The Assurance Model sets out activities led by CPDP designed to monitor and measure the protective data security practices within the Victorian public sector, including compliance with Part Four of the PDPA and the VPDSS. Activities will typically foster a partnership approach with CPDP and take the form of self-attestations and/or assurance activities to ensure organisations are:

  • meeting their obligations as stated in Part Four of the Act
  • applying protective data security measures commensurate with the organisational security risk profile.

These activities help establish a better understanding of each organisation’s protective data security practices, including adherence to the VPDSS. More broadly, they provide a level of assurance regarding the protection of information across the Victorian government.


August 2018 Reporting


On 27 February 2018, the Victorian Information Commissioner wrote to Departmental Secretaries, CenITex and Victoria Police advising them of the release of the high level Protective Data Security Plan (PDSP) template, which includes an attestation. Text from the letter can be downloaded here


When completed, this is the only document to be submitted to OVIC by 31 August 2018, in compliance with the Privacy and Data Protection Act 2014.

The high level PDSP template comprises three parts:

Part A:  Agency or Body details

Part B:  Compliance status and key activities (planned or in progress)

Part C:  Attestation

Organisations have two options to use when submitting their reports:


Option 1 - Single Organisation Model

Download here

• An organisation submits a high level PDSP and provides an attestation on its own behalf only

Option 2 - Multiple Organisational Model

Download here

• An organisation submits a consolidated high level PDSP and provides an attestation on its own behalf, and for and on behalf of one or more additional public-sector agencies or bodies (multiple organisation model).

• The multiple organisation model may be used in a portfolio setting where agencies or bodies fall within the portfolio of responsibilities of a Department or where a number of organisations of a similar form or function choose to consolidate their efforts.


Nb. OVIC does not mandate the use of any particular approach, with the selection of either reporting option residing with each organisation.



Submission process

OVIC has established an online portal to enable the August 2018 submission of high level PDSPs. To submit your high level PDSP, navigate to www.cpdp.vic.gov.au/security


The portal will be available for high level PDSP submission from 1 July 2018 to 31 August 2018.

Further material will be published to the website in due course to support agencies' or bodies' reporting obligations.