Skip to Content
From Monday 12 September 2020, OVIC's website will no longer be supported in Internet Explorer (IE).
We recommend installing Microsoft Edge, Google Chrome, Safari, Firefox, or Opera to visit the site.
Agency Reporting Obligations

On this page

Back to Index

The information on this page provides a generic overview of reporting to OVIC on information security matters. To find information relevant for your organisation, please visit:

VPS organisation reporting page 

Class B Cemetery Trust reporting page

Part 4 PDP Act requirements

Part 4 of the Privacy and Data Protection Act requires VPS organisations to:

  • adhere to the Victorian Protective Data Security Standards (VPDSS or the Standards);
  • undertake a Security Risk Profile Assessment (SRPA);
  • develop, implement, and maintain a Protective Data Security Plan (PDSP);
  • submit a current copy of the PDSP to OVIC;
  • provide OVIC free and full access to public sector information and information systems, when requested, including participating in any monitoring and assurance activities conducted by OVIC; and
  • ensure that a Contracted Service Provider (CSP) of a VPS organisation, does not do an act or engage in a practice that contravenes the Standards, regarding public sector information collected, held, used, managed, disclosed, or transferred by the provider for the VPS organisation.

Further, the Standards require VPS organisations to:

  • provide an annual attestation to OVIC; and
  • notify OVIC of information security incidents.

Reporting deliverables and timeframes

wdt_ID Deliverable Timeframe
2 Provide OVIC with an Attestation by the public sector body Head. Annual
3 Submit a PDSP (including an Attestation) by the public sector body Head. Biennial (every 2 years)
4 Submit an updated PDSP to OVIC, if there is significant change to the:
  • operating environment of the VPS organisation;
  • or security risks relevant to the VPS organisation.
In consultation with OVIC
5 Notify OVIC of any information security incidents that compromise the confidentiality, integrity, or availability of public sector information, with a ‘limited’ business impact or higher, on government operations, organisations or individuals. As required

Please note: Organisations submitting an ‘out of cycle’ PDSP must continue to adhere to the regular reporting cycle as outlined in Section 8 of the Victorian Protective Data Security Framework (VPDSF).


Each year, Victorian public sector (VPS) organisations are required to submit an Attestation to OVIC, in which they attest to the continuation of information security activities outlined in their previous Protective Data Security Plan (PDSP).

Protective data security plan

What is a PDSP?


  • helps an organisation assess its information security capability;
  • summarises the organisation’s progress towards implementation of the Victorian Protective Data Security Standards (VPDSS or Standards) and elements; and
  • provides assurance to OVIC that the organisation is making progress to improving information security.

VPS organisations must submit a PDSP to OVIC every two years, or sooner in the event of significant change.

What is required of my organisation this year?

For tailored guidance on what is required this year, select from the options below.

Significant change


Section 89(4) of the PDP Act requires VPS organisations to submit an out-of-cycle PDSP to OVIC if it has undergone, or expects to undergo, a ‘significant change’ to its operating environment or its security risks.

In the event of significant change, contact the Information Security Unit (ISU) OVIC to discuss your reporting options.

Read more about significant change.


Information Security Incident Notification Scheme


Under VPDSS Element E9.010, VPS organisations notify OVIC of any compromise of public sector information that may cause ‘limited’ (BIL 2) or higher harm/damage to government operations, organisations, or individuals.

This includes, but is not limited to, information with a protective marking of OFFICIAL: Sensitive, PROTECTED, Cabinet-In-Confidence or SECRET.

Notifying OVIC of an Information Security Incident

wdt_ID Organisation type How to access
2 Web form (preferred method)
3 Download form
4 Email Emailing your completed incident notification form to
5 Phone (during business hours) 1300 00 OVIC (1300 006 842) and request to speak to a member of the Information Security Unit

Go to our page on the OVIC Information Security Incident Notification Scheme to read more about the scheme

Information security resources

This section contains a suite of resources to assist in understanding and implementing the Victorian Protective Data Security Framework (VPDSF) and the Victorian Protective Data Security Standards (VPDSS).

Newly established organisations

If your organisation is newly formed, please contact the Information Security Unit via to receive an overview of the VPDSS and discuss your obligations.

Contact us

If you need help, please contact us on 1300 006 842 (1300 00 OVIC) between 9am and 5pm, Monday to Friday, or email us


Back to Index
Back to top
Back to Top