HomeWebinarCard
Log in

Victorian Privacy Network Meeting – March

March 10, 2026|Time not specified (likely AEST)|Past event

Victorian public agencies face a July-August 2026 deadline for Protective Data Security Plan submissions as privacy complaints to OVIC rose 53% and security incidents climbed 50% in the past year.

Key takeaways

  • OVIC is expanding its Victorian Privacy Network gatherings to three per year from 2026 after attendance hit 363 at the March 2025 session, driven by surging demand amid AI adoption and outsourcing complexities in the public sector.
  • Twelve Victorian Public Service bodies received non-compliance warnings in January 2025 for missing the prior PDSP deadline under the Privacy and Data Protection Act, with two organisations still unresolved as the 2026 cycle begins.
  • Government responses to the Integrity and Oversight Committee's FOI inquiry in March 2025 and the workplace surveillance report in November 2025 have left PDP Act amendments for mandatory breach notification and positive compliance obligations under review, highlighting tensions between transparency, monitoring and data security.

Privacy Pressures Mount

Victoria's public sector manages immense volumes of sensitive personal information—from health records and child protection files to electoral data—under the Privacy and Data Protection Act 2014. In 2024-25 privacy complaints to the Office of the Victorian Information Commissioner increased 52.8% to 162 while recorded information security incidents rose 50%, reflecting the challenges of digital transformation and generative AI tools entering government workflows.

A July 2024 ransomware attack on a community service organisation exposed names, contact details, identities, financial and health information of clients. An OVIC investigation in September 2024 into a Department of Families, Fairness and Housing worker feeding case notes into ChatGPT found breaches of information privacy principles on accuracy and unauthorised disclosure, prompting a compliance notice to block such tools.

The biennial Protective Data Security Plan requirement under Part 4 of the PDP Act demands submissions between 1 July and 31 August 2026, supported by an updated how-to guide released in January 2026. The previous cycle saw OVIC issue non-compliance letters in January 2025 to 12 organisations; eight eventually submitted plans, two were deemed exempt, and two remained outstanding with one slated for 2026 delivery.

Reform momentum adds urgency. The Integrity and Oversight Committee's September 2024 report labelled the Freedom of Information Act 1982 unfit for the digital age and proposed 101 changes focused on proactive release; the Victorian Government's March 2025 response committed to further examination. The November 2025 response to the workplace surveillance inquiry supported in principle most recommendations, including PDP Act changes for mandatory incident notification and a positive duty to comply with information privacy principles, though these remain under consultation to assess administrative burdens.

Non-obvious trade-offs complicate the picture. Agencies must balance demands for greater FOI transparency and public accountability with stricter data safeguards, especially when outsourcing functions or using AI systems that may inadvertently disclose personal information. Federal introduction of a statutory tort for serious invasions of privacy in June 2025 extends potential civil liability, while Victorian entities navigate unique obligations around sensitive contexts such as Stolen Generations reparations and public-sector employee monitoring.

Sources

You might also like

We use cookies to measure site usage. Privacy Policy