Reporting deliverables and timeframes

Attestation

In 2023, Victorian public sector organisations who have not undergone significant change are required to submit an Attestation form.

If your organisation has undergone significant change, please contact the Information Security Unit via security@ovic.vic.gov.au

Protective data security plan

The Privacy and Data Protection Act 2014 (Vic) (PDP Act) requires Victorian public sector (VPS) organisations to:

• adhere to the Victorian Protective Data Security Standards (VPDSS);
• undertake a security risk profile assessment (SRPA); and
• develop, implement and maintain a Protective Data Security Plan (PDSP).

VPS organisations must submit a PDSP to OVIC every two years, or sooner in the event of significant change.

If your organisation is newly formed in 2023, please contact the Information Security Unit via security@ovic.vic.gov.au to discuss your reporting obligations.

Significant change

Overview

This information sheet explains:

• what may constitute a significant change to an organisations’ operating environment or information security risks;
• what to do when an organisation identifies that there may be significant change; and
• when OVIC expects to be notified of significant change and receive a revised PDSP.

Under the PDP Act organisations must undertake a SRPA and develop a PDSP. A copy of this completed PDSP must be given to the Information Commissioner:

• within 2 years of the issue of the Victorian Protective Data Security Standards (VPDSS); or
• upon significant change to the operating environment or security risks to the organisation.

What constitutes a significant change?

It is difficult to define significant change. It depends on the type of change, information security risks relating to the change, and the organisation’s operating context.

Some examples of significant change could include situations where information security risks have changed due to one or more of the following:

• Machinery of Government (MoG) changes to the organisation’s structure or information assets or systems;
• high staff turnover or changes to staffing (e.g., major organisational restructures);
• changes resulting from new or amended legislation;
• changes to work functions or business operations;
• changes in the operating environment of the organisation (like a large scale move to remote working);
• changes to an information system, or the introduction of a new system (including where a third-party provider manages this system on behalf of the organisation); or
• changes to service provider arrangements where the provider accesses, uses or manages information or information systems on behalf of the organisation (e.g., CenITex as a shared service provider to manage the organisation’s ICT network).

When significant change occurs, organisations must assess the impact of the change and have an informed discussion with OVIC about their information security obligations.

What should my organisation do when it identifies a potential significant change?

When an organisation identifies a potential significant change, it should:

1. Contact OVIC’s Information Security Unit (ISU) within 30 days to discuss next steps;
2. Consult with any impacted parties, complete the Notification of Significant Change form and send the form to security@ovic.vic.gov.au;
3. Undertake a SRPA to capture new or changed information security risks, reflecting these changes in the organisation’s risk register;
4. Revise the organisation’s PDSP to capture new or changed information security risks, update the activities to address the VPDSS and update the implementation status for the activities; and
5. Submit a copy of the revised PDSP to the Information Commissioner.

Who notifies the Information Commissioner of a significant change?

The public sector body Head should submit the Notification of Significant Change form to the Information Commissioner.

Incident Notification

Overview of the information security incident notification scheme

The information security incident notification scheme requires Victorian government agencies or bodies to notify OVIC of incidents that compromise the confidentiality, integrity, or availability of public sector information with a ‘limited’ business impact or higher on government operations, organisations, or individuals.

What sort of incidents need to be notified to OVIC?

Organisations must notify OVIC of incidents that have an adverse impact on the confidentiality, integrity or availability of public sector information with a business impact level (BIL) of 2 (limited) or higher.

Refer to your organisation’s BIL table or the VPDSF BIL table to assess the potential business impact level.

How can I seek assistance in managing an urgent and significant incident?

OVIC does not provide an incident response service. If you require immediate assistance for cyber incidents, please contact the Cyber Incident Response Service (CIRS) directly on 1300 278 842.

What happens after OVIC is notified of an incident?

OVIC will acknowledge receipt of the notification and provide a reference number in case of any follow up communication regarding the notification.

In most cases there will be nothing further required.

However, OVIC may contact you in the following circumstances:

• if your notification did not provide enough detail about the incident, we may request more information from you;
• if your notification points to a potentially serious or systemic breach of the PDP Act, we may contact you to make enquiries in accordance with OVIC’s Regulatory Action Policy; or
• if your notification indicates a risk of harm to the people whose personal information was involved, we may contact you to provide guidance about managing the privacy impacts of the data breach.

How does OVIC use incident notifications?

Incident notifications assist OVIC to develop a comprehensive information security risk profile of the Victorian government. This can be used for trend analysis and understanding of the threat environment as it relates to the protection of public sector information.

OVIC publishes regular Incident Insights Reports about trends and themes observed through the notifications to enable Victorian government agencies and bodies to inform their own risk assessments. OVIC may also share de-identified outcomes of its incident analysis with the Cyber Incident Response Service.

Collection of personal information

This form collects personal information in the way of contact details. This includes your name, position title, organisation, contact number and email address for the purpose of follow up, research projects or activities set out in OVIC’s Regulatory Action Policy.

Where you provide personal information, OVIC may use it to provide you with return confirmation of receipt of your form, seek clarification on the contents of your form or report on any trends.

We ask that you do not include personal information anywhere other than the designated fields on this form.

When submitting your form via email, we may be able to identify you from your email address.

OVIC will not disclose your personal information without your consent, except where required or authorised to do so by law. You may contact OVIC to request access to any personal information you have provided to us by emailing enquiries@ovic.vic.gov.au.

For further information on how OVIC handles personal information, please review our Privacy Policy.

Information security resources

This section contains a suite of resources to assist in understanding and implementing the Victorian Protective Data Security Framework (VPDSF) and the Victorian Protective Data Security Standards (VPDSS).

Contact us

If you need help, please contact us on 1300 006 842 (1300 00 OVIC) between 9am and 5pm, Monday to Friday, or email us security@ovic.vic.gov.au