The information on this page provides a generic overview of reporting to OVIC on information security matters. To find information relevant for your organisation, please visit:
Victorian Public Sector stakeholders
Class B Cemetery Trust stakeholders
Part 4 PDP Act requirements
Agencies and bodies subject to Part 4 of the Privacy and Data Protection Act 2014 (Vic) (PDP Act) are responsible for protecting the information they generate, hold and manage and ensuring the right people have access to the right information at the right time. This includes securing systems that hold or transmit this information.
An agency or body subject to Part 4 of the PDP Act must ensure that:
- it does not do an act or engage in a practice that contravenes a [Victorian] protective data security standard (VPDSS or Standard), in respect of public sector data collected, held, managed, used, disclosed or transferred by it and public sector data systems kept by it.
- a contracted service provider [third party] of the agency or body does not do an act or engage in a practice that contravenes a protective data security standard in respect of public sector data collected, held, used, managed, disclosed or transferred by the contracted service provider for the agency or body.
- a security risk profile assessment is undertaken for it, including an assessment of any contracted service provider of the agency or body to the extent that the provider collects, holds, uses, manages, discloses or transfers public sector data for the agency or body.
- a protective data security plan (PDSP) is:
- developed that addresses the Standards applicable to that agency or body.
- developed that also addresses compliance by any contracted service provider of the agency or body with the protective data security standards, to the extent that the provider collects, holds, uses, manages, discloses or transfers public sector data for the agency or body.
- reviewed if there is a significant change in the operating environment or the security risks relevant to the agency or body.
- a copy of the PDSP is given to the Information Commissioner.
For the full list of requirements, see sections 88 and 89 of the PDP Act.
Further, the Standards require VPS organisations to:
- provide an annual attestation to OVIC, and
- notify OVIC of information security incidents.
Reporting deliverables and timeframes
| Deliverable | Timeframe |
|---|---|
| Provide OVIC with an Attestation by the public sector body Head. | Annual |
| Submit a PDSP (including an Attestation) by the public sector body Head. | Biennial (every 2 years) |
| Submit an updated PDSP to OVIC if there is a significant change to the organisation's operating environment or its security risks. | In consultation with OVIC |
| Notify OVIC of any information security incidents that compromise the confidentiality, integrity, or availability of public sector information, with a ‘limited’ business impact or higher, on government operations, organisations or individuals. | As required |
Please note: Victorian public sector (VPS) organisations are not required to submit an Attestation to OVIC in 2025. Refer to the VPS organisation reporting page for more information.
Organisations submitting an ‘out of cycle’ PDSP must continue to adhere to the regular reporting cycle as outlined in Section 8 of the Victorian Protective Data Security Framework (VPDSF).
What is required of my organisation this year?
For tailored guidance on what is required this year, select from the options below.
Attestation
Each year, Victorian public sector (VPS) organisations are required to submit an Attestation to OVIC, in which they attest to the continuation of information security activities outlined in their previous Protective Data Security Plan (PDSP).
Please note: Victorian public sector (VPS) organisations are not required to submit an Attestation to OVIC in 2025. Refer to the VPS organisation reporting page for more information.
Protective Data Security Plan
What is a Protective Data Security Plan (PDSP)?
A PDSP serves several purposes. It is designed to:
- help an organisation assess its information security capability;
- summarise the organisation’s progress towards implementation of the Victorian Protective Data Security Standards (VPDSS or Standards) and elements; and
- provide assurance to OVIC that the organisation is making progress to improving information security.
VPS organisations must submit a PDSP to OVIC every two years, or sooner in the event of significant change.
Significant change
Overview
Section 89(4) of the PDP Act requires a VPS organisation to submit an out-of-cycle PDSP to OVIC if it has undergone, or expects to undergo, a ‘significant change’ to its operating environment or its security risks.
In the event of significant change, contact OVIC's Information Security Unit (ISU) to discuss your reporting options.
Read more about significant change.
Information Security Incident Notification Scheme
Overview
Under VPDSS Element E9.010, VPS organisations must notify OVIC of any compromise of public sector information that may cause ‘limited’ (BIL 2) or higher harm or damage to government operations, organisations, or individuals.
This includes, but is not limited to, information with a protective marking of OFFICIAL: Sensitive, PROTECTED, Cabinet-In-Confidence or SECRET.
Notifying OVIC of an Information Security Incident
| Notification option | How to access |
|---|---|
| Web form (preferred method) | https://incident-notifications.ovic.vic.gov.au/ |
| Download form | https://ovic.vic.gov.au/privacy/resources-for-organisations/information-security-and-privacy-incident-notification-form/ |
| Email | Send your completed incident notification form to incidents@ovic.vic.gov.au |
| Phone (during business hours) | 1300 00 OVIC (1300 006 842) and request to speak to a member of the Information Security Unit |
What happens after OVIC is notified of an incident?
OVIC will acknowledge receipt of the notification and provide a reference number in case of any follow up communication regarding the notification.
In most cases, there will be nothing further required.
However, OVIC may contact you in the following circumstances:
- if your notification did not provide enough detail about the incident, we may request more information from you;
- if your notification points to a potentially serious or systemic breach of the Privacy and Data Protection Act 2014 (Vic) (PDP Act), we may contact you to make enquiries in accordance with OVIC’s Regulatory Action Policy (https://ovic.vic.gov.au/regulatory-approach/regulatory-action-policy/); or
- if your notification indicates a risk of harm to the people whose personal information was involved, we may contact you to provide guidance about managing the privacy impacts of the data breach.
Go to our page on the OVIC Information Security Incident Notification Scheme to read more about the scheme.
Information security resources
This section contains a suite of resources to assist in understanding and implementing the Victorian Protective Data Security Framework (VPDSF) and the Victorian Protective Data Security Standards (VPDSS).
Newly established organisations
If your organisation is newly formed, please contact the Information Security Unit via security@ovic.vic.gov.au to receive an overview of the VPDSS and discuss your obligations.
Contact us
If you need help, please contact us on 1300 006 842 (1300 00 OVIC) between 9am and 5pm, Monday to Friday, or email us at security@ovic.vic.gov.au.