Incidents Notification Form

  1. Introduction
  2. Information about the incident
  3. Privacy incidents
  4. Incident notification scheme
  5. Thank you

Information security and privacy incident notification form

What you should know before using this form

Organisations that are subject to the Victorian Protective Data Security Standards (VPDSS) under Part 4 of the Privacy and Data Protection Act 2014 (Vic) (PDP Act) must notify OVIC of certain information security incidents.

In addition, organisations that are subject to Part 3 of the PDP Act are encouraged to notify OVIC of incidents involving personal information that could cause harm to affected individuals.

Any organisation that is subject to the PDP Act can use this form to report incidents to OVIC, whether voluntarily or by obligation.

How will the information I provide be used?

We use the information you provide to help us manage information security and privacy incident notifications. This includes confirming that we received your notification and contacting you to discuss the incident if we need to.

We may also send your information to the Victorian Government Cyber Incident Response Service, if you want us to.

Information you enter into this form is stored locally, in your browser, until you submit it. If you do not submit the form, the information you entered will stay stored locally in your browser until you clear the browser cache or delete the information you entered into the form.

You may also clear the form and start again by using the "reset this form" button.

This form will take 15 - 30 minutes to complete.

You will be emailed a copy of your submission.

Need help?

Contact us by phone on 1300 006 842 or email at security@ovic.vic.gov.au.

More information?

You can find more information about OVIC's incident notification process on our website.

Information about the incident

This form should not be used by members of the public to report incidents, data breaches or alleged wrongdoing by VPS employees or organisations to OVIC. Individuals wishing to do so should instead use OVIC's Privacy Complaint Form.

  1. Organisation details

    This is the VPS organisation or contracted service provider you work for that is reporting an Incident to OVIC under element 9.010.
  2. This is the person OVIC will contact and liaise with in relation to the incident.
  3. Please be aware that a PDF copy of the form will automatically be sent to this email address upon submitting the form.
    Please ensure that the coordinating officer is aware, and that care is taken to enter their email address correctly.

  4. Incident details

  5. For example:

    • Who and/or what caused it?
    • Was it malicious or accidental?
    • Who accessed information in an unauthorised manner?
    • Please be as specific as possible. E.g. if referring to a third party, please provide the name of the third party or describe the nature of the third party.

Privacy incidents

  1. If the incident you are notifying us about involves personal information, please fill in the following fields.

    Under the PDP Act, personal information is information that could reasonably identify an individual. This could include names, contact details, financial details, signatures and more.

    For more information on personal information see the Guidelines to the Information Privacy Principles.

    If the incident you are notifying us about did not involve personal information, you may leave this section blank.

    What type of harm? How serious? How likely?

    If not, why? If so, how? What were the reactions?

    Visit our website for more information on managing the privacy impacts of a data breach.

Incident notification scheme

  1. If the affected organisation is subject to the VPDSS, please fill in the following fields.

    If the organisation is not subject to the VPDSS, you may leave this section blank.

    Visit our website for more information on the information security incident notification scheme.

    OVIC has entered a Memorandum of Understanding (MOU) with the Cyber Incident Response Service (CIRS) to exchange incident information, to reduce the reporting burden on organisations. If you require incident response assistance and would like OVIC to send the incident details to CIRS on your behalf, please check the following box:

  2. If you require privacy assistance, please check the box below:

  3. What type of information was affected? (you may select more than one choice)

  4. What is the assessed Business Impact Level (BIL) of the affected information?

    Refer to your organisation’s BIL table or the VPDSF BIL table to assess the potential business impact level.

  5. What was the information format?

  6. What security attributes were affected?

  7. Was the incident primarily caused by people, process and/or technology control(s)?

  8. Who caused the incident?

  9. What was the threat type?

  10. Is the incident closed?

  11. Is the incident recorded in the organisation’s incident register?

Thank you

Thank you for notifying OVIC of this incident.

You will now receive an email with a copy of your incident for your own records.

To find out what you can expect next from OVIC’s incident notification process, please see what happens after OVIC is notified of an incident.
