Information Security Reporting

The information on this page provides a generic overview of reporting to OVIC on information security matters.

Reporting deliverables and timeframes

| Deliverable | Timeframe |
| --- | --- |
| Provide OVIC with an Attestation by the public sector body Head. | Annual |
| Submit a PDSP (including an Attestation) by the public sector body Head. | Biennial (every 2 years) |
| Submit an updated PDSP to OVIC, if there is significant change to the operating environment of the VPS organisation, or security risks relevant to the VPS organisation. | In consultation with OVIC |
| Notify OVIC of any information security incidents that compromise the confidentiality, integrity, or availability of public sector information, with a ‘limited’ business impact or higher, on government operations, organisations or individuals. | As required |

What is required this year?

For tailored guidance on what is required this year, select from the options below.

Victorian public sector stakeholder

Class B cemetery trust stakeholder

Committee of Management of Crown Land Reserves stakeholder


Protective Data Security Plan

What is a Protective Data Security Plan (PDSP)?

A PDSP serves several purposes. It is designed to:

  • help an agency or body assess its information security capability,
  • summarise the organisation’s progress towards implementation of the Victorian Protective Data Security Standards (VPDSS or Standards) and elements, and
  • provide assurance to OVIC that the agency or body is making progress towards improving information security.

Agencies or bodies subject to Part 4 of the PDP Act must submit a PDSP to OVIC every two years, or sooner in the event of significant change.


Attestation

Each year, Victorian public sector (VPS) organisations are required to submit an Attestation to OVIC, in which they attest to the continuation of information security activities outlined in their previous Protective Data Security Plan (PDSP).


Significant change

Section 89(4) of the PDP Act requires a VPS agency or body to submit an out-of-cycle PDSP to OVIC if it has undergone, or expects to undergo, a ‘significant change’ to its operating environment or its security risks.

In the event of significant change, contact OVIC's Information Security Unit (ISU) to discuss your reporting options.

Read more about significant change.


Newly established organisations

If your organisation is newly formed, please contact the ISU to receive an overview of the VPDSS and discuss your obligations.


Information Security Incident Notification Scheme

Under VPDSS Element E9.010, VPS agencies and bodies should notify OVIC of any compromise of public sector information that may cause ‘limited’ (BIL 2) or higher harm/damage to government operations, organisations, or individuals.

This includes, but is not limited to, information with a protective marking of OFFICIAL: Sensitive, PROTECTED, Cabinet-In-Confidence or SECRET.

Notifying OVIC of an Information Security Incident

| Notification options | How to access |
| --- | --- |
| Web form (preferred method) | https://incident-notifications.ovic.vic.gov.au/ |
| Download form | https://ovic.vic.gov.au/privacy/resources-for-organisations/information-security-and-privacy-incident-notification-form/ |
| Email | Email your completed incident notification form to incidents@ovic.vic.gov.au |
| Phone (during business hours) | Call 1300 00 OVIC (1300 006 842) and request to speak to a member of the Information Security Unit |

What happens after OVIC is notified of an incident?

OVIC will acknowledge receipt of the notification and provide a reference number in case of any follow up communication regarding the notification.

In most cases, there will be nothing further required.

However, OVIC may contact you in the following circumstances:

  • if your notification did not provide enough detail about the incident, we may request more information from you;
  • if your notification points to a potentially serious or systemic breach of the Privacy and Data Protection Act 2014 (Vic) (PDP Act), we may contact you to make enquiries in accordance with OVIC’s Regulatory Action Policy (https://ovic.vic.gov.au/regulatory-approach/regulatory-action-policy/); or
  • if your notification indicates a risk of harm to the people whose personal information was involved, we may contact you to provide guidance about managing the privacy impacts of the data breach.

Go to our page on the OVIC Information Security Incident Notification Scheme to read more about the scheme.


Information Security resources

This section contains a suite of resources to assist in understanding and implementing the Victorian Protective Data Security Framework (VPDSF) and the Victorian Protective Data Security Standards (VPDSS).


Contact us

If you need help, please contact us on 1300 006 842 (1300 00 OVIC) between 9:30am and 4:30pm, Monday to Friday, or email us at security@ovic.vic.gov.au

 

Last updated: 7 January 2026

 
