Skip to Content
From Monday 12 September 2020, OVIC's website will no longer be supported in Internet Explorer (IE).
We recommend installing Microsoft Edge, Google Chrome, Safari, Firefox, or Opera to visit the site.

Information security and privacy incident notification form

Organisations that are subject to the Victorian Protective Data Security Standards (VPDSS) must notify OVIC of certain information security incidents. In addition, organisations that are subject to Part 3 of the PDP Act are encouraged to notify OVIC of incidents involving personal information that could cause harm to affected individuals.

Any organisation that is subject to the PDP Act can therefore use this form to report incidents to OVIC, whether voluntarily or by obligation.

SECTION 1: General Details

For example: Who / what caused it? Malicious or accidental? Who accessed information in unauthorised manner? Please be as specific as possible. E.g. if referring to third party, name party or describe nature of party.


Fill in the following fields if your incident relates to personal information. Please visit our website for further information on managing the privacy impacts of a data breach.
What type of harm? How serious? How likely?
If not, why? If so, how? What reactions?


Fill in the following fields if the affected organisation is subject to the VPDSS. If the organisation is not subject to the VPDSS, you may leave this section blank.

Please visit our website for further information on the information security incident notification scheme.

OVIC has entered a Memorandum of Understanding (MOU) with the Cyber Incident Response Service (CIRS) to exchange incident information, to reduce the reporting burden on organisations. If you require incident response assistance and would like OVIC to send the incident details to CIRS on your behalf, please check the box below.
Check this box if you require incident response assistance and would like OVIC to send the incident details to CIRS on your behalf
What type of information was affected?
What is the assessed Business Impact Level (BIL) of the affected information?
Refer to your organisation’s BIL table or the VPDSF BIL table to assess the potential business impact level.
What was the information format?
What security attributes were affected?
Was the incident primarily caused by people, process and/or technology control(s)?
Who did it?
What was the threat type?
Is the incident closed?
Is the incident recorded in the organisation’s incident register?



Security and Privacy Incident Notification Form - DOCX
Size 35.81 KB



Back to top
Back to Top