OVIC Logo

Incidents Notification Form

  1. 1
    Introduction
  2. 2
    Information about
    the incident
  3. 3
    Privacy
    incidents
  4. 4
    Incident notification
    scheme
  5. 5
    Thank you

Information security and privacy incident notification form

What you should know before using this form

Any organisation that is subject to the Privacy and Data Protection Act 2014 (Vic) (PDP Act) can use this form to report incidents to OVIC, whether voluntarily or by obligation.

  • This form should not be used by members of the public to report incidents, data breaches or alleged wrongdoing by VPS employees or organisations to OVIC.
  • Individuals wishing to do so, should instead use OVIC's Privacy Complaint Form.

Organisations that are subject to:

  • Part 4 of the PDP Act and the Victorian Protective Data Security Standards (VPDSS) should notify OVIC of certain information security incidents, and
  • Part 3 of the PDP Act are encouraged to notify OVIC of incidents involving personal information that could cause harm to affected individuals.

How will the information I provide be used?

We use the information you provide to help us manage information security and privacy incident notifications. This includes confirming that we received your notification and contacting you to discuss the incident if we need to.

We may also send your information to the Victorian Government Cyber Incident Response Service, if you want us to.

Collection of personal information

The incident notification form collects personal information including:

  • your name
  • position title
  • organisation
  • contact number, and
  • email address for the purpose of follow up, research projects or activities set out in OVIC’s Regulatory Action Policy.

Where you provide personal information, OVIC may use it to provide you with return confirmation of receipt of your form, seek clarification on the contents of your form or report on any trends. If you do not provide the information requested in this form, it may limit OVIC’s ability to follow up with you. When submitting your form via email, we may be able to identify you from your email address.

OVIC will not disclose your personal information without your consent (e.g. where you request assistance from the Victorian Government Cyber Incident Response Service), except where required or authorised to do so by law. OVIC does publish de-identified information (or aggregated data) in our monitoring and assurance reports. OVIC does publish de-identified information (or aggregated data) in our monitoring and assurance reports.

You may contact OVIC to request access to any personal information you have provided to us by emailing enquiries@ovic.vic.gov.au.

For further information on how OVIC handles personal information, please review our privacy policy.

Important! Do not include the personal information of any employees or individuals involved in, or impacted by, the incident. The only personal information requested is that of the organisation’s nominated contact representative which should be noted in the designated fields on this form.

Information you enter onto this form is stored locally, in your browser, until you submit it. If you do not submit the form, the information you enter will stay stored locally in your browser until you clear the browser cache or delete any information you entered onto the form.

You may also clear the form and start again by using the "reset this form" button.

This form will take 15 - 30 minutes to complete.

You will be emailed a copy of your submission.

Need help?

Contact us by phone on 1300 006 842 or email at security@ovic.vic.gov.au.

More information?

You can find more information about OVIC's incident notification process on our website.

Information about
the incident

This form should not be used by members of the public to report incidents, data breaches or alleged wrongdoing by VPS employees or organisations to OVIC. Individuals wishing to do so, should instead use OVIC's Privacy Complaint Form.

  1. Organisation details

    This is the VPS organisation or contracted service provider you work for that is reporting an Incident to OVIC under element 9.010.
  2. 100 characters left

  3. This is the person OVIC will contact and liaise with in relation to the incident

    100 characters left

  5. Please be aware that a PDF copy of the form will automatically be sent to this email address upon submitting the form.
    Please ensure that the coordinating officer is aware, and care is taken to enter their email address correctly

  6. Incident details

  7. 10,000 characters left
  8. 2,000 characters left
  9. 2,000 characters left

  10. For example:

    • Who and/or what caused it?
    • Was it malicious or accidental?
    • Who accessed information in an unauthorised manner?
    • Please be as specific as possible. E.g. if referring to third party, please provide the name of the third party or describe the nature of the third party.
    2,000 characters left
  11. 2,000 characters left
  12. 2,000 characters left

Privacy
incidents

  1. If the incident you are notifying us about involves personal information, please fill in the following fields.

    Under the PDP Act, personal information is information that could reasonably identify an individual. This could include names, contact details, financial details, signatures and more.

    For more information on personal information see the Guidelines to the Information Privacy Principles.

    If the incident you are notifying us about did not involve personal information, you may leave this section blank.

    2,000 characters left

    What type of harm? How serious? How likely?

    2,000 characters left

    If not, why? If so, how? What was the reactions?

    2,000 characters left

    Visit our website for more information on managing the privacy impacts of a data breach.

Incident notification
scheme

  1. If the affected organisation is subject to the VPDSS, please fill in the following fields.

    If the organisation is not subject to the VPDSS, you may leave this section blank.

    Visit our website for further more information on the information security incident notification scheme.

    OVIC has entered a Memorandum of Understanding (MOU) with the Cyber Incident Response Service (CIRS) to exchange incident information, to reduce the reporting burden on organisations. If you require incident response assistance and would like OVIC to send the incident details to CIRS on your behalf, please check the following box:

  2. If you require privacy assistance, please check the box below:

  3. What type of information was affected? (you may select more that one choice)

  4. What is the assessed Business Impact Level (BIL) of the affected information?

    Refer to your organisation’s BIL table or the VPDSF BIL table to assess the potential business impact level.

  5. What was the information format?

  6. What security attributes were affected?

  7. Was the incident primarily caused by people, process and/or technology control(s)?

  8. Who caused the incident?

  9. What was the threat type?

  10. Is the incident closed?

  11. Is the incident recorded in the organisation’s incident register?

Thank you

Thank you for notifying OVIC of this incident.

You will now receive an email with a copy of your incident for your own records.

To find out what you can expect next from OVIC's incident notification process, please see what happens after OVIC is notified of an incident.

OVIC Logo
Australian Aboriginal Flag

We acknowledge the Wurundjeri people of the Kulin Nation as the Traditional Owners of the land on which OVIC operates. We pay our respects to their Elders, past, present and emerging.