Victorian public sector stakeholders

The 2024 Protective Data Security Plan (PDSP) form has recently been updated.

OVIC identified minor issues with version 3.4 of the PDSP form and has released a version 3.5 as a replacement.

If you have downloaded a copy of the PDSP form before 9th of April 2024, please ensure you download and use version 3.5 of the PDSP form.

To access a copy of version 3.5 of the 2024 PDSP form click here.


Reporting 2024

In 2024, Victorian public sector (VPS) organisations are required to submit a Protective Data Security Plan (PDSP), which includes an Attestation signed by the public sector body Head.

What reporting period does this PDSP cover?

2024 PDSP submissions should cover the reporting period of 1 July 2022 to 30 June 2024.

How can I access the 2024 PDSP forms?

The 2024 Protective Data Security Plan (PDSP) form has recently been updated.

OVIC has identified minor issues with version 3.4 of the PDSP form and has released a version 3.5 as a replacement.

If you have downloaded a copy of the PDSP form before 9th of April 2024, please ensure you download and use version 3.5 of the PDSP form.

What is the submission window for 2024?

Organisations are expected to submit a copy of their PDSP to OVIC between 1 July 2024 and 31 August 2024.

What do I do if I am a newly established organisation?

If your organisation is newly formed in 2024, please contact the Information Security Unit via security@ovic.vic.gov.au to discuss your reporting obligations.

The Privacy and Data Protection Act 2014 (Vic) (PDP Act) requires VPS organisations to:

  • adhere to the Victorian Protective Data Security Standards (VPDSS or the Standards);
  • undertake a Security Risk Profile Assessment (SRPA);
  • develop, implement, and maintain a PDSP;
  • submit a current copy of the PDSP to OVIC;
  • provide OVIC free and full access to public sector information and information systems, when requested, including participating in any monitoring and assurance activities conducted by OVIC; and
  • ensure that a Contracted Service Provider (CSP) of a VPS organisation does not do an act or engage in a practice that contravenes the Standards, regarding public sector information collected, held, used, managed, disclosed, or transferred by the provider for the VPS organisation.

Further, the Standards require VPS organisations to:

  • provide an annual attestation to OVIC; and
  • notify OVIC of information security incidents.

To learn more, see section 9.3 (Timeframes and deliverables in practice) of the Victorian Protective Data Security Framework.


Protective Data Security Plan

What is a PDSP?

A PDSP serves several purposes. It is designed to:

  • help an organisation assess its information security capability;
  • summarise the organisation’s progress towards implementation of the Victorian Protective Data Security Standards (VPDSS or Standards) and elements; and
  • provide assurance to OVIC that the organisation is making progress towards improving information security.

VPS organisations must submit a PDSP to OVIC every two years, or sooner in the event of significant change.


Significant change

If your organisation has undergone, or expects to undergo, a ‘significant change’ to its operating environment or its security risks, you may be required to submit an out-of-cycle PDSP.

In the event of significant change, contact the Information Security Unit (ISU) at OVIC to discuss your reporting options.

Read more about significant change.


Incident notification

Organisations must notify OVIC of incidents with a business impact level (BIL) of 2 (limited) or higher that have an adverse impact on the confidentiality, integrity, or availability of public sector information.

Any organisation that is subject to the PDP Act should use this form to report incidents to OVIC, whether voluntarily or by obligation.

Please refer to the online form to notify us of information security incidents.

If you’d prefer to download a document to print and fill out, please download the form in the sidebar and email it to incidents@ovic.vic.gov.au.


Information security resources

This page contains a suite of resources to assist in understanding and implementing the Victorian Protective Data Security Framework (VPDSF) and the Victorian Protective Data Security Standards (VPDSS).


Contact us

If you need help, please contact us on 1300 006 842 (1300 00 OVIC), or email us at security@ovic.vic.gov.au.

Download

  • 2024-How-to-A-guide-to-completing-the-Protective-Data-Security-Plan-PDSP.pdf (Size 1.22 MB)
  • 2024 OVIC Single Organisation Protective Data Security Plan V3.5 - PDF (Size 9.48 MB)
  • 2024 Multi Organisation Protective Data Security Plan PDSP Reporting Model and Process (V1.4) - PDF (Size 368.17 KB)
