commissioner for Privacy and Data Protection

Indirect obligations - Organisations with access to Victorian public sector data have indirect protective data security obligations

Public sector body Head

Directly in scope - Applicable agencies or bodies set out under Part 4 of Privacy and Data Protection Act (PDPA) 2014


Indirect security obligations


Information Sharing Arrangements

Other legal & regulatory obligations

Contractual obligations

Health Privacy Principles (HPP4)

Information Privacy Principles (IPP4)


Why do we need to do this?


Enable VPS organisations to achieve their business objectives in a secure way

Have confidence in the information you are using

Support secure information sharing practices (within and beyond government)

Ensure the right people have access to the right information at the right time…

Adhere to legislative requirements and offer a level of assurance around your organisation's security practices


Third party engagement

Applicable VPS organisations must ensure that any contractual arrangements or information sharing agreements (including Memoranda of Understanding) have the relevant protective data security requirements embedded into the terms or conditions of the agreement.


What does this mean for partner organisations?

IPP 4


•  Under the VPDSS partner organisations do not need to provide CPDP a:

    •  Security Risk Profile Assessment (SRPA), or

    •  Protective Data Security Plan (PDSP)

•  Given this, Standards 11 & 12 do not strictly apply to partner organisations

Instead, VPS agencies who are in scope for the VPDSF will require partner organisations to provide a level of assurance on their protective data security practices.

Responses from partner organisations will inform the SRPA and PDSP of the VPS agency.

How VPS agencies will seek this assurance from their partners will differ, depending on the value of the information and the type of engagement or arrangement.


Five Step Action Plan


Where to start?


•  Identify your information assets

•  Determine the 'value' of this information

•  Identify any risks to this information

•  Apply security measures to protect the information

•  Manage risks across the information lifecycle


When?

By July 2018 each applicable organisation must provide CPDP with their first round of reporting…

•  Compliance self-assessment (including an attestation by the organisation's Public sector body Head of current implemented security controls)

•  Protective Data Security Plan (PDSP)

•  Security Risk Profile Assessment (SRPA)


Tools to support you


‘BIL’ Mobile App

Currently available for download on tablet devices (iPad and Android)

Simply search for ‘CPDP’ in the app store to download your own copy

CPDP Mobile App


Question & Answer session


For any other feedback or enquiries please direct your comments to the [email protected] mailbox

Questions?


Opportunity for you to ask questions through Sli.do or to take questions from the floor…

