Victorian public sector stakeholders
In 2023, organisations are required to submit an Attestation in which they attest to the continuation of information security activities outlined in their previous Protective Data Security Plan (PDSP).
For those organisations that have not undergone a significant change, a single organisation Attestation form is now available.
Attestations should cover the reporting period of 1 July 2022 to 30 June 2023.
Organisations are expected to submit a copy of their Attestation to OVIC between 1 July 2023 and 31 August 2023.
The single organisation Attestation form should be used where an organisation submits a PDSP on its own behalf.
The multi-organisation Attestation form should be used where an organisation previously submitted a PDSP on its own behalf and on behalf of one or more additional organisations in 2022.
If you require a multi-organisation Attestation form, please contact us at email@example.com.
However, if an organisation has undergone a significant change to their operating environment or information security risks (such as a restructure or Machinery of Government), they are required to notify OVIC and may be required to submit a full, out-of-cycle PDSP.
Protective Data Security Plan
Victorian public sector (VPS) organisations have a responsibility to effectively identify and manage information security risks across the information lifecycle.
The security risk profile assessment process is a foundational activity that needs to be undertaken prior to developing a PDSP.
To find out how to complete the Security Risk Profile Assessment (SRPA) process, refer to our Practitioner Guide on Information Security Risk Management.
If your organisation is newly formed in 2023, please contact the Information Security Unit via firstname.lastname@example.org to discuss your reporting obligations.
If you require a PDSP template, please contact the Information Security Unit via email@example.com.
When organisations experience a significant change to their operations, the risks to their information assets and their protective data security obligations can change as a result.
Organisations must notify OVIC of incidents with a business impact level (BIL) of 2 (limited) or higher that have an adverse impact on the confidentiality, integrity or availability of public sector information.
Information security resources
This section contains a suite of resources to assist in understanding and implementing the Victorian Protective Data Security Framework (VPDSF) and the Victorian Protective Data Security Standards (VPDSS).
If you need help, please contact us on 1300 006 842 (1300 00 OVIC) between 9am and 5pm, Monday to Friday, or email us at firstname.lastname@example.org.