Service Agreement Information Kit for Funded Organisations

3.17.4 Security of personal and health information

Under Information Privacy Principle (IPP) 4.1 of the PDP Act and Health Privacy Principle (HPP) 4.1 of the HR Act, an organisation is required to take reasonable steps to protect the information it holds from misuse, loss, and unauthorised access, modification or disclosure.

An organisation needs to secure personal information from its creation (when the data is first recorded), through any transformation (such as from paper to electronic form), during its transmission (whether physically carried or sent digitally through a computer network), and while it is held (for example, text messages stored in a mobile phone). Organisations should refer to the Office of the Commissioner for Privacy and Data Protection's website for information in relation to data security.

An organisation's obligations to protect and keep information secure under IPP 4.1 and HPP 4.1 continue for as long as the organisation holds the information, until the information is disposed of in accordance with IPP 4.2, HPP 4.2 and HPP 4.5 (as the context requires) and any other relevant laws, such as the Public Records Act 1973 (Vic).

In deciding what reasonable steps to take to protect personal information, the Office of the Victorian Commissioner for Privacy and Data Protection suggests that the following factors be considered:

- physical security, including securing a building or equipment where information is housed;
- logical security, including controlling access to data; and
- communication security, including protecting data during transmission, for example by facsimile, email and online.

(Office of the Victorian Privacy Commissioner for Privacy and Data Protection, 2011, page 103; see also the Office's website and its What is Protective Data Security webpage.)

Part 4 of the PDP Act requires the Commissioner for Privacy and Data Protection to develop a Victorian Protective Data Security Framework for monitoring and assuring the security of public sector data. Part 4 of the Act also permits the Commissioner to issue Standards, consistent with the Framework, for the security, confidentiality and integrity of public sector data and for access to public sector data. Once published, the Framework and Standards will be available from the Office of the Commissioner for Privacy and Data Protection's website.

Within two years after the issue of applicable Protective Data Security Standards by the Commissioner, the department is required to develop a Protective Data Security Plan that addresses the Standards applicable to the department. Among other things, any Protective Data Security Plan developed for the department must address compliance by the department’s contracted service providers with the relevant Standards that apply to the department, to the extent that those providers collect, hold, use, manage, disclose or transfer public sector data for the department.

Clause 17.2 of the Service Agreement provides that a funded organisation is bound by any applicable Protective Data Security Standards issued by the Commissioner for Privacy and Data Protection and any provision of a Protective Data Security Plan developed for the department that applies to the organisation.

Having an effective recordkeeping system (see clause 6 of the Service Agreement) is a necessary step in ensuring that data is secured. By implementing and maintaining an effective recordkeeping system, an organisation should be able to properly categorise and store records, and ensure appropriate access to records.

Funded organisations are to implement safeguards that are appropriate and proportionate to the likely risk of a security breach and the gravity of harm that may result. Information risk management should be incorporated into an organisation’s broader risk management approach.

Resources on information security

The department has developed guidelines on Information Security to support organisations to provide their staff with data security training and help protect information kept by organisations from misuse, loss, and unauthorised access, modification or disclosure.

The guidelines cover all aspects of information security including handling, sharing, storing, transporting and disposing of client information as well as incident response and contact details if organisations require further information.

The Office of the Commissioner for Privacy and Data Protection website also has a range of guides on information security, including guides on the use of cloud computing, email disclaimers and mobile phone usage; see: