On this page
Back to IndexThe information on this page provides a generic overview of reporting to OVIC on information security matters. To find information relevant for your organisation, please visit:
Victorian Public Sector stakeholders
Class B Cemetery Trust stakeholders
Part 4 PDP Act requirements
Part 4 of the Privacy and Data Protection Act requires VPS organisations to:
- adhere to the Victorian Protective Data Security Standards (VPDSS or the Standards);
- undertake a Security Risk Profile Assessment (SRPA);
- develop, implement, and maintain a Protective Data Security Plan (PDSP);
- submit a current copy of the PDSP to OVIC;
- provide OVIC free and full access to public sector information and information systems, when requested, including participating in any monitoring and assurance activities conducted by OVIC; and
- ensure that a Contracted Service Provider (CSP) of a VPS organisation, does not do an act or engage in a practice that contravenes the Standards, regarding public sector information collected, held, used, managed, disclosed, or transferred by the provider for the VPS organisation.
Further, the Standards require VPS organisations to:
- provide an annual attestation to OVIC; and
- notify OVIC of information security incidents.
Reporting deliverables and timeframes
| wdt_ID | Deliverable | Timeframe |
|---|---|---|
| 2 | Provide OVIC with an Attestation by the public sector body Head. | Annual |
| 3 | Submit a PDSP (including an Attestation) by the public sector body Head. | Biennial (every 2 years) |
| 4 | Submit an updated PDSP to OVIC, if there is significant change to the:
|
In consultation with OVIC |
| 5 | Notify OVIC of any information security incidents that compromise the confidentiality, integrity, or availability of public sector information, with a ‘limited’ business impact or higher, on government operations, organisations or individuals. | As required |
Please note: Victorian public sector (VPS) organisations are not required to submit an Attestation to OVIC in 2025. Refer to the VPS organisation reporting page for more information.
Organisations submitting an ‘out of cycle’ PDSP must continue to adhere to the regular reporting cycle as outlined in Section 8 of the Victorian Protective Data Security Framework (VPDSF).
What is required of my organisation this year?
For tailored guidance on what is required this year, select from the options below.
Attestation
Each year, Victorian public sector (VPS) organisations are required to submit an Attestation to OVIC, in which they attest to the continuation of information security activities outlined in their previous Protective Data Security Plan (PDSP).
Please note: Victorian public sector (VPS) organisations are not required to submit an Attestation to OVIC in 2025. Refer to the VPS organisation reporting page for more information.
Protective Data Security Plan
What is a Protective Data Security Plan (PDSP)?
A PDSP serves several purposes. It is designed to:
- help an organisation assess its information security capability;
- summarise the organisation’s progress towards implementation of the Victorian Protective Data Security Standards (VPDSS or Standards) and elements; and
- provide assurance to OVIC that the organisation is making progress to improving information security.
VPS organisations must submit a PDSP to OVIC every two years, or sooner in the event of significant change.
Significant change
Overview
Section 89(4) of the PDP Act requires VPS organisations to submit an out-of-cycle PDSP to OVIC if it has undergone, or expects to undergo, a ‘significant change’ to its operating environment or its security risks.
In the event of significant change, contact the Information Security Unit (ISU) OVIC to discuss your reporting options.
Read more about significant change.
Information Security Incident Notification Scheme
Overview
Under VPDSS Element E9.010, VPS organisations notify OVIC of any compromise of public sector information that may cause ‘limited’ (BIL 2) or higher harm/damage to government operations, organisations, or individuals.
This includes, but is not limited to, information with a protective marking of OFFICIAL: Sensitive, PROTECTED, Cabinet-In-Confidence or SECRET.
Notifying OVIC of an Information Security Incident
| wdt_ID | Notification options | How to access |
|---|---|---|
| 2 | Web form (preferred method) | https://incident-notifications.ovic.vic.gov.au/ |
| 3 | Download form | https://ovic.vic.gov.au/privacy/resources-for-organisations/information-security-and-privacy-incident-notification-form/ |
| 4 | Emailing your completed incident notification form to incidents@ovic.vic.gov.au | |
| 5 | Phone (during business hours) | 1300 00 OVIC (1300 006 842) and request to speak to a member of the Information Security Unit |
Go to our page on the OVIC Information Security Incident Notification Scheme to read more about the scheme
Information security resources
This section contains a suite of resources to assist in understanding and implementing the Victorian Protective Data Security Framework (VPDSF) and the Victorian Protective Data Security Standards (VPDSS).
Newly established organisations
If your organisation is newly formed, please contact the Information Security Unit via security@ovic.vic.gov.au to receive an overview of the VPDSS and discuss your obligations.
Contact us
If you need help, please contact us on 1300 006 842 (1300 00 OVIC) between 9am and 5pm, Monday to Friday, or email us security@ovic.vic.gov.au