Publication date: 2 October 2019

Assessment undertaken: May–June 2017
Draft report issued: 9/10/2018
Final report issued: 30/6/2019

Part 1: Executive summary

1.1 This report outlines the findings of an assessment of the Qantas Frequent Flyer (QFF) program undertaken by the Office of the Australian Information Commissioner (OAIC).

1.2 The scope of this assessment was limited to the consideration of QFF’s handling of personal information under Australian Privacy Principle (APP) 1 (open and transparent management of personal information) and APP 5 (notification of collection of personal information).

1.3 The assessment found that QFF has taken steps to foster a culture of privacy awareness that treats personal information as a valuable business asset. QFF has robust and effective privacy practices, procedures and systems, including:

  • collaborative privacy and security risk assessment processes
  • a culture that promotes privacy awareness
  • regular mandatory privacy training for all staff that is supported by ongoing privacy awareness initiatives
  • comprehensive and tested risk management and crisis management processes, including a data breach response process
  • clear knowledge of information assets held and a range of ICT security measures in place to safeguard these.

1.4 Additionally, QFF’s APP 1 privacy policy adequately describes how the company manages personal information. Its current APP 5 collection notification practices appear reasonable and adequate.

1.5 The OAIC identified two medium risks regarding QFF’s privacy governance and evaluation of the continued effectiveness and appropriateness of its privacy practices, procedures and systems, and made two recommendations to address the risks identified. The OAIC recommended that QFF:

  • develops and implements a privacy management plan that considers privacy goals and targets, and how to meet them
  • continues to build the profile of privacy across the Group by:
    • continuing with the implementation of the Qantas Group network of privacy champions to assist with the coordination of privacy matters across business units and reporting of these issues to senior management
    • formalising its current cyber security governance material to incorporate privacy.

Part 2: Introduction

Background

2.1 Loyalty programs are popular with consumers and businesses alike, with one Australian consumer research study reporting that 87 percent of Australians aged 18 and older were members of a loyalty program in 2017.[1] These programs reward individuals for their purchases and engagement via points, credit and other benefits. As part of the membership to the program, the entity operating the loyalty program can collect data about members and their purchasing activities. Through the application of data analytic techniques, entities can then use this data for a variety of purposes including profiling for targeted advertising and marketing.

2.2 When entities undertake data analytics that involve personal information, they must comply with the requirements of the Privacy Act 1988. Further, members of loyalty programs and the community at large would expect entities to safeguard the personal information that they have been entrusted with.

2.3 In the 2014/2015 financial year, the OAIC assessed two leading loyalty programs in Australia.[2] Building on these assessments, the OAIC decided to assess other popular loyalty schemes in Australia. As QFF is a popular loyalty program with a large member base, the OAIC conducted a privacy assessment of QFF in 2017. The observations and information contained in this report reflect the circumstances as at the date of the assessment (June 2017).

Part 3: Overview of Qantas Frequent Flyer

3.1 QFF was established in 1987, and had over 11.4 million members in June 2016.[3] QFF is run by Qantas Loyalty, a business unit within Qantas Airways Limited (Qantas). Qantas and its related bodies corporate are referred to as Qantas Group in this report.

3.2 QFF is a points-based rewards program and members may earn Qantas Points by purchasing products and services from Qantas or any of its program partners.[4] Qantas Points may then be redeemed for products or services.

3.3 Member registration is conducted online, either directly through the QFF website or through a link on a program partner website. Members may also call the customer care centre and centre staff will register the member.

3.4 Registration involves collecting a variety of personal information from individuals, including:

  • name
  • date of birth
  • age
  • gender
  • contact details (postal address, mobile number and email address)
  • country of residence.

3.5 Following registration, members receive a membership number, confirmation email, and a membership pack including a QFF card. The card is posted to the member’s nominated postal address.

3.6 Members may choose to provide further information in relation to product preferences to receive targeted emails from QFF or its affiliates (e.g. Qantas EpiQure,[5] Qantas Money). These emails are provided on an opt-out basis, so members can change or cancel the different types of marketing materials that they receive from QFF.

3.7 Members’ personal information continues to be collected at various points throughout their membership, including when they earn and redeem Qantas Points and Status Credits,[6] and when they interact with QFF marketing campaigns.

3.8 QFF stores data in a separate, partitioned section of the Qantas Group IT Environment. Access to QFF data requires specific authorisation. General Qantas Group IT users cannot access data in QFF systems unless they have QFF authorisation.

3.9 QFF is governed by and subject to Qantas Group policies.

Part 4: Findings

Our approach

4.1 This part of the report sets out the OAIC’s observations, the privacy risks arising from these observations, followed by suggestions or recommendations to address those risks.

4.2 The key findings of the QFF assessment are set out below under the following headings:

  • APP 1.2 — implementing practices, procedures and systems
  • APP 1 — privacy policy
  • APP 5 — collection notices.

4.3 The OAIC has applied its guide, Privacy management framework: enabling compliance and encouraging good practice, to its consideration of the reasonable steps that QFF has taken to address the requirements of APP 1.2.

4.4 The OAIC also considered its APP Guidelines, which outline the mandatory requirements of the APPs, how the OAIC will interpret the APPs and matters the OAIC may take into account when exercising functions and powers under the Privacy Act, in the privacy analysis below.

APP 1.2 — internal practices, procedures and systems

4.5 APP 1.2 requires an entity to take reasonable steps to implement practices, procedures and systems that will:

  • ensure that the entity complies with the APPs; and
  • enable the entity to deal with privacy related inquiries or complaints from individuals.

Internal policies and procedures

Observations

4.6 Qantas Group has a number of group-wide policy documents that are applicable to all of its business units, including QFF. These include the Qantas privacy statement (APP 1 privacy policy) and risk management policies, which are discussed separately later in this report. Additionally, QFF has developed a number of business unit specific policies and documents, including the QFF APP 5 collection notice, various QFF training materials and documents, and the QFF terms and conditions.

4.7 A Qantas Group policy registry is kept by the Company Secretariat for all Qantas Group policies. Core Qantas Group policies are reviewed annually, and if any changes are made, they require approval of the Qantas Board (the Board). The policy is dated to reflect when it was last reviewed.

4.8 Policies are also reviewed when major legislative changes occur, such as the significant amendments to the Privacy Act that commenced in 2014. QFF anticipated that the next such large-scale change would occur in 2018 to reflect the commencement of both the Notifiable Data Breaches Scheme[7] and the European Union General Data Protection Regulation (GDPR).[8] It is the responsibility of individual business units within Qantas to keep abreast of the legislative requirements that relate to their core business functions.

4.9 The OAIC noted that one document contained references to the National Privacy Principles (NPPs), which were replaced by the APPs in March 2014.

4.10 Whilst all QFF personal information is stored in Australia, QFF uses several offshore customer service centres. To safeguard members’ personal information, QFF has implemented measures such as background checks for overseas contract staff and provisions in employment contracts relating to the handling of personal information.

4.11 QFF complaints are received centrally through the Qantas customer care centre by phone or online and are directed to the relevant customer care teams. The customer care section comprises three main teams: disruption, experience and corporate liaison. Privacy complaints and compliance issues are handled by the corporate liaison team, who receive regular privacy training. If a privacy complaint must be escalated, the corporate liaison manager reports the complaint to the Customer Care Manager, who then reports it to Group Legal. This process is documented in a Qantas privacy procedure document, which is a high-level internal document that sets out broad privacy obligations. Specific complaints handling processes are embedded in the complaints handling system.

4.12 All customer complaints, including QFF privacy complaints, are managed through a case management system, which enables staff to monitor all complaints received and their status. The case management lists are checked daily by management to ensure their timely resolution. The Qantas Group online Privacy Statement includes a link to a feedback form that is pre-populated to classify the matter as privacy related. Where privacy complaints are received outside of this process (including by phone or by mail), a file/record is created in the complaints handling system. Complaints files are assigned priorities, which determine team allocation and due date for response.

4.13 Qantas has target timeframes for response due dates, including for privacy complaints. The time taken to resolve complaints depends on their complexity. There have been a very small number of privacy-related complaints in the past three years. Some complaints were caused by operator error, for example, passing on details to the wrong recipient.

4.14 Requests to access personal information and privacy queries are also handled through the Customer Care Centre. Members are required to undergo a telephone identity check and staff follow a security procedure and checklist to guide them through the process. Staff are encouraged to clarify the member’s exact needs before proceeding with an access request. If a query relates to a QFF membership, then the call is referred to the QFF specific customer care team. Queries and access requests are managed on Resolve and are checked daily by customer care managers. Complex privacy queries and requests are also referred to Group Legal in the same manner as complaints.

4.15 The majority of corrections to personal information are completed by members themselves using the online self-service facilities. However, corrections may also be processed by telephone via an interactive voice system (where the member keys in their PIN) or manually by QFF Service Centre (QFFSC) staff. QFFSC staff verify a customer’s identity before assisting the member with their query, including making any corrections.

Analysis

4.16 The OAIC noted a strong awareness of privacy and information security issues through its review of relevant QFF policy and procedure documents and interviews with staff.

4.17 The OAIC noted that one of the documents contained outdated references to the NPPs, as it was based on an older OAIC document that was updated in 2014. Relying on this document to guide a privacy impact assessment (PIA) may result in some personal information being mishandled or privacy risks not being adequately captured by a PIA. However, given that only one document was affected and that QFF staff demonstrated a strong understanding of Qantas’ information handling and management practices, including thorough PIA processes that do not heavily rely on this document (see Privacy impact assessments and security impact assessments below), the OAIC regards this as a low privacy risk for QFF.

4.18 Good privacy management requires the development and implementation of robust and effective internal policies, practices, procedures and systems that ensure the handling of personal information is in line with QFF’s privacy obligations. This includes the development and implementation of a privacy management plan (PMP).

4.19 A PMP assists with embedding a culture of privacy that enables privacy compliance. It identifies specific, measurable privacy goals and targets and sets out how an entity will implement the four steps outlined in the OAIC’s Privacy management framework and meet its goals for managing privacy.

4.20 At the time of the assessment, QFF did not have an overall policy document for meeting its goals for managing privacy. As part of meeting its obligations under APP 1.2, QFF should develop and implement a PMP, to be reviewed annually, that sets out specific goals and objectives for its privacy management with consideration of the specific issues that apply to its operations. Such a plan could be linked to, or incorporated into, Qantas’ existing cyber security and privacy processes and policies.

4.21 The OAIC has developed a PMP template that should assist QFF in the development of a PMP.

Recommendation 1

The OAIC recommends that QFF develops and implements a PMP that sets out specific goals and objectives for its privacy management with consideration of the specific issues that apply to its operations.

Governance and culture

Observations

4.22 QFF staff have a good awareness of privacy issues. QFF regards personal information as its chief business asset and has invested multiple resources to safeguard it.

4.23 QFF Legal has primary responsibility for advising QFF on privacy compliance matters. QFF Legal reports to the Qantas Group General Counsel, who has ultimate responsibility for all privacy compliance matters in the Qantas Group. The General Counsel receives weekly briefings on key issues (including privacy matters) from QFF and on an ad hoc basis as needed.

4.24 Qantas Group General Counsel reports to the Qantas Group Chief Executive Officer (CEO). Both the General Counsel and CEO sit on the Group Management Committee (GMC), with the General Counsel reporting to the GMC on privacy. The GMC reports to the Board.

4.25 Qantas cyber security governance is the responsibility of the Group Cyber Security Committee (GCSC), which monitors, reviews and ensures the effectiveness of cyber risk strategy, systems, policies and procedures. The GCSC also monitors, reviews and enhances the compliance of all cyber risk management systems, policies and procedures, protocols and controls with all relevant laws and regulations. GCSC members are drawn from a wide range of areas across the Group, including IT Security, Information Security, Legal/Privacy, the newly formed Business and Integrity Compliance Team, and other senior management staff. Several members of Legal/Privacy sit on the GCSC to ensure that privacy is managed alongside cyber security.

4.26 Additionally, QFF has entrusted specific teams with responsibility for various governance and privacy management functions, namely QFF Information Security, headed by the Data and Information Security Officer (DISO), and the Insights team, headed by the General Manager of QFF Insights.

4.27 In addition to the formal structures, the head of each business unit within QFF is responsible for privacy and risk identification within their unit and raising these issues with QFF Legal and the DISO. This is discussed later in this report in the section titled ‘risk management’.

4.28 Business units obtain advice and assessments on privacy-related matters from the Legal team via formal PIAs, written email advice and oral advice given in pre-arranged meetings. Privacy-related matters are also raised during short stand-up meetings, where staff consult each other or offer suggestions on different matters and projects. The Legal team confirms any material advice given as part of these hallway discussions via email.

4.29 At the time of this assessment, neither QFF nor Qantas Group had a dedicated privacy officer, although there were plans to create such a role. QFF has since advised the OAIC that a Group Privacy Officer was appointed in late July 2017 and one of the primary responsibilities of this Privacy Officer, on appointment, would be to set up and co-ordinate a network of privacy champions across the Qantas Group.

4.30 At the time of the assessment, the Qantas Group was investigating whether it would be required to appoint a data protection officer under the upcoming GDPR requirements. If so, it was expected that a nominated senior member of Legal would serve this role.

Analysis

4.31 Compliance with APP 1.2 is fundamentally about good privacy governance. Underpinning the policies and procedures should be strong leadership from senior management, with governance arrangements that support effective privacy practices.

4.32 Whilst QFF has numerous governance mechanisms and structures in place to facilitate privacy management, the OAIC notes that there are no specific, dedicated privacy roles within Qantas or QFF (with the exception of the recently appointed Group Privacy Officer). The OAIC also notes that Qantas Group intends to create a network of privacy champions, co-ordinated through the Group Privacy Officer. However, based on practices at the time of the assessment, there is a medium risk that privacy issues from the various business units will not be communicated effectively through the existing channels.

4.33 A network of privacy champions across business units within the Qantas Group, including a dedicated QFF privacy champion, would help to identify and communicate privacy risks, as well as good privacy practices, across the Group. QFF, as a business unit, would have the opportunity to share its learnings, as well as to learn from the experiences of other business units. The OAIC recommends QFF works with Qantas to continue with the Group-wide implementation of a network of privacy champions, including a dedicated champion within QFF. This privacy champions network will result in Qantas training staff to perform this key privacy role in each business unit to coordinate privacy matters across the different business units and report these issues to senior management.

4.34 The OAIC notes that the charter document for the GCSC primarily focuses on cyber risks and their management and does not specifically refer to privacy. While membership of the GCSC includes representatives from Legal/Privacy, and a reference to the Privacy Commissioner, the objectives and responsibilities of the Committee outlined in the charter document focus on cyber risks and do not specifically call out privacy issues. At the time of the assessment, the staff on the GCSC were raising privacy issues. However, without this practice being reflected in the documentation underpinning the GCSC, there is a medium risk that the Qantas Group and QFF may not discuss or consider privacy issues, especially where there is a change of personnel sitting on the GCSC. The OAIC is of the view that the clarification and formalisation of the existing cybersecurity arrangements to explicitly include privacy would adequately provide good privacy governance. Therefore, the OAIC recommends that QFF, along with Qantas, formalises the current cyber security governance material, such as the GCSC charter documents, to specifically encompass privacy. Additionally, after the assessment fieldwork, QFF informed the OAIC that GCSC has since been renamed the ‘Cyber Security and Privacy Committee’.

4.35 Additionally, QFF should regularly evaluate its governance mechanisms to ensure their continued effectiveness. This correlates to the need for a PMP (discussed earlier at 4.18-4.21), which would include the establishment of these privacy governance arrangements as part of its privacy goals as well as their ongoing evaluation.

Recommendation 2

The OAIC recommends that QFF continues to build the profile of privacy across the Group by:

  • continuing with the implementation of the Qantas Group network of privacy champions to assist with the coordination of privacy matters across business units and reporting of these issues to senior management
  • formalising its current cyber security governance material to incorporate privacy.

Risk management

Observations

4.36 QFF follows the Qantas Group risk management practices, policies and procedures. The Group Business Resilience Management System (GBRMS) is an integrated response and recovery system across Qantas Group’s strategic, operational and tactical environments, and is subject to a variety of airline and safety standards and regulations. The GBRMS relies on a number of subsidiary documents including the airline’s risk management framework, known as Qantas Group Risk Assessment Guide (QRAG), the Group crisis management plan, and other documents, including business unit specific documents such as the QFF risk and resilience framework.

4.37 QFF risks are locally identified, assessed and resolved using the QRAG, and reported at a Group Level, following the Qantas Group risk reporting process, which includes coverage of privacy risks. Furthermore, it is the responsibility of each business unit to identify and report risks.

4.38 The QRAG contains the risk assessment and management frameworks for the Qantas Group. QFF utilises this document in conjunction with a number of its own risk management documents and strategies. For example, the QFF cyber security strategy includes a breakdown of cyber risk, which utilises the QRAG to assess cyber risks and consider their mitigation strategies. The OAIC understands that data privacy and security is marked as one of the top three risks in this document.

4.39 The QFF CEO is ultimately responsible for business risks (including privacy risks), and the QFF finance manager has responsibility for the QFF risk profile. Cyber security risk is, at the practical level, the responsibility of the QFF DISO. The DISO regularly briefs both the CEO and Chief Information Officer (CIO), formally and informally. Qantas Group also holds monthly ‘direct reporting’ meetings, and risk is a regular agenda item.

Analysis

4.40 The implementation of privacy risk management processes is integral to establishing robust and effective privacy practices, procedures and systems. These risk management processes allow an entity to identify, assess, treat and monitor privacy risks related to its activities. Good privacy risk management informs and triggers changes to practices, procedures and systems to better manage privacy risks.

4.41 Qantas Group and by extension, QFF, have comprehensive risk management processes which adequately encompass the identification, recording, reporting and mitigation of privacy risks within QFF.

4.42 However, in view of the complexity of Qantas’ current risk management structure and framework, the OAIC suggests that QFF:

  • regularly evaluate its privacy risk management policies and practices to ensure their continued effectiveness. Additionally, where new practices evolve, the OAIC suggests that these practices, and the reasons behind them, are appropriately documented.

Data breach response plan

Observations

4.43 The Qantas Group has a co-ordinated Group-wide approach to crisis management, which includes a crisis management plan. This plan encompasses all business units of the Qantas Group, including QFF, and is co-ordinated by the Group Crisis Management Team.

4.44 The Group-wide crisis management plan comprises a series of procedures that enable staff to respond to the various kinds of crises that may arise across the Group. Crisis response is heavily reinforced in staff training and practice exercises, and involves staff at all levels, including the executive. A data breach will trigger a crisis response, the extent of which depends on the nature and severity of the breach.

4.45 The crisis management plan encompasses identification and notification, assessment and response. Furthermore, crises are reviewed after resolution to determine the cause of the incident and whether it was preventable. Past crises are often used in staff training. Within this Group-wide plan, there are business unit specific plans, which are owned by key senior staff in each group. The DISO owns the QFF cyber security incident response plan, and QFF staff are issued with role-specific crisis management resources.

4.46 The QFF cyber security incident response plan is updated at least annually. It may also be updated on an ad hoc basis as needed, for example, following key personnel changes.

4.47 QFF maintains a cyber incident register, which includes data breaches and online fraud. Incident notifications may come from a variety of channels. Once notified, incidents are escalated as appropriate.

4.48 The response triggered by an incident notification will depend on the nature and severity of the incident. QFF and the Qantas Group work to produce a co-ordinated response.

4.49 QFF liaises with internal and Group staff, external stakeholders and regulators (such as the OAIC) as needed throughout the process.

4.50 The OAIC was informed that, at the time of the assessment in June 2017, the Qantas Crisis Management Team processes were last externally audited in September 2016.

Analysis

4.51 The Qantas crisis management plan and its various supporting documents serve as a data breach response plan. Together, they fulfil an important requirement of APP 1.2 to implement practices, procedures and systems that ensure compliance with the APPs, as recommended in the OAIC’s Privacy management framework.

4.52 The OAIC encourages Qantas to continue its current practices for testing and reviewing its crisis management plan in the context of a data breach.

Privacy impact assessments and security impact assessments

Observations

4.53 Formal PIAs are generally only undertaken for major projects. QFF sometimes utilises independent third parties to conduct external PIAs, however, the majority are conducted informally and in-house, and are built into its project management processes. The OAIC was informed that all new marketing and data analytics projects are subject to a robust in-house vetting process that involves an assessment of both cyber security and privacy risks.

4.54 All new projects require a security impact assessment (SIA), and staff have access to the relevant form on the Qantas Intranet. A SIA weighs the value of the project against any associated security risks, including privacy risks. Staff are required to undertake a SIA at the beginning of a new project to identify any privacy and security risks. Once a SIA is formally underway, its progress is generally informal and collaborative, and may involve the project owner, the DISO, Legal, and any other relevant business units. The DISO assesses the security implications of the project and considers mitigation strategies for cyber security risks. The DISO may also determine that a more comprehensive security review or a formal PIA is needed.

4.55 If the project uses or is likely to use personal information, QFF Legal will also consult with the project owner and any relevant staff. Legal generally relies on deductive reasoning rather than a formal document or checklist to identify any privacy issues.

4.56 The findings of a SIA may determine whether or not a new project will go ahead. All SIAs are recorded in the system and can be recalled or examined as needed. Project managers are reminded periodically to undertake SIAs for all new initiatives.

4.57 New projects may also be subject to meetings known as ‘shark tanks’. This involves the project owners explaining to an executive panel, including the Group CEO and CFO, the risks of the project, including privacy and data risks, and justifying the need to accept those risks, as well as presenting mitigation strategies. Some projects may be subjected to this process multiple times. The shark tank proceedings are not recorded.

4.58 For smaller projects, the assessment process is conducted throughout the evolution of the project. All projects require sign-off by Legal and staff are encouraged to approach them early in the process. Both QFF Legal and the CIO have veto power over any and all projects.

Analysis

4.59 QFF’s current approach to PIAs and other privacy assessments is collaborative and thorough. However, the OAIC notes that it is heavily dependent on key staff involved and is not recorded unless it forms part of the SIA or includes written advice from Legal. This may lead to the loss of vital information regarding identified privacy risks.

4.60 The OAIC suggests that all informal privacy and other risk assessments be recorded in some form, such as email or file notes, and stored in an accessible location for relevant staff. The OAIC also suggests, due to the varied and complex nature of such assessments, that QFF regularly revisit and re-evaluate its privacy assessment mechanisms.

4.61 The OAIC has published the Guide to undertaking privacy impact assessments, which may be of assistance to QFF in considering future PIAs. Additionally, the OAIC has recently released an online PIA learning tool which aims to better equip organisations with the knowledge to conduct an in-house assessment.

Training

Observations

4.62 Qantas privacy training underwent a large-scale review in 2013–2014 due to the major changes made to the Privacy Act, and at the time of the assessment, was being revised to include the Notifiable Data Breaches scheme.

4.63 Staff are required to undertake a thirty-minute online privacy training course, which summarises the law and includes a randomly generated series of test questions. Staff must complete the test with a 100% pass rate.

4.64 Privacy training is compulsory for all staff with access to personal information, which includes Qantas call-centre staff, reservations staff and the entirety of QFF. Staff complete the training at induction and then every three years. Qantas Legal developed this privacy training.

4.65 Training is conducted through an internal online training database. Automated reminders are sent to staff who have not completed their mandated refresher or induction training, and to their managers. If the staff member attempts the training but does not receive a 100% pass rate, training is not marked as completed and the online training system will continue to remind the staff member to complete the training.

4.66 As part of Qantas’ financial and corporate governance reporting requirements, the Group Audit Team regularly checks the QFF training logs, which are managed by the Qantas Human Resources Department. The Head of Human Resources is required to sign off on the completion of all required training in a report to the QFF CEO.

4.67 QFF staff are also required to undertake mandatory risk management and cyber security training. Legal also provides more tailored face-to-face privacy training to various QFF units on an ad hoc basis.

4.68 To further raise awareness of cyber security and privacy issues, staff are sent a weekly ‘Friday Flyer’ email, which often contains information about how to avoid phishing scams and current privacy threats. Additionally, the DISO sends a monthly cyber update email to QFF staff to reiterate the importance of good privacy practices and current threats.

4.69 At the time of the assessment, QFF had recently undertaken a test exercise, where IT sent false phishing emails to selected QFF staff email accounts. If staff clicked the enclosed link, they were redirected to a notification page informing them that they had failed a phishing test.

Analysis

4.70 The OAIC considers QFF to have an adequate and effective privacy training regime and suggests that it regularly reviews its training to ensure that it remains effective and appropriate.

ICT and access security

Observations

4.71 During the assessment, the OAIC was advised of the security controls applied to QFF’s systems. Due to this assessment’s scope, the OAIC did not consider most of these controls in detail. These controls include:

  • A clean desk policy, and non-permanent seating arrangements, necessitating that all personal and confidential items be stored in secure staff lockers.
  • ICT protections, such as firewalls for segregated zones, malware detection software, whitelisting, application patching, encryption of data in transit and regular penetration testing. Additionally, QFF works to internationally certified standards, including ISO and ISF.
  • Strict role-based user access controls and physical protections to restrict access to QFF personal information and the systems it is housed in. Each member’s profile is assigned an anonymous identification number that is unrelated to their membership number. This anonymous identification number is used for most internal transactions relating to the member’s account to limit the number of staff with access to personal information. Only a small number of QFF staff can match the anonymous identification number back to a QFF member’s individual member profile. Remote access is restricted to a needs-only basis. All user access is logged and monitored, with the logs regularly audited by the platform owners. There are fewer than ten users with administrative access privileges, and these accounts are also logged, as are any data changes in the data warehouse.
  • Maintaining a regularly updated directory of all of the information assets (including personal information) held by QFF, and where these are stored. This is known as the ‘crown jewels’ directory, and is owned by the QFF DISO. Access to this list is heavily restricted to a needs-only basis.
  • Checking of all contractors and third parties (such as vendors), including security maturity testing, prior to selection and engagement. QFF also has contractual rights to audit the third party and the QFF information they hold throughout the course of the relationship.
  • Multi-factor authentication of member accounts. QFF requires two-factor authentication for making changes to member accounts. Additionally, at the time of the assessment, QFF was conducting a multi-factor authentication pilot with selected members. QFF advised that this trial was being expanded and QFF would eventually roll out multi-factor authentication to all members.

Analysis

4.72 Overall, QFF has established robust ICT and user access policies, procedures and practices governing the security of personal information. The OAIC has not identified any privacy risks based on the assessment scope and the above-mentioned observations.

4.73 The OAIC particularly welcomes the use of multi-factor authentication and encourages QFF to continue its expansion. In addition, QFF’s information security controls should continue to be regularly reviewed and revisited in order to meet constantly evolving ICT risks related to personal information. The OAIC’s Guide to Securing Personal Information may be of assistance in considering reasonable steps to protect personal information.

Marketing and data analytics

Observations

4.74 Qantas Frequent Flyer applies data analytics techniques to member information and uses the resulting data for targeted advertising and marketing.

4.75 At registration, QFF collects members’ personal information as well as other voluntary information about preferences for food and drink, finance and other products or services that a member is interested in. Qantas Frequent Flyer then uses this and other information collected at various points throughout their membership, including when members earn and redeem Qantas Points and their interactions with marketing campaigns, to analyse member behaviours and identify target members for marketing campaigns. Member accounts are also bundled into segments based on these preferences, which dictates the type of marketing material QFF will send to them. Qantas Frequent Flyer uses targeted marketing communications (primarily by email) to promote products and offers which may be of interest to members.

4.76 In relation to the use of personal information for marketing and analytics purposes, QFF’s APP 1 privacy policy and collection notice state that members’ personal information may be used to:

  • provide and operate competitions, promotions and events
  • distribute newsletters and other communications either directly or through a third party
  • facilitate participation in Qantas and program partner loyalty programs
  • conduct marketing activities for Qantas or third party products and services (the collection notice states that this is one of the primary purposes of QFF)
  • conduct market and other research to improve Qantas products, services and marketing activities
  • generate consumer insights, which may include combining personal information from third parties or public sources (for example, Census data).

4.77 Potentially sensitive information gathered by the airline, such as meal preferences and medical conditions, is not used by, or accessible to, the QFF marketing and analytics teams.

4.78 As stated above, QFF holds all personal information in data warehouses, with highly restricted access. A select team within QFF has sole access to QFF member information (e.g. name, email address, phone number). All analytic insights work is run in a de-identified environment by a separate team using the anonymous identification number discussed above at 4.71, which enables analysts to examine behaviours and answer questions without referring to personal information. All activity is fully logged and audited.

4.79 Most marketing communications sent by QFF are customised. Marketing campaigns are sent to different member lists. These lists are derived from mailing lists that members subscribe to in the “my profile” section of their QFF account and those that are designed and created using de-identified information linked to the anonymous identification number. The communications are then matched to member personal information by a separate team.
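The pseudonymisation design described at 4.71 and 4.78–4.79, as an added Python example that is not part of the report or of Qantas’ systems: a random anonymous id unrelated to the membership number, an analytics step that accepts only allow-listed fields, and a separate re-identification step that is logged on every call. All names, thresholds, partners and earn events below are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Only these fields may enter the de-identified analytics environment.
ANALYTICS_FIELDS = {"anon_id", "partner", "points"}


@dataclass
class IdentityVault:
    """The single link between a membership number and its anonymous id.
    The id is random rather than derived from the membership number, and
    matching it back to a profile happens in one place only and is logged.
    """
    _profiles: dict = field(default_factory=dict)   # anon_id -> profile
    _by_member: dict = field(default_factory=dict)  # member_no -> anon_id
    audit: list = field(default_factory=list)

    def enrol(self, member_no: str, name: str, email: str) -> str:
        anon_id = secrets.token_hex(8)  # unrelated to member_no by construction
        self._by_member[member_no] = anon_id
        self._profiles[anon_id] = {"name": name, "email": email}
        return anon_id

    def reidentify(self, anon_id: str, requester: str, purpose: str) -> dict:
        """The only path back to personal information; every call is recorded."""
        self.audit.append({"who": requester, "why": purpose, "anon_id": anon_id})
        return dict(self._profiles[anon_id])


def check_deidentified(events: list) -> None:
    """Reject any record carrying fields outside the analytics allow-list."""
    for ev in events:
        extra = set(ev) - ANALYTICS_FIELDS
        if extra:
            raise ValueError(f"direct identifiers in analytics data: {sorted(extra)}")


def wine_segment(events: list, min_points: int) -> set:
    """Analytics zone: build a campaign segment from pseudonymous earn events."""
    check_deidentified(events)
    totals = {}
    for ev in events:
        if ev["partner"] == "wine":
            totals[ev["anon_id"]] = totals.get(ev["anon_id"], 0) + ev["points"]
    return {aid for aid, pts in totals.items() if pts >= min_points}


def match_segment(vault: IdentityVault, segment: set, requester: str, purpose: str) -> list:
    """Separate team's step: resolve a segment to contact details, audited."""
    return [vault.reidentify(aid, requester, purpose) for aid in sorted(segment)]


def run_wine_campaign():
    """End-to-end walk-through on constructed members and earn events."""
    vault = IdentityVault()
    a = vault.enrol("1000001", "Member A", "a@example.com")
    b = vault.enrol("1000002", "Member B", "b@example.com")
    c = vault.enrol("1000003", "Member C", "c@example.com")
    events = [  # constructed: no name, email or membership number present
        {"anon_id": a, "partner": "wine", "points": 1200},
        {"anon_id": a, "partner": "grocery", "points": 300},
        {"anon_id": b, "partner": "grocery", "points": 2000},
        {"anon_id": c, "partner": "wine", "points": 800},
        {"anon_id": c, "partner": "wine", "points": 500},
    ]
    segment = wine_segment(events, min_points=1000)
    recipients = match_segment(vault, segment, "campaign-team", "wine offer")
    return recipients, vault.audit


if __name__ == "__main__":
    recipients, audit = run_wine_campaign()
    print([r["email"] for r in recipients], "re-identifications logged:", len(audit))
```

Leaking the analytics events alone reveals nothing about who the members are, and the audit list shows exactly which team re-identified which ids and why.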

4.80 Qantas Frequent Flyer does not permit access to, or disclosure of, members’ personal information to any of its program partners and is solely responsible for all communication with its members in relation to program partner products and benefits. However, one current exception is QFF’s partnership with Woolworths, as Woolworths Everyday Rewards (WER) members may opt in to earn Qantas Points as their reward under the WER program, automatically converting WER points they earn when shopping at Woolworths into Qantas Points. To do this, they must give Woolworths their QFF membership number so that Woolworths can arrange for the Qantas Points to be awarded. However, each of WER and QFF remain solely responsible for communicating with their own members.

4.81 Program partners are tested for security, IT, and compliance requirements before QFF will agree to a partnership. Additionally, there are contractual terms in place, which stipulate that only QFF may contact its members in relation to a program partner.

4.82 Third parties may sometimes be used for undertaking data analytic activities (such as providing aggregated insights). However, they are only provided with de-identified data, and strong contractual protections are put in place against re-identification or use of data other than as stipulated.

4.83 All new marketing and analytics data uses are subject to the SIA process described above at 4.54, which includes assessment of privacy risks and a flag to complete a PIA. Furthermore, marketing and analytics staff are in constant consultation with QFF Legal in relation to changes or new ideas. These are documented in email form and stored on a shared drive.

Analysis

4.84 Data analytics involves amassing, aggregating and analysing large amounts of data.[9] Where data analytics involves personal information, entities must ensure they are complying with the requirements of the Privacy Act.

4.85 For this assessment, the OAIC considered that QFF’s APP 1 privacy policy and APP 5 collection notice adequately describe how a member’s personal information may be used for marketing and data analytics purposes.

4.86 The OAIC suggests that QFF continues to regularly review its APP 1 privacy policy and APP 5 collection notice to ensure they adequately explain the use of a member’s personal information, especially if the nature and scale of QFF’s marketing and data analytics activities changes.

4.87 Based on the OAIC’s review of documents and interviews with QFF staff, there appear to be effective privacy safeguards in place for QFF’s marketing and data analytics activities. Due to this assessment’s scope, the OAIC did not consider most of these safeguards in detail. However, the OAIC suggests that QFF continues to regularly review its use of personal information in its marketing and data analytics activities to ensure its processes and policies remain effective and appropriate.

4.88 Additionally, given the amount of personal information that QFF handles and the extent of its use in marketing and data analytics projects (whether in identified or de-identified forms), the OAIC also suggests that QFF continue to monitor and assess the risks of these projects as they progress, including any risk surrounding re-identification or the creation of new data sets.

4.89 The OAIC and CSIRO’s Data61 have published a De-identification Decision-Making Framework, which may provide QFF with further practical guidance to effectively de-identify information that is used for data analytics purposes.

4.90 For more information about relevant key concepts when considering data analytics and privacy, and how the APPs apply to data analytics, see the OAIC’s Guide to Data Analytics and the Australian Privacy Principles.

APP 1 — privacy policy

Observations

4.91 The purpose of APP 1 is to ensure that ‘APP entities manage personal information in an open and transparent way’ (APP 1.1). This enhances the accountability of APP entities in relation to their personal information handling practices.

4.92 Under APP 1.3, APP entities must have a clearly expressed and up to date APP privacy policy that explains the entity’s handling of personal information.

4.93 QFF uses the Qantas Group-wide privacy policy, also referred to as the Group ‘privacy statement’.

4.94 The OAIC reviewed this privacy policy against the requirements of APP 1. As part of this review, the OAIC applied a Flesch-Kincaid test to provide a general indication of the complexity and readability of the policy.[10]

Analysis

4.95 APP 1.4 contains a prescriptive list of information that an APP entity must include in its privacy policy,[11] as well as a list of other information that could be included, depending on the circumstances of the entity, to describe how the entity manages personal information.[12]

4.96 In its review, the OAIC found that the Qantas privacy policy meets the prescriptive requirements of APP 1.4. However, the OAIC noted that the policy was complex, and the Flesch-Kincaid test indicated that it would be easily understood by people with an approximate reading age over 25. This means that the policy may be too complex for some readers who are younger or who have a lower literacy level to understand, and this could affect some QFF members.

4.97 Additionally, while the policy identifies that Qantas collects information about dietary requirements and health issues, this is not specifically identified as ‘sensitive information’. In order to provide greater transparency for customers, the OAIC suggests that the policy clearly identify this information as ‘sensitive information’.

4.98 The OAIC considers that there is room for improvement in the readability of the policy, and suggests that QFF works with the Qantas Group to review and, where possible, simplify the language of the policy. Qantas Frequent Flyer and Qantas could also consider using graphics, videos and other digital formats as a way of clearly communicating to its members how it handles personal information.

APP 5 — collection notices

Observations

4.99 APP 5 requires APP entities that collect personal information about an individual to take reasonable steps either to notify the individual of certain matters (listed in APP 5.2) or to ensure the individual is aware of those matters.

4.100 The OAIC reviewed QFF’s online notice relating to the collection of information from individuals against the requirements of APP 5 in order to ensure its compliance. This notice is located at the bottom of the QFF online registration form, just before members are asked to accept the terms and conditions and provide payment information. The notice refers members to the Qantas privacy policy for further information.

Analysis

4.101 The OAIC found that the QFF collection notice meets the requirements of APP 5, and that it refers readers to the Qantas privacy policy for further information. However, as with the privacy policy, the language used in the notice is complex, and may be difficult for some readers who are younger or who have a lower literacy level to understand. Additionally, the OAIC noted that the notice is labelled ‘important information’, which does not indicate what the notice is, or its purpose. There is also no specific reference to the unique arrangement with Woolworths in the marketing section.

4.102 The OAIC suggests that QFF:

  • simplifies the notice to enhance readability
  • changes the title from ‘important information’ to something that indicates to potential members that the notice relates to the collection of their personal information
  • highlights the QFF/Woolworths relationship.

Part 5: Recommendations and response

Recommendation 1

OAIC recommendation

5.1 The OAIC recommends that QFF develops and implements a Privacy Management Plan that sets out specific goals and objectives for its privacy management with consideration of the specific issues that apply to its operations.

Qantas Frequent Flyer response

5.2 QFF sincerely appreciates the OAIC assessment finding that it has robust and effective privacy practices, and QFF acknowledges that an ongoing compliance commitment is required to protect the privacy and maintain the security of the personal information it holds.

5.3 QFF is working with Qantas to develop a Privacy Management Plan to augment its well-established privacy policies and procedures. In addition to appointing a Group Privacy Officer, Qantas is also establishing a dedicated Data Privacy team to bring together its privacy experts under one team and implement a coordinated enterprise-wide strategy and framework, including further investment in resources and technology that will support the Qantas Group to effectively address the intensifying global privacy regulatory requirements.

Recommendation 2

OAIC recommendation

5.4 The OAIC recommends that QFF continues to build the profile of privacy across the Group by:

  • continuing with the implementation of the Qantas Group network of privacy champions to assist with the coordination of privacy matters across business units and reporting of these issues to senior management
  • formalising its current cyber security governance material to incorporate privacy.

Qantas Frequent Flyer response

5.5 QFF will continue to support the expanded reach, effectiveness and reporting of the Qantas Group’s new, dedicated Data Privacy team through the introduction of a network of “privacy champions” across all Group business units.

5.6 Prior to the OAIC assessment in May/June 2017, the Qantas Group was already expanding its cyber security governance processes and materials to include increased focus on privacy. All relevant materials have been updated and the Qantas Group continues to manage both the data privacy and data security risks in a coordinated way.

Part 6: Description of assessment

Objective and scope of the assessment

6.1 This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the APPs.

6.2 The objective of the assessment was to examine whether personal information collected by QFF is handled in accordance with the Privacy Act.

6.3 The scope of this assessment was limited to the consideration of QFF’s handling of personal information against the requirements of APP 1 (open and transparent management of personal information) and APP 5 (notification of collection of personal information). Specifically, the assessment examined whether:

  • the policies and procedures of QFF were reasonable in the circumstances to ensure that personal information is managed in an open and transparent manner (APP 1)
  • QFF provides reasonable and adequate notifications to users of its services (QFF members) when collecting personal information (APP 5).

Privacy risks

6.4 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance, the OAIC made recommendations to QFF about how to address those risks. These recommendations are set out in Part 5 of this report.

6.5 OAIC assessments are conducted as a ‘point in time’ exercise. That is, our observations and opinions are only applicable to the time period during which the assessment was undertaken.

6.6 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’ in Appendix A. Further detail on this approach is provided in Chapter 7 of the OAIC’s Guide to privacy regulatory action.

Timing, location and assessment techniques

6.7 The OAIC conducted a risk-based assessment of QFF and focused on identifying privacy risks to the effective handling of personal information in accordance with privacy legislation.

6.8 The assessment involved the following:

  • review of relevant policies and procedures provided by QFF
  • an analysis of QFF’s APP 1 privacy policy
  • fieldwork, which included interviewing key members of staff and reviewing further documentation, at the QFF offices in Mascot on 25 May and 1 June 2017.

Reporting

6.9 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.

Appendix A: Privacy risk guidance

The guidance is a three-column table (privacy risk rating; entity action required; likely outcome if risk is not addressed), set out below by rating.

High risk

Entity action required: Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation. Immediate management attention is required.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies)

Medium risk

Entity action required: Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation. Timely management attention is expected.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that may lead to the following effects

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow-up assessment activities
  • Possible ministerial involvement or censure (for agencies)

Low risk

Entity action required: Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation. Management attention is suggested.

Likely outcome if risk is not addressed: This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed.

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met

Footnotes

[1] The Point of Loyalty, For Love or Money 2017, viewed 9 January 2018, The Point of Loyalty website.

[2] See Coles’ flybuys and Woolworths’ Rewards: what is the price of loyalty?

[3] See Qantas Annual Report 2016 at Annual Reports.

[4] For a current list of program partners, see the Earn Qantas Points page.

[5] Qantas EpiQure was re-branded as Qantas Wine after the assessment.

[6] As well as earning and redeeming Qantas Points, QFF membership allows members to earn Status Credits. When a member’s accumulated Status Credits reach a designated level, their membership tier level increases (for example from Silver to Gold) and they can receive additional membership benefits, including earning higher rates of Qantas Points.

[7] The Notifiable Data Breaches Scheme, introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017, requires organisations covered by the Australian Privacy Act 1988 (Privacy Act) to notify any individuals likely to be at risk of serious harm as a result of a data breach.

[8] The European Union General Data Protection Regulation (the GDPR), which commenced 25 May 2018, contains new data protection requirements. Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU. The OAIC guidance on the GDPR may be found at Australian entities and the EU General Data Protection Regulation (GDPR).

[9] Office of the Australian Information Commissioner (OAIC), Big data and privacy: a regulator’s perspective, viewed 26 September 2017.

[10] The Flesch-Kincaid test used to assess the readability of Qantas’ privacy policy can be accessed at The Readability Test Tool.

[11] See paragraphs 1.15-1.32 of the APP Guidelines.

[12] See paragraphs 1.33 and 1.34 of the APP Guidelines.