Information Security

7. Annual reporting requirements

Centrally attested schools must provide reports to the department demonstrating overall progress on compliance to the Victorian Protective Data Security Standards (VPDSS), published by the Office of the Victorian Information Commissioner (OVIC).

Reporting scope

• Centrally attested schools must report annually on the controls they are expected to operate as part of the department’s central VPDSS attestation process.
• The department will attest on the remaining controls the department operates on behalf of centrally attested schools. The department is able to report on these controls based on the department-provided ICT systems and services that the schools have adopted, as well as information the school has provided as part of other compliance activities.
• Schools that are not yet centrally attested must continue to follow the VPDSS as outlined in this policy, however they are not required to report to OVIC until they become a centrally attested school.
• School principals will be notified when their school qualifies as a centrally attested school for the next reporting period:
  • from 2024 to 2028, the department is implementing a stepped approach to onboard schools into the central VPDSS attestation process
  • by 2028, all schools will be centrally attested for the purposes of VPDSS reporting.
• The requirement that all schools become centrally attested aligns with the timeline for transitioning schools to department-provided ICT services and systems by 2028, as required by the Technologies and ICT Services policy.

VPDSS attestation process

Detailed instructions will be provided to schools regarding the attestation process, including how to respond to the school VPDSS school questionnaire and complete the Protective Data Security Plan at the time of the attestation.