Help with complying with the Victorian Government VPDSS 2.0

Image of Parliament House, Melbourne courtesy of Elekhh, CC BY-SA 3.0, via Wikimedia Commons


The Office of the Victorian Information Commissioner (OVIC) published the Email Protective Marking Standard V1.1. to be effective from October 2020. This standard uses a similar method of marking used by the Commonwealth Government, as it utilises the same internet message header, but with a different namespace (reference section 9). OVIC is offering guidance and a method that allows the smooth interchange, handling and control of messages between the Victorian public sector and its Commonwealth correspondents through leveraging the Attorney General's (Cmwlth) EPMS 2018.4. 

The EPM is one of OVIC's technical specifications, written to support the Victorian Protective Data Security Standards (VPDSS2.0), which came into effect at the end of last year. “The VPDSS establish 12 high level mandatory requirements to protect public sector information across all security areas including governance, information, personnel, Information Communications Technology (ICT) and physical security.” The second requirement of the VPDSS is titled “Information Security Value” and the standard is that “An organisation identifies and accesses the security value of public sector information”.

OVIC gave Victorian Public Sector (VPS) organisations the deadline of October 2020 to transition to the new Victorian Protection Data Security Framework (VPDSF) protective marking scheme. Janusnet's Victorian Government base configurations are in accordance with current requirements. Having helped several Victorian agencies with the transition to the new scheme, we were delighted to be advised that our software solves at least 25% of the information security elements, either totally or partially. To demonstrate this, we produced this table to show how Janusnet can assist with meeting VPDSS2.0 requirements. If your agency still needs to update your settings or if you want to take advantage of the full benefit of OVIC's EPM, please talk to us today.


This is covered in detail in the User Guide Handling Protectively Marked Information V2.0.  Therein Victorian Government describes its approach to classifying and labelling sensitive information and is generally aligned with the Commonwealth system. Consistent classification and labelling allow sensitive information to be securely shared across Australian jurisdictions, with confidence that the information will be handled and protected according to its sensitivity. Another useful document is Protective Marking Flowchart and Mapping V2.1.

There are three main components of a protective marking: security classification, information management markers and caveats.  Specific definitions of each protective marking are set out in the table below. (This table does not list caveats or information management markers, which may be used in conjunction with security classifications – in accordance with the OVIC Practitioner Guide.)

Protective Marking

Business Impact Level




An optional marking that is used (particularly with email messages) to indicate that the information has no relation to official activities, such as personal correspondence.



Applied to public sector information that requires some form of protection, or compromise of this information may cause minor harm/damage to government operations, organisations and/or individuals.

OFFICIAL: Sensitive


Applied to public sector information where secrecy provisions or enactments apply to the content, or where disclosure of the material may be limited or prohibited under legislation. This indicates compromise of the confidentiality of the information may cause limited harm/damage to government operations, organisations and/or individuals.



Applied to public sector information where compromise of the confidentiality of the information may cause major harm/damage to government operations, organisations and/or individuals.



Applied to public sector information where compromise of the confidentiality of the information may cause serious harm/damage to government operations, organisations and/or individuals.

PROTECTED and SECRET are the only two true security classifications used in Victoria; the lower sensitivity protective markings can be thought of as pseudo-classifications.

Information Management Markers can be added to the protective marking for anything OFFICIAL and above. They are used to reflect ‘rights properties’ for particular content and can inform access restrictions. They are not mandatory. The three commonly recognised IMMs in Victoria are:

  • Legislative Secrecy
  • Personal Privacy, and
  • Legal Privilege

Caveats indicate extra special security requirements for public sector information in addition to the confidentiality requirements of the security classification, further restricting access to the material. Victoria generally recognises the national level caveats of the Commonwealth, as well as its own Cabinet-In-Confidence caveat that can be used with information at a security classification of either PROTECTED or SECRET. 

If you would like to discuss how Janusnet can help you comply with VIC compliance standards, please contact us or to obtain a fully working evaluation with VPDSS configuration, please complete the form below: