TRANSCRIPT
Victorian Protective Data Security Framework
Victorian Information Security Network - VPS Forum MELBOURNE – MARCH 2017
Commissioner for Privacy and Data Protection
Data Protection Branch
Assistant Commissioner, Data Protection Anthony Corso (Presenting)
Senior Data Protection Advisor Laurencia Dimelow (Presenting)
Senior Data Protection Officer Anna Harris
GRC Security Manager Karl Will
Specialist Data Protection Advisor Martin Harris
Contact details
Email: [email protected]
Ph. 8684 1660
VISN – What the VPDSF means for you…
Introductions
Run through…
• Introduction
• Sli.do
• Who’s here today
• Privacy & Data Protection Act (2014)
• Video – Data Protection and You
• The Framework
• The Standards
• What information is covered?
• Who is involved?
• Indirect security obligations
• Third party engagement
• What does this mean for partner organisations?
• Why do we need to do this?
• Where to start?
• When do VPS organisations have to report?
• Tool to support you
Sli.do
During the event we will be using an online tool (Sli.do) that offers you an opportunity to interact with our presentation, take part in polls and ask questions. Those using the tool will have the option of posting anonymously and can also download the presentation and a summary infographic onto their local device. The team will moderate the tool and will post any relevant comments or material to the audience…
Sli.do: 3190
Who’s here today…
• Local Councils
• Funded Agencies
• Victorian Public Sector Organisations
Privacy & Data Protection Act (2014)
‘Data Protection and You’
Awareness video of the Victorian Protective Data Security Framework
The Framework
The Standards
The Victorian Protective Data Security Standards (VPDSS) were formally issued on 28 July 2016.
What is covered?
Any information obtained, received or held by an agency or body to which Part 4 of the Privacy and Data Protection Act (2014) applies.
This includes both hard and soft copy information, regardless of media or format!
Who’s involved?
• CPDP – Office of the Commissioner for Privacy and Data Protection
• Indirect obligations – organisations with access to Victorian public sector data have indirect protective data security obligations
• Public sector body Head
• Directly in scope – applicable agencies or bodies set out under Part 4 of the Privacy and Data Protection Act (PDPA) 2014
Indirect security obligations
• Information Sharing Arrangements
• Other legal & regulatory obligations
• Contractual obligations
• Health Privacy Principles (HPP4)
• Information Privacy Principles (IPP4)
Why do we need to do this?
• Enable VPS organisations to achieve their business objectives in a secure way
• Have confidence in the information you are using
• Support secure information sharing practices (within and beyond government)
• Ensure the right people have access to the right information at the right time…
• Adhere to legislative requirements and offer a level of assurance around your organisation’s security practices
Third party engagement
Applicable VPS organisations must ensure that any contractual arrangements or information sharing agreements (including Memoranda of Understanding) have the relevant protective data security requirements embedded into the terms or conditions of the agreement.
What does this mean for partner organisations?
• Under the VPDSS, partner organisations do not need to provide CPDP with a:
  • Security Risk Profile Assessment (SRPA), or
  • Protective Data Security Plan (PDSP)
• Given this, Standards 11 & 12 do not strictly apply to partner organisations
Instead, VPS agencies who are in scope for the VPDSF will require partner organisations to provide a level of assurance on their protective data security practices.
Responses from partner organisations will inform the SRPA and PDSP of the VPS agency.
How VPS agencies will seek this assurance from their partners will differ, depending on the value of the information and the type of engagement or arrangement.
Five Step Action Plan
Where to start?
• Identify your information assets
• Determine the ‘value’ of this information
• Identify any risks to this information
• Apply security measures to protect the information
• Manage risks across the information lifecycle
When?
By July 2018 each applicable organisation must provide CPDP with their first round of reporting…
• Compliance self-assessment (including an attestation by the organisation’s Public sector body Head of currently implemented security controls)
• Protective Data Security Plan (PDSP)
• Security Risk Profile Assessment (SRPA)
Tools to support you
CPDP Mobile App
‘BIL’ Mobile App
Currently available for download on tablet devices (iPad and Android)
Simply search for ‘CPDP’ in the app store to download your own copy
Question & Answer session
Questions?
For any other feedback or enquiries please direct your comments to the [email protected] mailbox
Opportunity for you to ask questions through Sli.do or to take questions from the floor…