On this pageBack to Index
The information on this page provides a generic overview of reporting to OVIC on information security matters. To find information relevant for your organisation, please visit:
Part 4 PDP Act requirements
Part 4 of the Privacy and Data Protection Act requires VPS organisations to:
- adhere to the Victorian Protective Data Security Standards (VPDSS or the Standards);
- undertake a Security Risk Profile Assessment (SRPA);
- develop, implement, and maintain a Protective Data Security Plan (PDSP);
- submit a current copy of the PDSP to OVIC;
- provide OVIC free and full access to public sector information and information systems, when requested, including participating in any monitoring and assurance activities conducted by OVIC; and
- ensure that a Contracted Service Provider (CSP) of a VPS organisation, does not do an act or engage in a practice that contravenes the Standards, regarding public sector information collected, held, used, managed, disclosed, or transferred by the provider for the VPS organisation.
Further, the Standards require VPS organisations to:
- provide an annual attestation to OVIC; and
- notify OVIC of information security incidents.
Reporting deliverables and timeframes
|Provide OVIC with an Attestation by the public sector body Head.
|Submit a PDSP (including an Attestation) by the public sector body Head.
|Biennial (every 2 years)
|Submit an updated PDSP to OVIC, if there is significant change to the:
|In consultation with OVIC
|Notify OVIC of any information security incidents that compromise the confidentiality, integrity, or availability of public sector information, with a ‘limited’ business impact or higher, on government operations, organisations or individuals.
Please note: Organisations submitting an ‘out of cycle’ PDSP must continue to adhere to the regular reporting cycle as outlined in Section 8 of the Victorian Protective Data Security Framework (VPDSF).
Each year, Victorian public sector (VPS) organisations are required to submit an Attestation to OVIC, in which they attest to the continuation of information security activities outlined in their previous Protective Data Security Plan (PDSP).
Protective data security plan
What is a PDSP?
- helps an organisation assess its information security capability;
- summarises the organisation’s progress towards implementation of the Victorian Protective Data Security Standards (VPDSS or Standards) and elements; and
- provides assurance to OVIC that the organisation is making progress to improving information security.
VPS organisations must submit a PDSP to OVIC every two years, or sooner in the event of significant change.
What is required of my organisation this year?
For tailored guidance on what is required this year, select from the options below.
Section 89(4) of the PDP Act requires VPS organisations to submit an out-of-cycle PDSP to OVIC if it has undergone, or expects to undergo, a ‘significant change’ to its operating environment or its security risks.
In the event of significant change, contact the Information Security Unit (ISU) OVIC to discuss your reporting options.
Read more about significant change.
Information Security Incident Notification Scheme
Under VPDSS Element E9.010, VPS organisations notify OVIC of any compromise of public sector information that may cause ‘limited’ (BIL 2) or higher harm/damage to government operations, organisations, or individuals.
This includes, but is not limited to, information with a protective marking of OFFICIAL: Sensitive, PROTECTED, Cabinet-In-Confidence or SECRET.
Notifying OVIC of an Information Security Incident
|How to access
|Web form (preferred method)
|Emailing your completed incident notification form to firstname.lastname@example.org
|Phone (during business hours)
|1300 00 OVIC (1300 006 842) and request to speak to a member of the Information Security Unit
Go to our page on the OVIC Information Security Incident Notification Scheme to read more about the scheme
Information security resources
This section contains a suite of resources to assist in understanding and implementing the Victorian Protective Data Security Framework (VPDSF) and the Victorian Protective Data Security Standards (VPDSS).
Newly established organisations
If your organisation is newly formed, please contact the Information Security Unit via email@example.com to receive an overview of the VPDSS and discuss your obligations.
If you need help, please contact us on 1300 006 842 (1300 00 OVIC) between 9am and 5pm, Monday to Friday, or email us firstname.lastname@example.org