Local Government Authorities
Information Security Considerations for Local Government Authorities
Local Government Authorities (LGAs) are excluded from Part 4 of the Privacy and Data Protection Act 2014 (Vic) (PDP Act) and are therefore not directly subject the Victorian Protective Data Security Framework and Standards. However, where an LGA is appointed to manage a regulated organisation, the LGA incurs Part 4 PDP Act obligations of that entity with respect to the information and systems they manage on its behalf.
Committees of Management
A Committee of Management (CoM) of Crown land reserves is a public entity within the definition of Section 5 of the Public Administration Act 2004 (Vic) (PAA). By this definition, CoMs must adhere to the requirements of public entities under Part 4 of the PDP Act.
An LGA can be appointed to manage a CoM of Crown land reserves whereby the public sector body Head of the LGA takes responsibility for the CoM. The appointed LGA that manages the CoM incurs the Part 4 PDP Act obligations of the CoM.
Class B Cemetery Trusts
It is OVIC’s position that Class B Cemetery Trusts (Class B CTs) are considered to be public entities for the purposes of the PAA and therefore are subject to Part 4 of the PDP Act.
Where an LGA is appointed as a trustee of a Class B CT, the LGA managing the Class B CT matters effectively incur Part 4 PDP Act obligations of the Class B CT.
2026 reporting options for Class B CTs and CoMs
Where an LGA is appointed to manage one or more regulated organisations, the LGA must develop and submit a Protective Data Security Plan (PDSP) capturing the information security program for those regulated bodies.
To address the unique governance arrangements and challenges of Class B CTs and CoMs, OVIC has published tailored 2026 PDSP templates (including bespoke requirements) for these bodies.
These 2026 PDSP templates are supported by customised resources, designed to assist Class B CTs and CoMs meet their reporting obligations.
LGAs appointed to manage a regulated organisation can choose to use the:
Option 1 – Tailored 2026 PDSP templates for Class B CTs or CoMs
- 2026 | Class B Cemetery Trust Protective Data Security Plan (Word document)
- 2026 | Committee of Management of Crown land reserves Protective Data Security Plan (Word document)
Option 2 – Standard VPS 2026 PDSP template
- 2026 | VPS single organisation Protective Data Security Plan V3.7 – (PDF document)
Reporting on behalf of multiple regulated organisations
Where each of the entities have equivalent reporting criteria, LGAs can meet the reporting obligations by utilising one or more of the submission options on the following reporting templates.
Option 1 – Reporting on behalf of multiple:
CoMs
Provided the multi-organisation reporting criteria are met, the responses for each CoM can be recorded on a single 2026 Committee of Management PDSP template.
The final page of the CoM PDSP must list all responding CoMs that are captured in the bundled PDSP submission.
Class B CTs
Provided the multi-organisation reporting criteria are met, the responses for each Class B CT can be recorded on a single 2026 Class B CT PDSP template.
The final page of the Class B CT PDSP must list all responding CTs that are captured in the bundled PDSP submission.
Option 2 – Reporting on behalf of both CoMs and Class B CTs
Provided the multi-organisation reporting criteria are met, and an LGA is looking to combine reporting for more than one CoM and/or Class B CT, these responses may be bundled into the one PDSP submission by requesting a tailored PDSP template from OVIC’s Information Security Unit.
For more information, read the appendix of the VPS How-To Guide: Completing the Protective Data Security Plan 2026.
Historically, LGAs have used this method of reporting.
Additional guidance for LGAs
For detailed guidance, read Local Government Authorities – Information Security Considerations.
Last updated: 24 March 2026
