Significant Change Notification Process
This information sheet explains:
- what may constitute a significant change to an organisations operating environment or information security risks;
- what to do when an organisation identified that there may be significant change; and
- when OVIC expects to be notified of significant change and receive a revised Protective Data Security Plan (PDSP).
Under the Privacy and Data Protection Act 2014 (Vic) (PDP Act), organisations must undertake a Security Risk Profile Assessment (SRPA) and develop a PDSP. A copy of this completed PDSP must be given to the Information Commissioner:
- within 2 years of the issue of the Victorian Protective Data Security Standards (VPDSS); or
- upon significant change to the operating environment or security risks to the organisation.
What constitutes a significant change?
It is difficult to define significant change. It depends on the type of change, information security risks relating to the change, and the organisation’s operating context. Some examples of significant change could include situations where information security risks have changed due to one or more following:
- Machinery of Government (MoG) changes to the organisation’s structure or information assets / systems;
- high staff turnover or changes to staffing (e.g., major organisational restructures);
- changes resulting from new or amended legislation;
- changes to work functions or business operations;
- changes in the operating environment of the organisation (like a large scale move to remote working);
- changes to an information system, or the introduction of a new system (including where a third-party provider manages this system on behalf of the organisation); or
- changes to service provider arrangements, where the provider accesses, uses or manages information or information systems on behalf of the organisation (e.g., CenITex as a shared service provider to manage the organisation’s ICT network).
When significant change occurs, organisations must assess the impact of the change and have an informed discussion with OVIC about their information security obligations.
What should my organisation do when it identifies a potential significant change?
When an organisation identifies a potential significant change, it should:
- Contact the Information Security Unit (ISU) within 30 days to discuss next steps;
- Consult with any impacted parties, complete the Notification of Significant Change form and send the form to firstname.lastname@example.org;
- Undertake a SRPA to capture new or changed information security risks, reflecting these changes in the organisation’s risk register;
- Revise the organisation’s PDSP to capture new or changed information security risks, update the activities to address the VPDSS and update the implementation status for the activities; and
- Submit a copy of the revised PDSP to the Information Commissioner.
Who notifies the Information Commissioner of a significant change?
The public sector body Head should submit the Notification of Significant Change form to the Information Commissioner.
What are my organisation’s continuing reporting obligations?
|Undertake (and/or) update a SRPA for the organisation.
|Annual (at least)
|Provide OVIC with an Attestation by the public sector body Head.
|Submit a PDSP (including an Attestation) by the public sector body Head.
(every 2 years)
|Submit an updated PDSP to OVIC, if there is significant change to the:
|In consultation with OVIC
|Notify OVIC of any information security incidents that compromise the confidentiality, integrity, or availability of public sector information, with a ‘limited’ business impact or higher, on government operations, organisations or individuals.
Please note: Organisations submitting an ‘out of cycle’ PDSP, must continue to adhere to the regular reporting cycle as outlined in Section 8 of the VPDSF.