Under the PDP Act provisions, third parties that collect, access and/or manage the department’s public sector data share the responsibility for its protection, which aligns with the Service Agreement.
Most funded organisations are not public sector organisations and therefore do not have direct obligations under Part 4 of the PDP Act to attest against the Victorian Protective Data Security Standards (VPDSS). However, as funded organisations are considered the departments' third parties, Standard 8 of the VPDSS applies. The department is required to seek the assurance from third parties (including funded organisations) that adequate security measures are in place for all public sector data.
The department has developed a Third-Party Standard guidance document, which outlines the requirement of third parties engaged to work with public sector information, data and/or IT systems.
For further information, visit the Information Security and Funded Agency SharePoint site.
Please contact the VPDSS Project Team at vpdss.infosec@dhhs.vic.gov.au if you do not have access and would like to obtain access to the above site.