Quality of Victoria's Critical Data Assets
Review snapshot
Do Victorian Government agencies assure the quality of their critical data assets?
Why we did this review
Government's ability to make informed decisions is critical. Trusted, high-quality data provides a foundation for confident decision-making, informs policy development and supports service delivery.
The presence of unassured or low-quality data across government is a recurring theme in our performance engagements. We previously identified data quality issues in several critical datasets across Victorian government departments and Victoria Police (referred to as agencies in this report).
We conducted this review to better understand whether agencies assure the quality of their critical data assets.
To do this, we reviewed whether agencies meet the Data Quality Information Management Framework standard (Data Quality Standard) requirements.
Key background information

Source: VAGO.
What we concluded
Government agencies are not assuring the quality of their critical data assets in line with the Data Quality Standard.
This is because no audited agency meets the Data Quality Standard in full:
- Most agencies do not have clearly defined approaches for identifying their critical data assets.
- Data management governance arrangements in place do not clearly focus on maintaining and improving critical data assets’ quality.
- None of the agencies completed the required data quality management plan and data quality statement for each critical data asset.
Without a consistent approach to assuring critical data assets’ quality, agencies risk giving advice and making decisions based on unreliable information.
Critical data assets
Critical data assets are collections of data that would have a significant impact on an agency's or the community's social or economic wellbeing if they were unavailable, damaged or destroyed. Critical data assets can include service activity records, payroll information and payment system information.
1. Our findings
What we examined
For this review we had a single line of inquiry:
1. Do agencies meet the requirements of the Data Quality Information Management Framework standard (Data Quality Standard)?
To answer this question, we examined:
- Department of Education (DE)
- Department of Energy, Environment and Climate Action (DEECA)
- Department of Families, Fairness and Housing (DFFH)
- Department of Government Services (DGS)
- Department of Health (DH)
- Department of Justice and Community Safety (DJCS)
- Department of Jobs, Skills, Industry and Regions (DJSIR)
- Department of Premier and Cabinet (DPC)
- Department of Transport and Planning (DTP)
- Department of Treasury and Finance (DTF)
- Victoria Police.
Background information
Information management framework
Victoria's approach to information management is outlined in the Information Management Framework for the Victorian Public Service (the Framework). The Victorian Government issued version 1.0 of the Framework in 2016 for the period to 2020. This timeframe aligned to the vision statement in the Framework:
By 2020, the Victorian Government and its citizens will have access to trusted information that improves decision making, enables insight and supports the planning and delivery of good policy and better services to the public.
The Framework provides a high-level view of government's information management landscape and a shared direction for information management across agencies.
Although the Framework ostensibly lapsed in 2020, the requirements continue to provide a foundation for a consistent approach to measure, communicate and improve data quality across government.
The Data Quality Standard and its related Data Quality Guideline Information Management Framework (the Guideline) are part of the Framework.
Data Quality Standard
The Data Quality Standard requires all agencies to establish and maintain quality standards for critical data assets. Agencies need to define their own requirements and acceptable data quality levels according to:
- user needs
- how the data will be used
- the processes and purposes the data supports.
The Data Quality Standard sets 4 minimum requirements to be applied to all critical data assets.
Figure 1: Minimum requirements for critical data assets

Source: VAGO.
The Data Quality Standard requires a data quality management plan to be completed for each critical data asset. Data quality management plans are a key mechanism for agencies to assess and identify ways to improve data quality over time.
Agencies use these plans to report on quality issues and track improvement actions.
Data quality management plans should include initial data quality assessment results, set out areas for improvement and actions to address data quality issues. The data asset custodian should review and update the plan at least once a year.
Data asset custodian
A data asset custodian is the person responsible for a data asset's day-to-day management. Data custodians are usually subject matter experts and should have strong business knowledge of the asset.
The Data Quality Standard also requires a data quality statement for each critical data asset.
Data quality statements provide information about the asset, including issues that may affect the data asset's quality, and help agencies make decisions about the data's use.
The Guideline specifies that data quality statements need to include:
- an assessment against all 7 data quality dimensions, highlighting its strengths and weaknesses
- a disclaimer about the data asset's use.
Data quality statements help reduce the risk of data misuse by clearly identifying the asset's characteristics and limitations. Data custodians are responsible for completing data quality statements for all their critical data assets.
Implementing the Data Quality Standard
The Victorian Government issued the Guideline to support agencies implementing the Data Quality Standard.
The Guideline provides information about:
- the data quality dimensions
- roles and responsibilities for good data governance
- how to complete the required data quality management plan and data quality statement.
The Guideline says that agencies should identify and register critical data assets in an information asset register. This helps agencies efficiently identify key information and data assets. An agency’s information asset register should give an accurate and overall view of their data assets.
Information asset register
An information asset register is a tool agencies use to record the important information they hold. Agencies are expected to have information asset registers that list the agency’s critical data assets. Registers are usually accessible across the entire agency.
The Guideline also sets key responsibilities for data asset custodians.
Responsibilities include:
- assisting with developing data quality management plans and data quality statements
- making sure changes to plans and processes are documented
- making sure data quality statements are completed for all critical assets
- confirming the statement's status is recorded in the agency's information asset register
- making sure processes meet internal data quality standards, guidelines and policies.
What we found
This section focuses on our single key finding that none of the audited Victorian Government agencies meet the Data Quality Standard requirements in full.
Consultation with agencies
When reaching our conclusions, we consulted with the reviewed agencies and considered their views.
You can read their full responses in Appendix A.
Key finding: None of the audited agencies meet the Data Quality Standard requirements in full
None of the audited agencies can demonstrate that they are assuring their critical data assets' quality in line with the Data Quality Standard.
Most audited agencies do not have clear, documented approaches for identifying and registering critical data assets
We found that only DH, DFFH, DEECA, DTP and Victoria Police have a clear and documented approach to assessing and identifying critical data assets in line with the Framework.
These 5 agencies showed evidence that either a data owner or custodian approved their critical data assets, or that they have a well-designed process for capturing that approval. Figure 2 shows that these agencies have different approaches to assess how critical their data assets are.
Some agencies use the Victorian Protective Data Security Framework Business Impact Levels (VPDSF BIL) table to measure the impact levels if their critical data assets became unavailable, damaged or destroyed. Business Impact Level (BIL) scores range from zero to 5, with zero being no impact and 5 being the most severe impact.
For this review, we considered BIL scores a viable way for agencies to determine if data assets are critical, provided agencies consistently followed a transparent and documented framework.
Figure 2: Approaches for identifying critical data assets
Agency | Approach | Criteria for determining critical data assets |
---|---|---|
DH, DFFH | Defined set of core principles using the criticality definition set out in the Framework. | Data assets are: |
DEECA, DTP | VPDSF BIL scores. | BIL score of 3 (major impact) or higher, and a ‘protective’ marking. |
Victoria Police | Security, information and privacy assessment process in line with the Guideline. | Criticality is informed by: |
Note: This table only presents information for agencies that have a clear and documented method for identifying critical data assets.
Source: VAGO.
Of the 5 agencies that have documented processes for identifying critical data assets, DH, DFFH, DTP and Victoria Police clearly list them in their information asset registers.
DEECA registers BIL scores in line with the Office of the Victorian Information Commissioner’s Sample Information Asset Register Template. DEECA updated its register in February 2025 to flag assets that meet its criticality criteria.
All other agencies assess information and data assets' security value using BIL assessments, in line with VPDSF BIL requirements.
But they do not have a clear and documented approach for using BIL scores to determine if a data asset is critical or non-critical.
Most audited agencies do not have formal governance arrangements to manage critical data assets
We found that most agencies have not developed specific data quality management policies for critical data assets. Only DFFH, DH and DTP showed evidence of comprehensive, agency-wide policies and procedures for improving critical data assets' quality.
Most agencies set out clear quality management responsibilities for data custodians. Seven of the 11 agencies defined custodian roles in the policies, frameworks or guidelines we reviewed. But only DH and DFFH set out specific responsibilities for managing critical data assets.
Without clear roles and management policies, there is a risk that agencies’ most important data assets will not be effectively managed.
None of the audited agencies complete a data quality management plan for all critical data assets
Generally, agencies do not complete data quality management plans for critical data assets. Only DH showed evidence that its data quality management plans align with Guideline requirements.
DH provided data quality management plans for 13 out of 30 critical data assets. Of the 13 provided, 4 plans were incomplete and did not set out areas for improvement or actions to address data quality issues.
No other agencies had up-to-date data quality management plans for their critical data assets.
This means there is a risk that critical data assets are not maintained consistently, with unresolved data quality issues and limited improvement progress.
None of the audited agencies complete a data quality statement for all critical data assets
Only one agency, DH, has data quality statements that meet requirements set out in the Guideline.
DH provided us with data quality statements for 13 out of 30 critical data assets. But our review found that 5 of the 13 data quality statements were incomplete and did not have data quality descriptions. This means that they do not provide insight into the data’s quality.
No other agencies have up-to-date data quality statements for individual critical data assets as set out in the Guideline.
Without these, agency staff may not be able to make informed decisions about using data to support their decision making or advice to government.
Addressing this finding
To address this finding, we made one recommendation to all agencies about implementing a risk-based approach to managing and maintaining critical data assets' quality.
2. Our recommendations
We made one recommendation to address our findings. All audited agencies have accepted the recommendation.
Recommendation | | | Agency response |
---|---|---|---|
Finding: None of the audited agencies meet the requirements of the Data Quality Information Management Framework standard in full | | | |
All audited agencies | 1 | Implement a risk-based approach to managing and maintaining critical data asset quality. This includes: | Accepted |
Appendix A: Submissions and comments
Download a PDF copy of Appendix A: Submissions and comments.
Appendix B: Abbreviations, acronyms and glossary
Download a PDF copy of Appendix B: Abbreviations, acronyms and glossary.
Appendix C: Review scope and method
Download a PDF copy of Appendix C: Review scope and method.