OVIC has raised the bar, as any good regulator should, by lifting the VPDSS Elements up from a supporting document and into the standards themselves.
We think this is somewhat controversial, as it appears to make the VPDSS more prescriptive: it takes away some of the flexibility for Victorian departments/agencies to adopt an alternative (i.e. a more mature and stable control framework) to achieve the same – or indeed better – outcomes.
But wait, there’s more. The increased emphasis on the VPDSS Elements continues, with updated Protective Data Security Plan (PDSP) reporting. Instead of the high-level summary for each of the 18 standards used previously, you will need to assess (and provide) the status of all 95 Elements… by 31 August 2020… surprise!
Oh, don’t forget to prepare a Security Risk Profile Assessment (SRPA) that supports the PDSP you submit to OVIC. You can find the requirements for an SRPA and PDSP in the Victorian Privacy and Data Protection Act (2014). That’s the compliance bit that remains steadfast.