Significant Change Notification Process

Overview

An agency or body subject to Part 4 of the Privacy and Data Protection Act 2014 (Vic) (PDP Act) must undertake a Security Risk Profile Assessment (SRPA) and develop a Protective Data Security Plan (PDSP).

Section 89 of the PDP Act states that within 2 years after the issue of protective data security standards applying to an agency or body, a public sector body Head:

  • must ensure a protective data security plan is developed for the agency or body that addresses the [Victorian] protective data security standards applicable to that agency/body
  • must ensure the plan addresses compliance by any contracted service provider where they hold, use, manage, disclose or transfer public sector data for the agency/body, and
  • reviews the protective data security plan if there is a significant change in the operating environment or the security risks relevant to the agency or body or otherwise every 2 years.

The PDP Act also states that the public sector body Head for the agency or body must ensure that a copy of the protective data security plan is given to the Information Commissioner.

What constitutes a significant change

While there is no statutory definition of significant change, the PDP Act does state that if there is a significant change in the operating environment or the security risks relevant to the agency/body, then it must review its PDSP.

When trying to determine what may constitute a significant change, the agency/body should consider:

  • the type of change
  • any information security risks relating to the change, and
  • its operating context.

 

Significant changes may result from:

  • Machinery of Government (MoG) changes
  • altered staffing/resourcing arrangements
  • new or amended legislation
  • adjustments to work functions or business operations
  • altered operating environment (e.g., a large-scale move to remote working)
  • new or altered information systems (including where a third-party provider manages this system on behalf of the organisation)
  • altered service provider arrangements, where the provider accesses, uses or manages information or information systems on the organisation’s behalf (e.g., CenITex to manage the organisation’s ICT network).

Ongoing information security reporting to OVIC

For more information regarding ongoing information security reporting, please visit the Information Security Reporting page.

 

Updated: 23 March 2026

Download

Guide and form - Notification of Significant Change V2.0 - DOCX
Size 461.64 KB
