Victorian Current Acts Victorian Current Acts(1) Within 2 years after the issue of protective data security standards applying to an agency or body to which this Part applies, the public sector body Head must ensure that—
(a) a security risk profile assessment is undertaken for the agency or body; and
(b) a protective data security plan is developed for the agency or body that addresses the protective data security standards applicable to that agency or body.
(2) A security risk profile assessment of an agency or body must include an assessment of any contracted service provider of the agency or body to the extent that the provider collects, holds, uses, manages, discloses or transfers public sector data for the agency or body.
(3) A protective data security plan developed for an agency or body must address compliance by any contracted service provider of the agency or body with the protective data security standards applicable to that agency or body to the extent that the provider collects, holds, uses, manages, discloses or transfers public sector data for the agency or body.
(4) A public sector body Head must ensure that the protective data security plan prepared under this section is reviewed—
(a) if there is a significant change in the operating environment or the security risks relevant to the agency or body; or
(b) otherwise, every 2 years.
S. 89(5) amended by No. 20/2017 s. 106(5).
(5) A public sector body Head for the agency or body must ensure that a copy of the protective data security plan is given to the Information Commissioner.
S. 90 amended by No. 31/2024 s. 59.