Overview of the information security incident notification scheme
The information security incident notification scheme requires Victorian government agencies or bodies to notify OVIC of incidents that compromise the confidentiality, integrity, or availability of public sector information with a ‘limited’ business impact or higher on government operations, organisations, or individuals.
What sort of incidents need to be notified to OVIC?
Organisations must notify OVIC of incidents that have an adverse impact on the confidentiality, integrity or availability of public sector information with a business impact level (BIL) of 2 (limited) or higher. Refer to your organisation’s BIL table or the VPDSF BIL table to assess the potential business impact level.
How can I seek assistance in managing an urgent and significant incident?
OVIC does not provide an incident response service. If you require immediate assistance for cyber incidents, please contact the Cyber Incident Response Service (CIRS) directly on 1300 278 842.
How do I notify OVIC?
Incident Notification Form
Download a copy of the Incident Notification Form.
Please fill in as many details on the form as possible. Submission options vary depending on the protective marking of the content on the Incident Notification Form. For:
- OFFICIAL or OFFICIAL: Sensitive, please email a copy of the form to firstname.lastname@example.org;
- PROTECTED or above, contact OVIC for further advice.
What happens after OVIC is notified of an incident?
OVIC will acknowledge receipt of the notification and provide a reference number in case of any follow-up communication regarding the notification.
In most cases, there will be nothing further required.
However, OVIC may contact you in the following circumstances:
- if your notification did not provide enough detail about the incident, we may request more information from you;
- if your notification points to a potentially serious or systemic breach of the PDP Act, we may contact you to make enquiries in accordance with OVIC’s Regulatory Action Policy; or
- if your notification indicates a risk of harm to the people whose personal information was involved, we may contact you to provide guidance about managing the privacy impacts of the data breach.
How does OVIC use incident notifications?
Incident notifications assist OVIC to develop a comprehensive information security risk profile of the Victorian government. This can be used for trend analysis and understanding of the threat environment as it relates to the protection of public sector information.
OVIC publishes regular Incident Insights Reports about trends and themes observed through the notifications to enable Victorian government agencies and bodies to inform their own risk assessments. OVIC may also share de-identified outcomes of its incident analysis with the Cyber Incident Response Service (CIRS).
You can find more information about the scheme in our guide to the Information Security Incident Notification Scheme.
Collection of personal information
This form collects personal information in the way of contact details. This includes your name, position title, organisation, contact number and email address for the purpose of follow up, research projects or activities set out in OVIC’s Regulatory Action Policy.
Where you provide personal information, OVIC may use it to provide you with return confirmation of receipt of your form, seek clarification on the contents of your form or report on any trends.
We ask that you do not include personal information anywhere other than the designated fields on this form.
When submitting your form via email, we may be able to identify you from your email address.
OVIC will not disclose your personal information without your consent, except where required or authorised to do so by law. You may contact OVIC to request access to any personal information you have provided to us by emailing email@example.com.