Class B Cemetery Trust stakeholders
Cemetery trust information is important to the Victorian community as the material maintained by trusts commemorates the lives of citizens and provides important genealogical records that preserve a profound and personal history of Australia.
Class B cemetery trust members, many of whom are volunteers, spend countless hours ensuring records are accurate and complete. Fulfilling these obligations assist in fostering community confidence its information is accurate and available when needed.
What do we mean when we refer to ‘Information Security’?
Information security is a risk management process that protects public sector information and systems, including cemetery trust records, from unauthorised access, disclosure and use. This aims to ensure the right people have access to the right information at the right time.
What information security obligations do Class B Cemetery Trusts have?
Cemetery trusts are public bodies and the records they create must be managed in accordance with relevant legislation. This includes information security requirements set out under Part 4 of the Privacy and Data Protection Act 2014 (Vic) (PDP Act).
In 2020, the OVIC Information Security Unit (ISU) drafted bespoke requirements to reflect the unique governance arrangements and challenges that Class B Cemetery Trusts face. As such reporting requirements are different for Class A and Class B cemetery trusts.
We understand that some of these requirements may be unfamiliar, or simply confusing, and we encourage you to review the resources on this page or speak with a member of the OVIC ISU.
Legislative requirements
Under Part 4 of the PDP Act, cemetery trusts are required to:
- adhere to the Victorian Protective Data Security Standards (VPDSS)
- undertake a Security Risk Profile Assessment (SPRA)
- Department of Health has developed a risk register template that cemetery trusts can use to develop their SRPA (https://www.health.vic.gov.au/publications/sample-risk-register).
Cemetery trusts are not required to provide a copy of their SRPA to OVIC unless requested.
- Department of Health has developed a risk register template that cemetery trusts can use to develop their SRPA (https://www.health.vic.gov.au/publications/sample-risk-register).
- develop, implement and maintain a Protective Data Security Plan (PDSP)
- A custom PDSP template and ‘How-to’ guide has been specifically developed for Class B cemetery trusts, and a new version will be released and disseminated to the sector in 2026.
- provide OVIC a current copy of their PDSP
- provide OVIC free and full access to public sector information or information systems, when requested, including participating in any monitoring and assurance activities conducted by OVIC
- ensure that any third-party with access to cemetery trust information or systems, does not contravene the VPDSS when collecting, holding, using, managing, disclosing or transferring cemetery trust information.
Further, the VPDSS require cemetery trusts to:
- provide an annual attestation (if requested by OVIC) and
- notify OVIC of information security incidents
2025
In a typical reporting cycle, Cemetery Trusts are expected to submit PDSP to OVIC every two years, with the next projected year being 2026.
OVIC is currently reviewing the Victorian Protective Data Security Framework (VPDSF) and VPDSS and will be adjusting the PDSP reporting templates to reflect these changes.
Cemetery Trust reporting deliverables and timeframes remain unchanged in 2025, with further information regarding 2026 reporting to be released at a later date.
What do I do if I am from a newly established Class B Cemetery Trust?
If your Class B Cemetery Trust is newly formed, please contact the ISU via security@ovic.vic.gov.au to discuss your reporting obligations.
Significant change
If your Class B Cemetery Trust has undergone, or expects to undergo, a ‘significant change’ to its operating environment or its security risks, you may be required to submit an out-of-cycle PDSP.
This obligation remains unchanged. In the event of significant change, contact the ISU to discuss your options. Read more about significant change.
Incident notification
If a cemetery trust becomes aware of an information security incident involving sensitive information (for example, information is lost or there is an unauthorised disclosure of cemetery trust information), the incident should be reported by email to the Department of Health Privacy and Legal Compliance Team and the OVIC Information Security Team at the earliest opportunity.
Department of Health Privacy and Legal Compliance Team – privacy@health.vic.gov.au
OVIC Information Security Team – security@ovic.vic.gov.au
If you are unsure whether you have experienced an incident, or if you are unsure of how to notify OVIC, please contact us.
Resources for Class B Cemetery Trusts
Class B Cemetery Trusts have obligations under Part 4 of the Privacy and Data Protection Act 2014 (Vic) to ensure the right people have access to the right information at the right time.
This page contains guidance and materials developed specifically for Class B Cemetery Trusts to help protect cemetery trust information from being lost, destroyed, or compromised.
Class B Cemetery Trusts: Information Asset Register
An Information Asset Register (IAR) is a comprehensive list of the types of information cemetery trusts generate, hold and manage. Developing and maintaining an IAR will help your cemetery trust keep a consistent record of its information for future generations.
Cemetery trusts should develop and maintain an IAR as part of their PDSP.
OVIC has developed an IAR template for Class B cemetery trusts that includes detailed instructions. See the –
- Class-B-Cemetery-Trust-Information-Asset-Register-Guide-and-Template.docx and
- Class-B-Cemetery-Trust-Information-Asset-Register-Guide-and-Template.pdf.
Cemetery trusts are not required to provide a copy of their IAR to OVIC unless requested. For more information or to request a hard copy of the IAR, please contact OVIC.
Class B Cemetery Trusts: Considering third-party providers
A third-party provider can be any person or organisation outside your cemetery trust that may store or manage any / all cemetery trust information on your behalf.
The Information Sheet below offers some considerations for cemetery trusts in this instance. See the;
- Class B Cemetery Trust Third Party Provider Info Sheet.docx and
- Class B Cemetery Trust Third Party Provider Info Sheet.pdf.
Contact OVIC
Please call 1300 006 842 (1300 00 OVIC) or email security@ovic.vic.gov.au
Department of Health Cemetery Sector Governance Support
Visit the Department of Health Cemetery Sector Governance Support page.