On this page
Back to IndexThe information on this page provides a generic overview of reporting to OVIC on information security matters. To find information relevant for your organisation, please visit:
Victorian Public Sector stakeholders
Class B Cemetery Trust stakeholders
Part 4 PDP Act requirements
Part 4 of the Privacy and Data Protection Act requires VPS organisations to:
- adhere to the Victorian Protective Data Security Standards (VPDSS or the Standards);
- undertake a Security Risk Profile Assessment (SRPA);
- develop, implement, and maintain a Protective Data Security Plan (PDSP);
- submit a current copy of the PDSP to OVIC;
- provide OVIC free and full access to public sector information and information systems, when requested, including participating in any monitoring and assurance activities conducted by OVIC; and
- ensure that a Contracted Service Provider (CSP) of a VPS organisation, does not do an act or engage in a practice that contravenes the Standards, regarding public sector information collected, held, used, managed, disclosed, or transferred by the provider for the VPS organisation.
Further, the Standards require VPS organisations to:
- provide an annual attestation to OVIC; and
- notify OVIC of information security incidents.
Reporting deliverables and timeframes
| wdt_ID | Deliverable | Timeframe |
|---|---|---|
| 2 | Provide OVIC with an Attestation by the public sector body Head. | Annual |
| 3 | Submit a PDSP (including an Attestation) by the public sector body Head. | Biennial (every 2 years) |
| 4 | Submit an updated PDSP to OVIC, if there is significant change to the:
|
In consultation with OVIC |
| 5 | Notify OVIC of any information security incidents that compromise the confidentiality, integrity, or availability of public sector information, with a ‘limited’ business impact or higher, on government operations, organisations or individuals. | As required |
Please note: Victorian public sector (VPS) organisations are not required to submit an Attestation to OVIC in 2025. Refer to the VPS organisation reporting page for more information.
Organisations submitting an ‘out of cycle’ PDSP must continue to adhere to the regular reporting cycle as outlined in Section 8 of the Victorian Protective Data Security Framework (VPDSF).
What is required of my organisation this year?
For tailored guidance on what is required this year, select from the options below.
Attestation
Each year, Victorian public sector (VPS) organisations are required to submit an Attestation to OVIC, in which they attest to the continuation of information security activities outlined in their previous Protective Data Security Plan (PDSP).
Please note: Victorian public sector (VPS) organisations are not required to submit an Attestation to OVIC in 2025. Refer to the VPS organisation reporting page for more information.
Protective Data Security Plan
What is a Protective Data Security Plan (PDSP)?
A PDSP serves several purposes. It is designed to:
- help an organisation assess its information security capability;
- summarise the organisation’s progress towards implementation of the Victorian Protective Data Security Standards (VPDSS or Standards) and elements; and
- provide assurance to OVIC that the organisation is making progress to improving information security.
VPS organisations must submit a PDSP to OVIC every two years, or sooner in the event of significant change.
Significant change
Overview
Section 89(4) of the PDP Act requires VPS organisations to submit an out-of-cycle PDSP to OVIC if it has undergone, or expects to undergo, a ‘significant change’ to its operating environment or its security risks.
In the event of significant change, contact the Information Security Unit (ISU) OVIC to discuss your reporting options.
Read more about significant change.
Information Security Incident Notification Scheme
Overview
Under VPDSS Element E9.010, VPS organisations notify OVIC of any compromise of public sector information that may cause ‘limited’ (BIL 2) or higher harm/damage to government operations, organisations, or individuals.
This includes, but is not limited to, information with a protective marking of OFFICIAL: Sensitive, PROTECTED, Cabinet-In-Confidence or SECRET.
Notifying OVIC of an Information Security Incident
| wdt_ID | Notification options | How to access |
|---|---|---|
| 2 | Web form (preferred method) | https://incident-notifications.ovic.vic.gov.au/ |
| 3 | Download form | https://ovic.vic.gov.au/privacy/resources-for-organisations/information-security-and-privacy-incident-notification-form/ |
| 4 | Emailing your completed incident notification form to incidents@ovic.vic.gov.au | |
| 5 | Phone (during business hours) | 1300 00 OVIC (1300 006 842) and request to speak to a member of the Information Security Unit |
What happens after OVIC is notified of an incident?
OVIC will acknowledge receipt of the notification and provide a reference number in case of any follow up communication regarding the notification.
In most cases, there will be nothing further required.
However, OVIC may contact you in the following circumstances:
- if your notification did not provide enough detail about the incident, we may request more information from you;
- if your notification points to a potentially serious or systemic breach of the Privacy and Data Protection Act 2014 (Vic) (PDP Act), we may contact you to make enquiries in accordance with OVIC’s Regulatory Action Policy ; or (https://ovic.vic.gov.au/regulatory-approach/regulatory-action-policy/)
- if your notification indicates a risk of harm to the people whose personal information was involved, we may contact you to provide guidance about managing the privacy impacts of the data breach.
Go to our page on the OVIC Information Security Incident Notification Scheme to read more about the scheme
Information security resources
This section contains a suite of resources to assist in understanding and implementing the Victorian Protective Data Security Framework (VPDSF) and the Victorian Protective Data Security Standards (VPDSS).
Newly established organisations
If your organisation is newly formed, please contact the Information Security Unit via security@ovic.vic.gov.au to receive an overview of the VPDSS and discuss your obligations.
Contact us
If you need help, please contact us on 1300 006 842 (1300 00 OVIC) between 9am and 5pm, Monday to Friday, or email us security@ovic.vic.gov.au