Requirement
The solution must demonstrate
compliance with the VIFM Act
1985.
The solution must demonstrate
compliance with The Coroners
Act
The solution must demonstrate
compliance with LC-3 NATA
Accreditation.
The Solution must comply with
the following Standard:
- Victorian Protective
Data Security Standards
(VPDSS)
The Solution must comply with
at least one of the following
Standards:
Attorney General’s department
Contract Compliance
No provision
No provision
No provision in relation
National Association of Testing
Authorities, Australia (NATA)
accreditation
No provision
Victorian Protective Data
Security Standards
Revision
35.2.6 To comply with the
Victorian Institute of Forensic
Medicine (VIFM) Act 1985 and
the Coroners Act 2008 when
dealing with forensic medical
and related scientific services
for Victoria.
35.2.7 To assure compliance
with LC-3 National Association
of Testing Authorities, Australia
(NATA) when required.
33.1.4 The Supplier is required
to comply with the 18 standards
of the Victorian Protective Data
Security Standards (VPDSS)
which together provides a set of
criteria for the consistent
application of risk-managed
security practices across
Victorian government
information. Supplier is
required to adhere to the
VPDSS in line with the
compliance requirements set
out in section 88 of the Privacy
and Data Protection Act 2014
(PDP) Act. The Supplier is also
required to comply with the 10
Information Privacy Principles
(IPPs) set out in Schedule 1 of
the PDP Act, which govern the
collection and use of personal
information by public service
bodies
33.1.4 The Supplier is required
to provide a framework to
protect and safeguard
information and systems from
cyber threats by applying
security controls. The supplier is
required to comply with either:
a) Information Security Manual
(ISM) issued by the Australian
Signals Directorate (ASD). The
 risk management framework
used by the ISM has six steps:
define the system, select
controls, implement controls,
assess controls, authorize the
system and monitor the system.

b) Department of Health and

Human Services 72
cybersecurity Controls for
Health Service Providers, deliver
mandatory training in data
security to all staff, align
password policies with
Australian Signals Directorate
guidelines, and conduct annual
user access reviews to ensure
that only relevant staff have
access to digital patient data.
- Information security No provision
manual (ISM) issued by
the Australian Signals
Directorate (ASD)
- Department of Health No provision
and Human Services 72
Controls for Health
Service Providers
The Solution must comply with
the following acts:

- Privacy and "Code of Practice" means a

Data Protection Act code of practice as defined in,
2014 (Vic) and approved under, the
Privacy and Data Protection Act
2014 (Vic)

"Information Privacy Principles"

means the information privacy
principles set out in the Privacy
and Data Protection Act 2014
(Vic)

"Protective Data Security

Standards" means the
standards issued under Part 4 of
the Privacy and Data Protection
Act 2014 (Vic);
 - Health Records 32.6 The Supplier agrees that it
Act 2001 (Vic); will:

32.6.1 be bound by the

Information Privacy Principles,
any applicable Codes of Practice
and the Health Records Act
2001 (Vic) ("Privacy
Obligations") with respect to
any act done in connection with
the provision of the Services in
the same way as the Purchaser
would have been bound had the
relevant act been done by the
Purchaser;
- Public Records 22.4 Without limiting the scope
Act 1973 (Vic); of clause 22.3, the Supplier shall
cooperate with and assist the
Purchaser to comply with any
obligations imposed by the
Public Records Act 1973 (Vic).

“Applicable Legislation”

a) Victorian Institute of Forensic Medicine (VIFM) Act 1985

b) Coroners Act 2008
c) Privacy and Data Protection Act 2014 (Vic)
d) Health Records Act 2001 (Vic)
e) Public Records Act 1973 (Vic)