Victoria’s privacy watchdog has found third-party information security risks at four government agencies. 

All four Victorian government agencies in a recent probe were found to be only partially effective at ensuring third parties are securing the public sector information they receive. 

The findings come from an audit by the Office of the Victorian Information Commission (OVIC) into the compliance of the entities with standard eight of the protective data security standards (VPDSS) - the Department of Environment, Land, Water and Planning (DELWP), Department of Jobs, Precincts and Regions (DJPR), Transport Accident Commission (TAC) and WorkSafe Victoria.

“While the audit considered none of the organisations completely effective across all four audit criteria, there were a wide range of practices and procedures the organisations had implemented at varying levels of effectiveness,” commissioner Sven Bluemmel said.

OVIC said it is concerned that the agencies are only “partially effective” at identifying and responding to changes to information security risks with a third-party.

It found that both TAC and WorkSafe have “strong contractual clauses requiring a third-party to report information security incidents”, but not so much with DJPR and DELWP.

OVIC said it was “unable to determine” whether DJPR had “effective contractual controls requiring third parties to report incidents”.

More details are accessible here.