
Victorian public sector stakeholders

The 2024 Protective Data Security Plan (PDSP) has recently been updated. If you have accessed this before 26 February 2024, please ensure you download and use version 3.4 of the PDSP form.

Reporting 2024

In 2024, Victorian public sector (VPS) organisations are required to submit a Protective Data Security Plan (PDSP), which includes an Attestation signed by the public sector body Head.

What reporting period does this PDSP cover?

2024 PDSP submissions should cover the reporting period of 1 July 2022 to 30 June 2024.

How can I access the 2024 PDSP forms?

The 2024 PDSP form is now available. This form has been updated for this reporting cycle. Previous years' forms will not be accepted in 2024.

  • Single organisation PDSP form
    (Checksum: bac34689cc4d808986787049a6a48679632ba4b7843013f9b035db6f23997328)
  • Multi-organisation PDSP form – Email security@ovic.vic.gov.au to discuss your requirements

What is the submission window for 2024?

Organisations are expected to submit a copy of their PDSP to OVIC between 1 July 2024 and 31 August 2024.

What do I do if I am a newly established organisation?

If your organisation is newly formed in 2024, please contact the Information Security Unit via security@ovic.vic.gov.au to discuss your reporting obligations.

The Privacy and Data Protection Act 2014 (Vic) (PDP Act) requires VPS organisations to:

  • adhere to the Victorian Protective Data Security Standards (VPDSS or the Standards);
  • undertake a Security Risk Profile Assessment (SRPA);
  • develop, implement, and maintain a PDSP;
  • submit a current copy of the PDSP to OVIC;
  • provide OVIC free and full access to public sector information and information systems, when requested, including participating in any monitoring and assurance activities conducted by OVIC; and
  • ensure that a Contracted Service Provider (CSP) of a VPS organisation does not do an act or engage in a practice that contravenes the Standards, regarding public sector information collected, held, used, managed, disclosed, or transferred by the provider for the VPS organisation.

Further, the Standards require VPS organisations to:

  • provide an annual attestation to OVIC; and
  • notify OVIC of information security incidents.

To learn more, consider section 9.3 (Timeframes and deliverables in practice) of the Victorian Protective Data Security Framework.


Protective Data Security Plan

What is a PDSP?

A PDSP serves several purposes. It is designed to:

  • help an organisation assess its information security capability;
  • summarise the organisation’s progress towards implementation of the Victorian Protective Data Security Standards (VPDSS or Standards) and elements; and
  • provide assurance to OVIC that the organisation is making progress towards improving information security.

VPS organisations must submit a PDSP to OVIC every two years, or sooner in the event of significant change.


Significant change

If your organisation has undergone, or expects to undergo, a ‘significant change’ to its operating environment or its security risks, you may be required to submit an out-of-cycle PDSP.

In the event of significant change, contact the Information Security Unit (ISU) at OVIC to discuss your reporting options.

Read more about significant change.


Incident notification

Organisations must notify OVIC of incidents with a business impact level (BIL) of 2 (limited) or higher that have an adverse impact on the confidentiality, integrity, or availability of public sector information.

Any organisation that is subject to the PDP Act should use this form to report incidents to OVIC, whether voluntarily or by obligation.

Please refer to the online form to notify us of information security incidents.

If you’d prefer to download a document to print and fill out, please download the form in the sidebar and email it to incidents@ovic.vic.gov.au


Information security resources

This page contains a suite of resources to assist in understanding and implementing the Victorian Protective Data Security Framework (VPDSF) and the Victorian Protective Data Security Standards (VPDSS).


Contact us

If you need help, please contact us on 1300 006 842 (1300 00 OVIC), or email us at security@ovic.vic.gov.au

Download

  • 2024-How-to-A-guide-to-completing-the-Protective-Data-Security-Plan-PDSP.pdf (Size 1.22 MB)
  • 2024-OVIC-Single-Organisation-Protective-Data-Security-Plan-V3.4.pdf (Size 9.43 MB)
  • 2024-Multi-Organisation-Protective-Data-Security-Plan-PDSP-Reporting-Model-and-Process.pdf (Size 366.27 KB)
