Incidents Notification Form

Information security and privacy incident notification form

What you should know before using this form

Organisations that are subject to the Victorian Protective Data Security Standards (VPDSS) under Part 4 of the Privacy and Data Protection Act 2014 (Vic) (PDP Act) must notify OVIC of certain information security incidents.

In addition, organisations that are subject to Part 3 of the PDP Act are encouraged to notify OVIC of incidents involving personal information that could cause harm to affected individuals.

Any organisation that is subject to the PDP Act can use this form to report incidents to OVIC, whether voluntarily or by obligation.

How will the information I provide be used?

We use the information you provide to help us manage information security and privacy incident notifications. This includes confirming that we received your notification and contacting you to discuss the incident if we need to.

We may also send your information to the Victorian Government Cyber Incident Response Service, if you want us to.

Information you enter onto this form is stored locally, in your browser, until you submit it. If you do not submit the form, the information you enter will stay stored locally in your browser until you clear the browser cache or delete any information you entered onto the form.

This form will take 15 - 30 minutes to complete.

You will be emailed a copy of your submission.

Need help?

Contact us by phone on 1300 006 842 or email at

More information?

You can find more information about OVIC's incident notification process on our website.

Information about the incident

  1. Organisation details

  2. Incident details

  3. For example:

    • Who and/or what caused it?
    • Was it malicious or accidental?
    • Who accessed information in an unauthorised manner?
    • Please be as specific as possible. E.g. if referring to a third party, please provide the name of the third party or describe the nature of the third party.


  1. If the incident you are notifying us about involves personal information, please fill in the following fields.

    Under the PDP Act, personal information is information that could reasonably identify an individual. This could include names, contact details, financial details, signatures and more.

    For more information on personal information see the Guidelines to the Information Privacy Principles.

    If the incident you are notifying us about did not involve personal information, you may leave this section blank.

    What type of harm? How serious? How likely?

    If not, why? If so, how? What were the reactions?

    Visit our website for more information on managing the privacy impacts of a data breach.

Incident notification

  1. If the affected organisation is subject to the VPDSS, please fill in the following fields.

    If the organisation is not subject to the VPDSS, you may leave this section blank.

    Visit our website for further information on the information security incident notification scheme.

    OVIC has entered a Memorandum of Understanding (MOU) with the Cyber Incident Response Service (CIRS) to exchange incident information, to reduce the reporting burden on organisations. If you require incident response assistance and would like OVIC to send the incident details to CIRS on your behalf, please check the following box:

  2. What type of information was affected? (you may select more than one choice)

  3. What is the assessed Business Impact Level (BIL) of the affected information?

    Refer to your organisation’s BIL table or the VPDSF BIL table to assess the potential business impact level.

  4. What was the information format?

  5. What security attributes were affected?

  6. Was the incident primarily caused by people, process and/or technology control(s)?

  7. Who caused the incident?

  8. What was the threat type?

  9. Is the incident closed?

  10. Is the incident recorded in the organisation’s incident register?

Thank you

Thank you for notifying OVIC of this incident.

You will now receive an email with a copy of your incident for your own records.

To find out what you can expect next from OVIC’s incident notification process, please see what happens after OVIC is notified of an incident.
