What is the Victorian Protective Data Security Framework?
The Victorian Protective Data Security Framework (VPDSF) is the overall scheme for managing protective data security risks in Victoria’s public sector. Established under Part Four of the Privacy and Data Protection Act 2014 (PDP Act), the framework consists of the:
- Victorian Protective Data Security Standards (the Standards)
- the Assurance Model
- supplementary security guides and supporting resources.
The framework was developed by the Office of the Victorian Information Commissioner (OVIC). Information and resources are available from their website. At a Commonwealth level, an equivalent regime is operated by the Attorney Generals Department. This regime is known as the Protective Security Policy Framework (PSPF) and governs protective security for federal agencies and bodies. The PSPF sets out policy requirements under the protective security domains of Governance, Information, Personnel and Physical Security. The Information Security requirements of the PSPF heavily influence those of the VPDSF, as they both govern the protection of official information in their respective jurisdictions.
Why does the VPDSF align with the PSPF?
Some PSPF requirements have implications for Victorian Government agencies or bodies; in particular those accessing or using Commonwealth generated information.
To provide a solid foundation for secure information sharing practices, the VPDSF seeks to align where possible with the Commonwealth scheme, reducing the need for organisations to re-mark their material when sharing, or undertake additional training to understand what security measures are needed when handling the information.
This consistency application of information security measures, promotes confident engagements not only between Victorian Government agencies, but with counterparts in other State, Territory and Commonwealth bodies.
So what has recently changed?
In October 2018, the Attorney Generals released major reforms to the PSPF. These reforms included changes to the PSPF protective marking scheme and information assessment tools, resulting in:
- a reduction of the number of the ‘security label’s (classifications and dissemination limiting markers) available, and
- introducing optional markings called ‘Information Management Markers’ (IMMs).
With changes to the Commonwealth level, the VPDSF protective marking scheme has in turn been reviewed and updated. These updates generally reflect those of the PSPF, with a slight deviation to the marking for Victorian Cabinet information.
For more information on the new VPDSF protective markings, please refer to the OVIC website.
What is covered by the updated protective marking scheme?
The VPDSF protective marking scheme applies to all forms of official government information, or otherwise known as public sector data as defined in the Privacy and Data Protection Act 2014. This includes information obtained, generated, received or held by or for a Victorian public sector agency or body for an official purpose or supporting official activities.
‘Unofficial’ information (personal correspondence, such an email to a friend discussing a movie, or other non-work-related material) does not need to be assessed under the VPDSF protective marking scheme and does not require a formal ‘security label’.
This definition aligns with the Public Record Act 1973 definition of public record which is any record made or received by a public officer in the course of their duties and any record made or received by a court or person acting judicially in Victoria.
Organisations subject to the Privacy and Data Protection Act 2014 are required to apply the VPDSF. This includes public sector organisations, statutory bodies and local councils.
What are Protective Markings?
Protective markings are administrative security label assigned to official information.
This label is directly linked to the business impact level (BIL) signalling a potential compromise of the confidentiality of the information.
Protective markings also inform the minimum security requirements during use, storage, transmission, transfer and disposal. Protective markings include security classifications, dissemination limiting markers and caveats.
What are Information Management Markers (IMM)?
If applying a protective marking to information / records, an organisation may choose to also apply an Information Management Marker (IMM). They are optional designations which organisations may choose to "mark" records with or include in the metadata about the records.
IMMs help manage the security of and access to information / records by signalling the type of content they contain.
So this means –
- the protective marking signals the degree of harm which would result from the unintended access or disclosure of a record (information)
- the additional information management marker (IMM), which an organisation may choose to “mark” a record (information) with, signals the type of content.
The IMMs were developed by the National Archives of Australia for use by the Commonwealth government, in alignment with the Australian Government Recordkeeping Metadata Standard (AGRkMS). The AGRkMS metadata set is endorsed by PROV for agencies to use when creating and managing permanent value or long-term temporary records.
The Australian Government Recordkeeping Metadata Standard (AGRkMS) has a metadata property called Rights. The Rights metadata property sets out a number of terms which can be used to indicate the content of the record / information, including three which have been designated and can be selected as IMMs.
The three which have been designated as IMMs under the VPDSF and PROV are:
- Legal Privilege
- Restrictions on access to, or use of, information covered by legal professional provisions.
- Legislative Secrecy
- Restrictions on access to, or use of, information covered by legislative secrecy provisions.
- Personal Privacy
- Restrictions on access to, or use of, personal and/or health information collected for official purposes (Privacy and Data Protection Act 2014 or Health Records Act 2001).
More than one IMM can be applied to records / information, if the content warrants it. However, technical limitations generally mean only one IMM can be applied to an email, so the most relevant IMM should be chosen.
In emails, IMMs would generally be added as a suffix to the subject line or header. (Suffix rather than prefix, so that the email subject is still visible)
Remember – Information Management Markers are optional – use them if they will assist you in managing security and access.
How does this relate to access arrangements made when transferring permanent value records to PROV custody?
All records transferred to the custody of PROV are on open access to the public unless they are specifically closed under a section of the Public Records Act 1973. As part of the transfer process, access arrangements are negotiated between the agency responsible for the records and PROV.
Any protective markers or information management markers which have been applied to records do not determine or affect the access arrangements made when permanent value records are transferred to PROV. However they may assist by signalling that there were security concerns in relation to the records, at the point when they were in active use.
Any protective markers or information management markers which have been applied to the records should not be removed when transferring records to PROV – they will form part of the contextual information which explains how records were used.