Victoria's data security chief has warned vendors to brush up their security postures if they hope to ply trade with the State Government.
Commissioner for Law Enforcement Data Security David Watts will head the state's office of the Privacy and Data Protection Commissioner, a new agency to be formed this year from the merger of both the privacy and law enforcement data security offices.
Watts will be charged with improving security postures across the Victorian public sector in accordance with the Victorian Protective Security Policy Framework (VPSPF), a model based on the federal framework.
Watts said outsourced services that lacked adequate security were like "cars without airbags".
"If you want to do business in Victoria, then Victorians have a right to inspect that your information is secure," he said.
"I will look forward to auditing those outsource service providers to see that they comply [with Victorian law]."
Watts cited an example of an unnamed cloud provider which would fail the test due to its policy of storing customer data across the world but signing contracts inked in Singaporian law.
He said he was confident the increased demands would not scare off business.
Watts became commissioner in 2008 and was charged with ensuring the security of the state's police service and law enforcement data.
His first job heading the new agency will be to increase security and compliance across state government. This would be a slow and considered process, Watts told SC.
"We all know compliance won't happen overnight so let's be realistic. You need to build capacity and resilience within the Victorian public sector."
"One of the most important things to do is to give people very clear goals and targets. We're talking about developing a very clear set of standards that are consistent with the PSPF, tailored for Victoria."
State Governments across Australia have been reguarly grilled for lax security in government audit reports. Many had repeatedly failed to comply with basic standards and shown little improvement between reports.
Watts was a supporter of mandatory data breach reporting but said it must not be uniformly applied. While it would threaten service providers with "astonishing reputational damage", it could shake public confidence in the police service.
"I would be loathe to suggest that Victoria Police report every data breach because it could result in a potential loss of public confidence or could give people an idea of what Victoria Police's vulnerabilities are."