Preparing you for the 2026 Protective Data Security Plan – Class B Cemetery Trusts & Committees of Management

Cemetery Data Security Deadline

Victoria's more than 400 Class B cemetery trusts manage local burial grounds with records that double as legal proof of interment rights, genealogical archives and repositories of personal family details. These small public entities, typically governed by committees of three to 11 volunteers, now confront a binding deadline under Part 4 of the Privacy and Data Protection Act 2014 to submit Protective Data Security Plans to the Office of the Victorian Information Commissioner.

The requirement, with submissions due between 1 July and 31 August 2026 and signed attestation by the chairperson, enforces compliance with the Victorian Protective Data Security Standards. A dedicated template distils broader public-sector obligations into 14 practical requirements tailored to cemetery operations, covering risk assessments, access controls, incident notification and preservation of both paper and digital holdings.

What changed is the shift to detailed, forward-looking plans rather than checkbox attestations. Resources for Class B trusts were first customised around 2022 following engagement with the Department of Health; the 2026 version incorporates updated fields reflecting evolving risks and was released in December 2025.

The real-world stakes are concrete. A lost or compromised interment register can invalidate burial rights, spark family disputes or erase historical evidence. Volunteer committees, often in regional areas with modest fee income, must document current practices and planned improvements with completion dates. Implementation may require basic upgrades such as secure storage, backup procedures or staff training, costs that compete with grounds maintenance.

Non-obvious tensions arise from the structure of the sector. Many trusts receive administrative help from local councils, which are themselves exempt from the framework yet legally responsible for the public entities they oversee. This creates blurred accountability lines. At the same time, the push for modern information security clashes with longstanding practices of handing physical ledgers between generations of volunteers, where knowledge loss through retirement or death is a documented risk alongside physical threats such as fire and flood.

Broader public-sector cyber pressures in Australia add urgency. While no major Class B breaches have surfaced publicly, the framework anticipates the same vulnerabilities affecting larger agencies: unauthorised access, data alteration or simple unavailability when families need records. OVIC uses the submissions for aggregated reporting to government, including the Victorian Chief Information Security Officer, turning individual compliance into sector-wide visibility.