Victoria: OVIC publishes audit report on the identification and security value assessment of public sector information
The Office of the Victorian Information Commissioner ('OVIC') published, on 26 November 2021, an audit report that assessed four Victorian public sector ('VPS') organisations' adherence to Standard 2 of the Victorian Protective Data Security Standards ('the Standards'). In particular, the OVIC noted that organisations subject to Part 4 of the Privacy and Data Protection Act 2014 ('PDP Act') must adhere to the Standards, and that Standard 2 requires VPS organisations to identify and assess the security value of public sector information. Furthermore, the OVIC confirmed that it audited the Department of Treasury and Finance, the Barwon Region Water Corporation, the Victorian Institute of Forensic Medicine, and CenITex. Additionally, the OVIC highlighted that it assessed each organisation against the elements under Standard 2 and examined whether the organisations had accurately reported in their 2020 Protective Data Security Plans to OVIC. Further to this, the OVIC stated that all audited agencies had practices, procedures, and systems in place to assess the security value of information they hold.
Moreover, the OVIC observed that each organisation used security value assessment outcomes to inform appropriate security measures needed to protect public sector information. In addition, the OVIC noted that, in some cases, the audit found some differences between how organisations assessed themselves against some elements of the Standards and the OVIC's assessment of their information. Finally, the OVIC has outlined a range of recommendations for each agency to strengthen the identification and security value assessment of public sector information.