Committees of Management of Crown Land Reserves
In Victoria there are over 1,500 Crown land reserves (also referred to as public land reserves) managed by approximately 1,125 voluntary committees of management (CoMs) appointed as land managers under the Crown Land (Reserves) Management Act 1978 (Vic) (CLRA).
CoMs regulated under Part 4 PDP Act
It is OVIC’s position that CoMs under the CLRA are considered to be public entities for the purposes of the Public Administration Act 2004 (Vic) and therefore are subject to Part 4 of the Privacy and Data Protection Act 2014 (Vic) (PDP Act). OVIC refers to these as CoMs regulated under Part 4.
CoMs not regulated under Part 4 PDP Act
CoMs that are Incorporated Associations or Companies Limited by Guarantee are not subject to Part 4 of the PDP Act. These are otherwise considered CoMs that are not regulated for the purposes of Part 4 of the PDP Act. OVIC will continue to assess this applicability on a case-by-case basis and may be subject to change.
OVIC’s Information Security Unit (ISU) engaged Department of Energy, Environment and Climate Action (DEECA) to discuss a regulatory approach for CoMs regulated by Part 4 of the PDP Act. It is clear from these discussions that volunteers are passionate about protecting committee information including hard copy and soft copy (digital / electronic) information, and verbal discussions.
To address the unique governance arrangements and challenges that volunteer CoMs face, OVIC has drafted bespoke reporting requirements specifically for CoMs. We understand that some of these requirements may be unfamiliar, and we encourage you to review the resources on this page, and if further support is needed you can speak with a member of the ISU.
What obligations do CoMs regulated under Part 4 PDP Act have?
To review the full list of obligations for CoMs regulated by Part 4 of the PDP Act click here.
What’s required in 2026?
Protective Data Security Plan
In 2026, CoMs regulated under Part 4 are expected to submit a Protective Data Security Plan (PDSP) to OVIC, which includes an Attestation signed by the Chairperson or an authorised representative. This PDSP documents the development of an information security program that addresses the protection of CoM information.
What do we mean when we refer to ‘Information Security’?
Information security is a risk management process that protects public sector information and systems, including committee of management records, from unauthorised access, disclosure and use. This aims to ensure the right people have access to the right information at the right time.
What does the 2026 PDSP submission cover?
When completing a 2026 PDSP, a CoM should consider information security activities that are currently planned, underway or implemented.
When is the 2026 PDSP submission due to OVIC?
A CoM regulated under Part 4 must submit a copy of its PDSP to OVIC between 1 July 2026 and no later than 31 August 2026.
How to access a copy of the 2026 PDSP form for CoMs regulated under Part 4
A copy of the 2026 | Committee of management of Crown land reserves PDSP is now available for download as a Word document or PDF document.
To request a hard copy in the mail, please contact OVIC’s ISU.
How to submit a copy of the 2026 PDSP form
PDSP submissions can be made to OVIC by email (electronic) or mail (paper). For more information on how to submit a PDSP, please read the 2026 | How-to Guide: Protective Data Security Plan (PDSP) for Committees of management of Crown land reserves as a Word document or PDF document.
Incident notification
CoMs regulated under Part 4 should contact OVIC at its earliest convenience if it becomes aware of any issues impacting the security of its information.
The confidentiality, integrity and/or availability of this material must be maintained to ensure the continued security of committee information. If you are unsure whether you have experienced an incident, or if you are unsure of how to notify OVIC, please contact the ISU.
An example of an information security incident may be where:
- a committee member mistakenly discloses sensitive information (confidentiality)
- committee records have been altered to misrepresent land boundaries (integrity)
- an asset register goes missing (lack of availability)
Resources for CoM regulated under Part 4 PDP Act
Committee of management: Information Asset Register
As outlined in the PDSP, committees should develop and maintain an Information Asset Register (IAR) to ensure to help identify the different information in manages. An IAR helps a CoM develop a comprehensive list of the types of information the committee generates, holds and manages. Developing and maintaining an IAR will help the committee keep a consistent record of its information for current and future members.
OVIC has developed an IAR template specifically for CoMs with an accompanying How-to Guide.
Information Asset Register template:
- Word document (best for creating a digital copy) – Click here to download
- PDF document (best for printing a hard copy) – Click here to download
Guide: How to build an Information Asset Register
- Word document – Click here to download
- PDF document – Click here to download
CoMs are not required to provide a copy of their IAR to OVIC unless requested. For more information, please contact OVIC.
Committees of management: Considering third-party providers
A third-party provider can be any person or organisation outside the CoM that may store or manage any / all committee information on its behalf.
The below information sheet offers some considerations for CoMs in this instance.
- Word document – coming soon
- PDF document – coming soon
Contact OVIC
Please call 1300 006 842 (1300 00 OVIC) or email security@ovic.vic.gov.au
Department of Energy, Environment and Climate Action
Visit DEECA’s Committees of management page for more guidance.
Last updated:19 December 2025
