The Assurance Model sets out activities led by CPDP designed to monitor and measure the protective data security practices within the Victorian public sector, including compliance with Part Four of the PDPA and the VPDSS. Activities will typically foster a partnership approach with CPDP and take the form of self-attestations and/or assurance activities to ensure organisations are:

  • meeting their obligations as stated in Part Four of the Act
  • applying protective data security measures commensurate with the organisational security risk profile.

These activities help establish a better understanding of each organisation’s protective data security practices, including adherence to the VPDSS. More broadly, they provide a level of assurance regarding the protection of information across the Victorian government.

To download your own copy of the Assurance Model (extracted from the broader framework document), navigate to the following links:

Assurance model icon

Overview of Assurance Model (Part Five of the VPDSF)


Mas icon

Visual representation of the Monitoring and Assurance System (MAS)


Update to VPDSF reporting requirements – November 2017

On the 10th November, the Victorian Information Commissioner advised Departments, Victoria Police and CenITex of updates to the VPDSF and reporting obligations of organisations. In the letter the Commissioner requested the assistance of the Departments to distribute this advice to all affected organisations in their portfolio. For those that may not have received this advice, a summary is included below:  

As required by s85 of the Privacy and Data Protection Act (2014), the Victorian Protective Data Security Framework (the Framework) and accompanying Standards were issued in July 2016. All entities/bodies/agencies* within the Victorian public sector should already be developing an Information Asset Register, valuing their information and doing the risk assessment that will inform their Protective Data Security Plans. A high-level Protective Data Security Plan and an attestation (capturing compliance status) is due for submission to OVIC in August 2018. 

To facilitate the fulfillment of statutory obligations, OVIC recommends that all Victorian public sector organisations designate an Information Security Lead to act as a contact point with our office. If you have not done this, please do so by sending the details of your lead to This email address is being protected from spambots. You need JavaScript enabled to view it.

In the meantime, OVIC has commenced the development of a robust and inclusive governance model for the Framework and Standards. The model is a high priority as it will inform and steer the next phase of the implementation. OVIC is aware that organisations are already devoting considerable resources towards the implementation of the Standards. To ensure that this effort is proportionate and targeted, OVIC has announced a number of immediate data protection changes:

  • • cessation of the procurement process for a Monitoring and Assurance Software solution to support the Framework’s Assurance Model;
  • • removal of the requirement (from the Framework) for organisations to provide OVIC with a copy of their Security Risk Profile Assessment (SRPA);
  • • through co-design with the VPS, we will review organisational reporting obligations for August 2018 including:
    • • an attestation capturing compliance status at a high-level
    • • a high-level Protective Data Security Plan

OVIC documentation will be updated in due course to reflect any outcomes of this program of works.

OVIC hopes that the Victorian public sector welcomes the Framework and its Standards, noting that its implementation provides the potential to reap real and positive changes to the culture of protective data security. 

* excluding exempt entities as defined by Part 4 of the Privacy and Data Protection Act 2014