
Victorian public sector stakeholders

Victorian public sector (VPS) agencies and bodies subject to Part 4 of the Privacy and Data Protection Act 2014 (Vic) (PDP Act) are responsible for protecting the information they generate, hold and manage and ensuring the right people have access to the right information at the right time. This includes securing systems that hold or transmit this information.

Part 4 PDP Act

Requirements

A VPS agency or body subject to Part 4 of the PDP Act must ensure that:

  • it does not do an act or engage in a practice that contravenes a [Victorian] protective data security standard (VPDSS or Standard), in respect of public sector data collected, held, managed, used, disclosed or transferred by it and public sector data systems kept by it.
  • a contracted service provider [third party] of the agency or body does not do an act or engage in a practice that contravenes a protective data security standard in respect of public sector data collected, held, used, managed, disclosed or transferred by the contracted service provider for the agency or body.
  • a security risk profile assessment is undertaken for it, including an assessment of any contracted service provider of the agency or body to the extent that the provider collects, holds, uses, manages, discloses or transfers public sector data for the agency or body.
  • a protective data security plan (PDSP) is:
    • developed that addresses the Standards applicable to that agency or body.
    • developed that also addresses compliance by any contracted service provider of the agency or body with the protective data security standards, to the extent that the provider collects, holds, uses, manages, discloses or transfers public sector data for the agency or body.
    • reviewed if there is a significant change in the operating environment or the security risks relevant to the agency or body.
  • a copy of the PDSP is given to the Information Commissioner.

For the full list of requirements, see sections 88 and 89 of the PDP Act.

Further, VPS organisations:

  • provide an annual attestation to OVIC, and
  • should notify OVIC of information security incidents.

Applicability

Refer to OVIC’s guide, Does the Victorian Protective Data Security Framework apply to your organisation, to see if your agency or body is subject to Part 4 of the PDP Act.

If you are unsure or require further assistance, speak to OVIC’s Information Security Unit (ISU).

What’s required in 2026?

Protective Data Security Plan

In 2026, VPS agencies and bodies are required to submit a copy of their Protective Data Security Plan (PDSP) to OVIC, which includes an Attestation signed by the public sector body Head.

This PDSP documents the development of an information security program that addresses the protection of public sector information.

What does the 2026 PDSP submission cover?

When completing a 2026 PDSP, VPS organisations should consider information security activities that are currently planned, underway or implemented.

How to access a copy of the 2026 PDSP form

  • Single organisation PDSP form – (coming soon)
  • Multi-organisation PDSP form – (coming soon). Email the Information Security Unit to request a meeting to discuss.

When is the 2026 PDSP submission due to OVIC?

VPS agencies and bodies must submit a copy of their PDSP to OVIC from 1 July 2026 and no later than 31 August 2026.

OVIC are unable to offer extensions.

How to submit a copy of the 2026 PDSP form

For information on the submission process, read the 2026 How-to Guide: Completing the Protective Data Security Plan (PDSP).

What to do if your organisation experiences significant change

If your organisation has undergone, or expects to undergo, a ‘significant change’ to its operating environment or its information security risks, you may be required to submit an out-of-cycle PDSP.

OVIC acknowledges that some VPS agencies and bodies will experience a significant change following the release of the Victorian Government’s response to the Independent Review of the Victorian Public Service.

If you are unsure whether your organisation has undergone a ‘significant change’, reach out to OVIC’s ISU to discuss.

Read more about significant change.

Incident notification

Organisations should notify OVIC of incidents with a business impact level (BIL) of 2 (limited) or higher that have an adverse impact on the confidentiality, integrity, or availability of public sector information.

Any organisation that is subject to the PDP Act should use this form to report incidents to OVIC.

Visit OVIC’s webpage, Information Security Incident Notification Scheme, for more information.

If your organisation experiences an information security incident and you wish to discuss with ISU, email incidents@ovic.vic.gov.au

Contact OVIC

Please call 1300 006 842 (1300 00 OVIC) or email security@ovic.vic.gov.au
