Our Privacy Policy provides the overarching principles and policies that VANguard uses to manage its information.

The purpose of this policy is to:Padlock on keyboard

  • Communicate VANguard’s personal information handling practices.
  • Ensure that VANguard complies with all relevant privacy and related legislation.
  • Ensure that VANguard properly manages privacy that is consistent with regulatory requirements, its own business needs and outcomes, and community expectations as appropriate.

Related Documents

The VANguard Privacy Management Strategy specifies how VANguard will collect, use, disclose and store private information, and indicates how this Privacy Policy will be implemented. This document is available upon request.

VANguard and Personal Information

VANguard deals directly with government agencies, which in turn deal with end users and/or businesses. VANguard does not engage with businesses directly, and does not engage with individuals. However, this policy establishes a framework for the handling of Personal Information handled by VANguard on behalf of others.

Privacy Principles

The following principles apply to the management of all Personal Information handled by VANguard.

VANguard will uphold the Australian Privacy Principles (APPs) contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), as well as relevant privacy-related sections of the Public Service Act 1999, Archives Act 1983, and other relevant acts.

Specifically, under the APPs:

  •  VANguard will operate according to the Information Management and Records Policy when collecting, storing, using and disclosing information. This Policy is consistent with the National Archives of Australia requirements
  •  VANguard will collect, by lawful means, only that information needed to effectively perform its role and meet its obligations
  •  VANguard will use collected information only for the purpose for which it was collected, unless authorised to do so by the information provider, is authorised to do so by law, if it is necessary for law enforcement or the protection of public revenue, or if VANguard is otherwise permitted to do so
  •  VANguard will make reasonable efforts to ensure that, as appropriate, the information provider is informed of the purpose for which the information is required
  •  VANguard will take reasonable steps to ensure any Personal Information is kept secure with access restricted to authorised personnel only
  •  VANguard will not sell, or receive payment, for disclosing information
  •  Individuals may access any Personal Information about them that VANguard holds and ask to correct any information about them that may be inaccurate.

VANguard will comply with all relevant elements of the Use of the ICT Facilities Policy, including but not limited to ICT security, non-ICT security, information security, personnelsecurity, physical security and visitor security.


Information we collect and why we collect it

VANguard collects Personal Information about end users during the course of their transactions with Agencies which use VANguard services generally, and about staff within Agencies which use VANguard’s Self Service Administration (SSA) function. VANguard as a rule does not solicit Personal Information directly from any individual.

VANguard collects such Personal Information as:

  •  user name, given names, email address and business identifiers
  •  the ABN of organisations represented by a user
  •  the IP address of computers used to transact with Agencies or VANguard
  •  Agency staff member’s access control permissions for that Agency
  •  details associated with AUSKeys presented to VANguard for validation
  •  details associated with Certificate Revocation Lists including revocation dates and reason codes, and
  •  details associated with digital certificates presented to VANguard for validation.

VANguard collects this Personal Information for the purpose of validating it on behalf of agencies, and retains the information for only as long as is required to support Agencies’ authentication practices.

Personal Information collected by VANguard is used either for supporting Agencies’ authentication practices, or for monitoring transaction patterns for the purpose of performance optimisation and fraud minimisation. Performance and fraud reports generated by VANguard contain aggregated data and do not disclose any Personal Information.

Policy Implementation

This policy will be implemented through the VANguard Privacy Management Strategy.

Policy Revision

This policy, and associated VANguard Privacy Management Strategy, will be revised as a result of a legislative or other requirement, or following a Privacy Impact Assessment (PIA). A PIA will be conducted every two years, or whenever business or technical requirements
change, or as circumstances warrant, to identify issues that could impact on VANguard’s privacy management. Recommendations arising from any assessment will be adopted as appropriate.


The management of this Privacy Policy, and the related VANguard Privacy Management Strategy, is the responsibility of the VANguard Program. The VANguard Program is responsible for ensuring VANguard complies with the Privacy Policy, and ensuring that the VANguard Privacy Management Strategy is implemented and appropriately updated.

VANguard will ensure that all personnel involved with the VANguard services are aware of their obligations under the Privacy Act 1988. The VANguard Service Operations Section ensures that agencies only have access to electronic records of their own transactions.

Visit our Contact Us page to send us any queries about our Privacy Policy.