We recommend installing Microsoft Edge, Google Chrome, Safari, Firefox, or Opera to visit the site.
Agency reporting obligations
This page outlines information on the reporting obligations of Victorian public sector organisations under the Privacy and Data Protection Act 2014.
Latest updates
Significant Change Notification Process has been updated Updated 20/01/2022
Form-Notification-to-the-Information-Commissioner-of-Significant-Change-V1.0 has been published Updated 06/09/2021
Attestations
Victorian public sector organisations must annually attest to the progress of activities identified in its Protective Data Security Plan (PDSP) to OVIC.
Protective Data Security Plans
Victorian public sector organisations must submit a PDSP to OVIC at least every two years, or upon significant change.
Incident Notification
Organisations must notify OVIC of incidents that have an adverse impact on the confidentiality, integrity or availability of public sector information with a business impact level (BIL) of 2 (limited) or higher.
Significant change
When organisations experience a significant change to their operations, the risks to their information assets and their protective data security obligations can change as a result.