Skip to Content
From Monday 12 September 2020, OVIC's website will no longer be supported in Internet Explorer (IE).
We recommend installing Microsoft Edge, Google Chrome, Safari, Firefox, or Opera to visit the site.

Victorian public sector stakeholders

Reporting 2025

In 2025, Victorian public sector (VPS) organisations are normally required to submit an Attestation signed by the public sector body Head.

Following significant deliberation and review by members of OVIC, VPS organisations now have deferred 2025 Attestation reporting obligations under the Victorian Protective Data Security Framework (‘the Framework’) and Standards (‘VPDSS’ or ‘the Standards’). All other reporting obligations to OVIC remain unchanged.

This deferral supports OVIC’s intention to review and uplift the VPDSS product suite, following feedback from stakeholders and responses from the 2024 Protective Data Security Plans (PDSPs). This project will focus on maintaining currency of the Standards and offering clarity to users and delivering efficiencies in this space.

OVIC will undertake formal consultation on the revised VPDSS, with more information on these engagements to come.

What do I do if I am a newly established organisation?

If your organisation is newly formed, please contact the Information Security Unit via security@ovic.vic.gov.au to discuss your reporting obligations.

Significant change

If your organisation has undergone, or expects to undergo, a ‘significant change’ to its operating environment or its security risks, you may be required to submit an out-of-cycle PDSP. This obligation remains unchanged in 2025.

In the event of significant change, contact the Information Security Unit (ISU) OVIC to discuss your reporting options.

Read more about significant change.

Incident notification

Organisations must notify OVIC of incidents with a business impact level (BIL) of 2 (limited) or higher that have an adverse impact on the confidentiality, integrity, or availability of public sector information.

Any organisation that is subject to the PDP Act should use this form to report incidents to OVIC, whether voluntarily or by obligation. This obligation remains unchanged in 2025.

Please refer to the online form to notify us of information security incidents.

If you’d prefer to download a document to print and fill out, please download the form in the sidebar and email it to incidents@ovic.vic.gov.au

Information security resources

This page contains a suite of resources to assist in understanding and implementing the Victorian Protective Data Security Framework (VPDSF) and the Victorian Protective Data Security Standards (VPDSS).

Contact us

If you need help, please contact us on 1300 006 842 (1300 00 OVIC), or email us security@ovic.vic.gov.au

Contents

Back to Index
Back to top
Back to Top