We recommend installing Microsoft Edge, Google Chrome, Safari, Firefox, or Opera to visit the site.
Regulatory action
OVIC regulates the Victorian Government and advises the community about how the public sector collects, protects, uses and shares information.
Latest updates
Investigation into the use of ChatGPT by a Child Protection worker has been published Updated 22/11/2024
Investigation into Datatime Services Pty Ltd data breach has been published Updated 08/05/2024
Audit report – Standard 10 of the Victorian Protective Data Security Standards (Personnel Security) has been published Updated 02/04/2024
Information Commissioner finds VicForests conducted unlawful surveillance has been published Updated 10/08/2023
Information Commissioner finds department responsible for failing to protect citizens' data during COVID-19 pandemic has been published Updated 25/07/2023
Our Regulatory Approach
OVIC's regulatory approach is independent, collaborative, targeted and proportional, transparent and consistent.
Our Regulatory Action Policy explains how we use our powers when taking regulatory action.
Witness Welfare Management Policy
This policy describes how OVIC supports the welfare of witnesses and other people involved in OVIC regulatory action.
OVIC’s regulatory priorities focus on significant issues impacting the information rights of Victorians.
OVIC participates in national and international regulatory networks to discuss common challenges and priorities.
Investigations
OVIC has regulatory powers to undertake investigations and issue a Compliance Notice if there is a serious breach of legislation.
Examinations
OVIC has regulatory powers to undertake examinations to investigate a potential breach, or as a proactive assurance tool.
Investigation into the use of ChatGPT by a Child Protection worker
OVIC conducted an investigation in response to a privacy incident reported by the Department of Families, Fairness and Housing regarding a Child Protection worker who had used ChatGPT when drafting a Protection Application Report.
Investigation into Datatime Services Pty Ltd data breach
OVIC conducted an investigation in response to a data breach experienced by Datatime Services Pty Ltd, a contracted service provider to government organisations. The investigation considered Datatime’s information security measures and disposal and retention practices.
Investigation into allegations of surveillance of members of the public by VicForests
OVIC conducted an investigation into VicForests’ surveillance on several members of the public to determine if this surveillance complies with the Privacy and Data Protection Act 2014 (Vic) and Information Privacy Principles 1.1 and 1.2.
Misuse of Department of Health information by third party employees during pandemic response
OVIC conducted an investigation into how the Department of Health managed the access of third-party call centre staff to personal information as the Department responded to the COVID-19 pandemic.
Process versus Outcome: Investigation into VicForests' handling of a series of FOI requests
OVIC conducted an investigation into VicForests' handling of a series of FOI requests to determine if it acted consistently with obligations under the FOI Act.
Investigation into impediments to timely freedom of information
OVIC conducted an own motion investigation into the timeliness of FOI decisions at five Victorian government agencies to identify the factors contributing to delay.
Impediments to timely FOI and information release: twelve months on
This report outlines the progress of agencies in implementing recommendations twelve months on from the own motion investigation.
Investigation into unauthorised access to client information held in the CRISSP database
OVIC conducted an investigation into a data breach involving the former Department of Health and Human Services and issued a compliance notice.
Investigation into the disclosure of myki travel information
OVIC conducted an investigation into a data breach involving myki users' privacy by Public Transport Victoria and issued a compliance notice.
Examination into privacy and information handling training at Victoria Police
The objective was to examine whether the training provided to Victoria Police personnel meets the requirements of Information Privacy Principle 4.1.
Examination of Victorian universities' privacy and security policies
OVIC conducted an examination into the protection of personal information in Victorian universities to ensure compliance with the Information Privacy Principles.
OVIC conducted an examintion into the use of digital learning tools in Victorian government primary schools and how privacy issues are managed.
Examination of Local Government Privacy Policies
OVIC conducted an examination of local government privacy policies to measure compliance with the Information Privacy Principles.
Audits
OVIC has regulatory powers to monitor and assure compliance with the Victorian Protective Data Security Framework.
Global Privacy Enforcement Network
Each year privacy regulators from around the world coordinate a global analysis of privacy practices.
Audit of Standard 10 of the Victorian Protective Data Security Standards
This audit focused on four Victorian public sectororganisations’ adherence to Standard 10 of the Victorian Protective Data Security Standards.
Audit of Standard 2 of the Victorian Protective Data Security Standards
This audit focused on four Victorian public sector organisations' adherence to Standard 2 of the Victorian Protective Data Security Standards.
Audit of Standard 8 of the Victorian Protective Data Security Standards
This audit focused on four Victorian public sector organisations' adherence to Standard 8 of the Victorian Protective Data Security Standards.
Reports published by predecessor agencies
Review of information governance in the Department of Health and Human Services
This report was published by the Commissioner for Privacy and Data Protection in January 2017.
Review of the Victoria Police Security Incident Management Framework and Practices
This report was published by the Commissioner for Privacy and Data Protection in January 2017.