During these partnerships, third party providers often access public sector information for the purpose of their engagement. As part of the engagement, the Department and third party providers must work together to protect the confidentiality, integrity and availability of public sector information by reducing cyber and privacy risks and avoiding related threats.
Read below to learn more about the responsibilities of DTP staff and businesses.
DTP staff responsibilities
DTP staff are responsible for working with third party providers to identify and manage security and privacy risks, in line with the Department’s Third Party Security Policy and other associated legal obligations.
Under this Policy, staff will:
- work with third party providers to understand their security and privacy practices across information, personnel, ICT and physical security.
- work with third party providers to ensure appropriate security measures are included in contractual agreements to reduce risks during the lifecycle of the contract.
- approve and provide access for businesses who need access to DTP information and systems and apply appropriate security controls around the access.
Third party provider responsibilities
Third party providers are responsible for supporting the Department in managing information security and privacy risks during the contract lifecycle, in accordance with the terms of their contractual obligations and applicable legislation. Information handling practices must align with the requirements set out within Victoria’s Privacy and Data Protection Act 2014 (PDP Act) and its associated Information Privacy Principles (IPP) and Protective Data Security Standards (VPDSS).
Third party provider information security and privacy responsibilities include, but are not limited to:
- securely collect, hold, manage, use, disclose, or transfer public sector information.
- collect and disclose personal information in accordance with contractual obligations and/or IPP 1 of the PDP Act.
- protect personal information from misuse, loss, and unauthorised access, modification, and disclosure.
- immediately notify the Department once an incident or data breach has been identified that may adversely impact the confidentiality, integrity, or availability of DTP information. Third parties can follow our simple three-step cyber incident notification process.
- work with our internal incident response teams and keep them informed about efforts to contain and remediate the incident.
- conduct regular monitoring and assessment of systems used to handle public sector information.
For questions relating to DTP information security, please contact the Cyber Security branch.
For questions relating to DTP information privacy, please contact the Privacy branch.