How to comply with VPDSS 2.0

Prepare with Janusnet

In October 2018, the Commonwealth Attorney Generals announced reforms to the Commonwealth's Protective Security Policy Framework (PSPF), including changes to their Protective Marking Scheme and Business Impact Levels (BILs).

Some PSPF revisions have implications for agencies or bodies within Victorian Government, particularly those accessing or using Commonwealth-generated information. As part of this, the Office of the Victorian Information Commissioner (OVIC) is looking to support information sharing across Victoria and with other jurisdictions, which includes aligning with Commonwealth markings. OVIC issued the updated Victorian Protective Data Security Framework (VPDSF) covering Protective Marking Reforms and Business Impact Levels in February 2019.

The Victorian Protective Data Security Standards (VPDSS 2.0) came into effect at the end of last year. “The VPDSS establish 12 high level mandatory requirements to protect public sector information across all security areas including governance, information, personnel, Information Communications Technology (ICT) and physical security.” - https://ovic.vic.gov.au/data-protection/standards/. The second requirement of the VPDSS is titled “Information Security Value” and the standard is that “An organisation identifies and assesses the security value of public sector information”.

PROTECTIVE MARKINGS IN USE IN VICTORIA

This is covered in detail in OVIC’s Practitioner Guide: Protective Markings. There, the Victorian Government describes its approach to classifying and labelling sensitive information, which is generally aligned with the Commonwealth system. Consistent classification and labelling allow sensitive information to be securely shared across Australian jurisdictions, with confidence that the information will be handled and protected according to its sensitivity.

There are three main components of a protective marking: security classification, information management markers and caveats. Specific definitions of each protective marking are set out in the table below. (This table does not list caveats or information management markers, which may be used in conjunction with security classifications in accordance with the OVIC Practitioner Guide.)

| Protective Marking | Business Impact Level | Description |
| --- | --- | --- |
| UNOFFICIAL | 0 | An optional marking that is used (particularly with email messages) to indicate that the information has no relation to official activities, such as personal correspondence. |
| OFFICIAL | 1 | Applied to public sector information that requires some form of protection, or compromise of this information may cause minor harm/damage to government operations, organisations and/or individuals. |
| OFFICIAL: Sensitive | 2 | Applied to public sector information where secrecy provisions or enactments apply to the content, or where disclosure of the material may be limited or prohibited under legislation. This indicates compromise of the confidentiality of the information may cause limited harm/damage to government operations, organisations and/or individuals. |
| PROTECTED | 3 | Applied to public sector information where compromise of the confidentiality of the information may cause major harm/damage to government operations, organisations and/or individuals. |
| SECRET | 4 | Applied to public sector information where compromise of the confidentiality of the information may cause serious harm/damage to government operations, organisations and/or individuals. |

PROTECTED and SECRET are the only two true security classifications used in Victoria; the lower sensitivity protective markings can be thought of as pseudo-classifications.

Information Management Markers (IMMs) can be added to the protective marking for anything OFFICIAL and above. They are used to reflect ‘rights properties’ for particular content and can inform access restrictions. They are not mandatory. The three commonly recognised IMMs in Victoria are:

• Legislative Secrecy

• Personal Privacy, and

• Legal Privilege

Caveats indicate special security requirements for public sector information that apply in addition to the confidentiality requirements of the security classification, further restricting access to the material. Victoria generally recognises the national level caveats of the Commonwealth, as well as its own Cabinet-In-Confidence caveat that can be used with information at a security classification of either PROTECTED or SECRET.

Click here for further information about Compliance with the Victorian Protective Data Security Standards 2019 Protective Markings

If you would like to obtain a fully working evaluation with VPDSS configuration, please complete the form below:
