The information on this page provides a generic overview of reporting to OVIC on information security matters. To find information relevant for your organisation, please visit:

Victorian Public Sector stakeholders

Class B Cemetery Trust stakeholders

Part 4 PDP Act requirements

Part 4 of the Privacy and Data Protection Act requires VPS organisations to:

• adhere to the Victorian Protective Data Security Standards (VPDSS or the Standards);
• undertake a Security Risk Profile Assessment (SRPA);
• develop, implement, and maintain a Protective Data Security Plan (PDSP);
• submit a current copy of the PDSP to OVIC;
• provide OVIC free and full access to public sector information and information systems, when requested, including participating in any monitoring and assurance activities conducted by OVIC; and
• ensure that a Contracted Service Provider (CSP) of a VPS organisation, does not do an act or engage in a practice that contravenes the Standards, regarding public sector information collected, held, used, managed, disclosed, or transferred by the provider for the VPS organisation.

Further, the Standards require VPS organisations to:

• provide an annual attestation to OVIC; and
• notify OVIC of information security incidents.

Reporting deliverables and timeframes

What is required of my organisation this year?

For tailored guidance on what is required this year, select from the options below.

Attestation

Each year, Victorian public sector (VPS) organisations are required to submit an Attestation to OVIC, in which they attest to the continuation of information security activities outlined in their previous Protective Data Security Plan (PDSP).

Protective Data Security Plan

What is a Protective Data Security Plan (PDSP)?

A PDSP serves several purposes. It is designed to:

• help an organisation assess its information security capability;
• summarise the organisation’s progress towards implementation of the Victorian Protective Data Security Standards (VPDSS or Standards) and elements; and
• provide assurance to OVIC that the organisation is making progress to improving information security.

VPS organisations must submit a PDSP to OVIC every two years, or sooner in the event of significant change.

Significant change

Overview

Section 89(4) of the PDP Act requires VPS organisations to submit an out-of-cycle PDSP to OVIC if it has undergone, or expects to undergo, a ‘significant change’ to its operating environment or its security risks.

In the event of significant change, contact the Information Security Unit (ISU) OVIC to discuss your reporting options.

Read more about significant change.

Information Security Incident Notification Scheme

Overview

Under VPDSS Element E9.010, VPS organisations notify OVIC of any compromise of public sector information that may cause ‘limited’ (BIL 2) or higher harm/damage to government operations, organisations, or individuals.

This includes, but is not limited to, information with a protective marking of OFFICIAL: Sensitive, PROTECTED, Cabinet-In-Confidence or SECRET.

Notifying OVIC of an Information Security Incident

Go to our page on the OVIC Information Security Incident Notification Scheme to read more about the scheme

Information security resources

This section contains a suite of resources to assist in understanding and implementing the Victorian Protective Data Security Framework (VPDSF) and the Victorian Protective Data Security Standards (VPDSS).

Newly established organisations

If your organisation is newly formed, please contact the Information Security Unit via security@ovic.vic.gov.au to receive an overview of the VPDSS and discuss your obligations.

Contact us

If you need help, please contact us on 1300 006 842 (1300 00 OVIC) between 9am and 5pm, Monday to Friday, or email us security@ovic.vic.gov.au