Skip to content

Impending VPDSS 2.0 reporting deadline!

Andrew Robinson |

January 22, 2020
Impending VPDSS 2.0 reporting deadline!



Work with VicGov on VPDSS assessment & implementation.


Well…it’s almost been 2 years. OVIC are asking ‘what have you done for me lately?’. 

2019 ended with a significant update to the Victorian Protective Data Security Standards (VPDSS), now known colloquially as VPDSS 2.0.

It brings into sharper focus the need for Victorian departments and agencies to assess the impact of these changes across their organisations and to have adequate information and assurance.

Here’s the fun part! They’ll need to provide a copy of their reporting to the Office of the Victorian Information Commissioner (OVIC) by 31 August 2020…Tick tock!



Heads up: The Subtle Changes. 

Taking a look, we can see how it’s been simplified. OVIC has reduced the number of Standards from 18 to 12, as well as cutting the number of associated Elements from 117 to 95.  

OVIC have also used crisper language, free from the shackles previously imposed by legacy ‘must’ and ‘should’ statements. Compliance is dead. Long live… risk management!  

Side note: compliance is not dead…ahem. 

Certainly, compliance is still necessary and apparent but is gratefully no longer used as a driving force for the adoption of arbitrary security controls. You determine what is applicable and not.


Good Controversy: The Dramatic Changes 

OVIC has raised the bar, as any good regulator should, by lifting the VPDSS Elements up from a supporting document and into the standards themselves. 

We think this is somewhat controversial, as it appears to make the VPDSS more prescriptive, owing to it taking away some of the flexibility for Victorian departments/agencies to adopt an alternative (i.e. a more mature and stable control framework) to achieve the same – or indeed better – outcomes.

But wait, there’s more. The increased emphasis on the VPDSS Elements continues, with updated PDSP Protective Data Security Plan reporting. Instead of a high-level summary for each of the 18 standards used previously, you will need to assess (and provide) the status of all 95 Elements… by 31 August 2020…surprise!

Oh, don’t forget to prepare a Security Risk Profile Assessment (SRPA) that supports the PDSP you submit to OVIC. You can find threquirements for an SRPA and PDSP in the Victorian Privacy and Data Protection Act (2014). That’s the compliance bit that remains steadfast.


Don’t worry, it’s good news!

We’re happy that the reporting against VPDSS Elements is very much the equivalent of a Statement of Applicability (SOA) used by industry for ISO/IEC 27001 and by the Australian Government in its information security assessments. That’s a good thing in our book! It makes the uplift workable.


Here’s how to make your VPDSS task easier…much easier. 

Get yourself a combined assessment and management system (as a service) functionality that will help you help Victorian departments/agencies and drive repeat custom.

With 6clicks for Service Providers, you can quickly and easily perform assessments of Victorian departments and agencies against the VPDSS 2.0.

Use our built-in question set available from the 6clicks Marketplace or, create your own.

When you help client’s complete assessments of their third parties, you can refer customers using your unique 6clicks Referral URL – giving you easy access to customer accounts to work with them, similar accountants and their customers on Xero.

Our platform can also help you:

– Implement the requirements of VPDSS 2.0 for Victorian departments/agencies.

– Record your information assets and classifications,

Develop risks and treatment plans,

Report progress of control implementation and security incidents and issues

– Map VPDSS requirements against other frameworks such as ISO/IEC 27001 and the NIST Cyber Security Framework


For more information, Book a Demo with us today! 

Book your demo

Andrew Robinson

Written by Andrew Robinson

Andrew started his career in the startup world and went on to perform in cyber and information security advisory roles for the Australian Federal Government and several Victorian Government entities. Andrew has a Masters in Policing, Intelligence and Counter-Terrorism (PICT) specialising in Cyber Security and holds IRAP, ISO 27001 LA, CISSP, CISM and SCF certifications.