5.2 QFF sincerely appreciates the OAIC assessment finding that it has robust and effective privacy practices, and QFF acknowledges that an ongoing compliance commitment is required to protect the privacy and maintain the security of the personal information it holds. The recent increase in oil prices has been a threat for the aviation sector's success. At the time of the assessment, the staff on the GCSC were raising privacy issues. 4.68 To further raise awareness of cyber security and privacy issues, staff are sent a weekly Friday Flyer email, which often contains information about how to avoid phishing scams and current privacy threats. Additionally, after the assessment fieldwork, QFF informed the OAIC that GCSC has since been renamed the Cyber Security and Privacy Committee. 3.6 Members may choose to provide further information in relation to product preferences to receive targeted emails from QFF or its affiliates (e.g. 4.94 The OAIC reviewed this privacy policy against the requirements of APP 1. Qantas plans to improve fuel efficiency by 1.5% annually and to reduce water consumption by 20% and electricity by 35% by 2020. Crisis response is heavily reinforced in staff training and practice exercises, and involves staff at all levels, including the executive. 4.42 However, in view of the complexity of Qantas' current risk management structure and framework, the OAIC suggests that QFF: 4.43 The Qantas Group has a co-ordinated Group-wide approach to crisis management, which includes a crisis management plan. This process is documented in a Qantas privacy procedure document, which is a high-level internal document that sets out broad privacy obligations. All employees receive security, privacy, and compliance training the moment they start.
The CHESS has responsibility for strategy, policy, systems oversight, monitoring and corporate governance over operational risks of the Qantas Group. 4.99 APP 5 requires APP entities that collect personal information about an individual to take reasonable steps either to notify the individual of certain matters (listed in APP 5.2) or to ensure the individual is aware of those matters. Complaints files are assigned priorities, which determine team allocation and due date for response. The Group Policies apply to Qantas Group entities and employees in line with the Group's Corporate Governance Framework. However, one current exception is QFF's partnership with Woolworths, as Woolworths Everyday Rewards (WER) members may opt-in to earn Qantas Points as their reward under the WER program, automatically converting WER points they earn when shopping at Woolworths into Qantas Points. -Adam Kinsella, Product Owner for Network, Network Security, Qantas. These are documented in email form and stored on a shared drive. 3.3 Member registration is conducted online, either directly through the QFF website or through a link on a program partner website. All relevant materials have been updated and the Qantas Group continues to manage both the data privacy and data security risks in a coordinated way. The card is posted to the member's nominated postal address. 4.66 As a part of Qantas' financial and corporate governance reporting requirements, the Group Audit Team regularly checks the QFF training logs, which are managed by the Qantas Human Resources Department. Please refer to Qantas Group Policies available on the Qantas Intranet or from your manager or people representative for details.
The Group has a structured employee wellbeing and mental health program which has the dual focus of understanding and protecting our people from wellbeing and mental health-related risks, along with amplifying the opportunities for our work to positively impact on our wellbeing and mental health. 4.74 Qantas Frequent Flyer applies data analytic techniques, and then uses this data for targeted advertising and marketing. The policy is dated to reflect when it was last reviewed. Qantas Group declared at its recent investor day that it had made a significant investment in cyber security systems and capability. 6.3 The scope of this assessment was limited to the consideration of QFF's handling of personal information against the requirements of APP 1 (open and transparent management of personal information) and APP 5 (notification of collection of personal information). Qantas keeps relationships with various regional carriers. The ability to respond seamlessly to events that impact the Group is fundamentally important in ensuring continued Group operations in the event of a discontinuity of service, mitigating risks and minimising disruptions to our customers. [2] See - Coles flybuys and Woolworths Rewards: what is the price of loyalty? Qantas Frequent Flyer then uses this and other information collected at various points throughout their membership, including when members earn and redeem Qantas Points and their interactions with marketing campaigns, to analyse member behaviours and identify target members for marketing campaigns. To report security or privacy issues affecting The Emirates Group products or web servers, you can contact security@emirates.com.
ICT protections, such as firewalls for segregated zones, malware detection software, whitelisting, application patching, encryption of data in transit and regular penetration testing. CHESS also has oversight of risks associated with regulatory compliance. The quantity and duration of malware infections, along with other factors, influence the overall assessment of an organization's IP Reputation. [10], 4.95 APP 1.4 contains a prescriptive list of information that an APP entity must include in its privacy policy,[11] as well as a list of other information that could be included, depending on the circumstances of the entity, to describe how the entity manages personal information.[12] Transparent Group Terms and Conditions. The Cyber Cooperation Program and Singapore's Ministry of Transport has partnered with the Association of Asia-Pacific Airlines, Qantas Group and EY to support the Aviation Cyber Resilience Project, a series of workshops aimed at building cyber capacity in the aviation industry throughout the Asia-Pacific. 4.18 Good privacy management requires the development and implementation of robust and effective internal policies, practices, procedures and systems that ensure the handling of personal information is in line with QFF's privacy obligations. collaborative privacy and security risk assessment processes, a culture that promotes privacy awareness, regular mandatory privacy training for all staff that is supported by ongoing privacy awareness initiatives, comprehensive and tested risk management and crisis management processes, including a data breach response process. Doniz has spent the last three years as head of IT and cyber security at Australia's national airline, including affiliates QantasLink, Qantas Loyalty and Theres
We take active, quality measures to help you keep safe online and we also encourage our members to do what's possible to protect their account and personal information. The safety and wellbeing of our customers and people is our highest priority. Who has issued the policy and who is responsible for its . Furthermore, crises are reviewed after resolution to determine the cause of the incident and whether it was preventable. Several members of Legal/Privacy are members of the GCSC to ensure that privacy is managed alongside cyber security. Was lucky enough to work for the Qantas Group for almost 5 years. 4.80 Qantas Frequent Flyer does not permit access to, or disclosure of, members' personal information to any of its program partners and is solely responsible for all communication with its members in relation to program partner products and benefits. Risk Management Policy; 9. If a privacy complaint must be escalated, the corporate liaison manager reports the complaint to the Customer Care Manager who then reports it to Group Legal. 4.13 Qantas has target timeframes for response due dates, including for privacy complaints. Socio-cultural. How can I be sure my Frequent Flyer account details are secure? [1] These programs reward individuals for their purchases and engagement via points, credit and other benefits. QFFSC staff verify a customer's identity before assisting the member with their query, including making any corrections. 4.98 The OAIC considers that there is room for improvement in the readability of the policy, and suggests that QFF works with the Qantas Group to review and, where possible, simplify the language of the policy. 4.25 Qantas' cyber security governance is the responsibility of the Group Cyber Security Committee (GCSC), which monitors, reviews and ensures the effectiveness of cyber risk strategy, systems, policies and procedures.
simplifies the notice to enhance readability, changes the title from important information to something that indicates to potential members that the notice relates to the collection of their personal information. 4.8 Policies are also reviewed when major legislative changes occur, such as the significant amendments to the Privacy Act that commenced in 2014. [3] QFF is run by Qantas Loyalty, a business unit within Qantas Airways Limited (Qantas). Cyber risk ratings influence business activity from the loading dock to the board room. Cyber security risk assessments Negar Salek. 4.47 QFF maintains a cyber incident register, which includes data breaches and online fraud. Privacy complaints and compliance issues are handled by the corporate liaison team, who receive regular privacy training. The program covers both work-related and non-work-related conditions. These controls include: 4.72 Overall, QFF has established robust ICT and user access policies, procedures and practices governing the security of personal information. develops and implements a privacy management plan that considers privacy goals and targets, and how to meet them. An automated voice-activated call from our telephone alert system, from 1300 754 566. 4.46 The QFF cyber security incident response plan is updated at least annually. When a member's accumulated Status Credits reach a designated level, their membership tier level increases (for example from Silver to Gold) and they can receive additional membership benefits, including earning higher rates of Qantas Points. Due to the investments made in resilience, the capability continues to be strengthened through the successful integration of external stakeholders ensuring the Group continues to possess a sophisticated holistic response and recovery system. 4.73 The OAIC particularly welcomes the use of multi-factor authentication and encourages QFF to continue its expansion.
Threat prevention may be hard to compute, but Forrester Consulting has done the work for you. The Group Business Resilience Management System (GBRMS) is an integrated response and recovery system across Qantas Group's strategic, operational and tactical environments, and is subject to a variety of airline and safety standards and regulations. 4.14 Requests to access personal information and privacy queries are also handled through the Customer Care Centre. These include the Qantas privacy statement (APP 1 privacy policy) and risk management policies, which are discussed separately later in this report. A Qantas 747-438(ER) VH-OEH departs runway 16 at YMML bound for the Antarctic (Victor Pody) Qantas has pushed back its plan to restart international flying from 31 October to late December 2021 following the news that borders are unlikely to open until mid-2022. 4.30 At the time of the assessment, the Qantas Group was investigating whether it would be required to appoint a data protection officer under the upcoming GDPR requirements. Qantas Domestic has a growing margin advantage over competitors, with a brand, network and product offering targeted at business and premium leisure customers who value Qantas has joined other sectors in asking the government to at least partially cover the cost of complying with proposed laws aimed at better defending the country's critical infrastructure networks and systems from cyber attacks. We pay our respects to the people, the cultures and the elders past, present and emerging. Joint advisory released for Managed Service Providers and Customers to mitigate cybersecurity risks The Australian Cyber Security Centre (ACSC) has today joined with international cyber security agency partners, to warn Managed Service Providers (MSP) of pressing cyber risks and provide guidance on suitable mitigations for them and their customers. 6.5 OAIC assessments are conducted as a point in time exercise.
Our approach covers three main areas: operational safety, people safety and operational security. However, the OAIC suggests that QFF continues to regularly review its use of personal information in its marketing and data analytics activities to ensure its processes and policies remain effective and appropriate. 4.1 This part of the report sets out the OAIC's observations, the privacy risks arising from these observations, followed by suggestions or recommendations to address those risks. The Qantas Group online Privacy Statement includes a link to a feedback form that is pre-populated to classify the matter as privacy related. 4.37 QFF risks are locally identified, assessed and resolved using the QRAG, and reported at a Group Level, following the Qantas Group risk reporting process, which includes coverage of privacy risks. Further, members of loyalty programs and the community at large would expect entities to safeguard the personal information that they have been entrusted with. Staff complete the training at induction and then every three years. All SIAs are recorded in the system and can be recalled or examined as needed. Protection from these attacks and the Renewed security awareness training for all employees and contractors, Renewed freight security training for all freight employees and contractors, Enhancing the relationship between the Group and Australian Federal Police (AFP) Air Security Officers, Collaborating with overseas regulators and airport authorities to enable the resumption of international operations, Participating in the government's review of the Australian security regulatory framework. QFF, as a business unit, would have the opportunity to share its learnings, as well as to learn from the experiences of other business units. This role reports into the Head of Group Cyber Security Centre (GCSC), providing a group-wide service of cyber security operational incident response, containment and support.
This means that the policy may be too complex for some readers, who are younger or who have a lower literacy level, to understand, and this could affect some QFF members. Furthermore, marketing and analytics staff are in constant consultation with QFF Legal in relation to changes or new ideas. Qantas EpiQure,[5] Qantas Money, etc). All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. We acknowledge our responsibility to protect and maintain the privacy rights of individuals, and to maintain the security and the value of their personal information. The cyber safety of Qantas Frequent Flyers is a priority for us. 5.6 Prior to the OAIC assessment in May/June 2017, the Qantas Group was already expanding its cyber security governance processes and materials to include increased focus on privacy. Your use of these systems may be monitored and investigated to ensure compliance with the law and Qantas Policies. Enhanced security measures for the smaller regional (domestic) cargo shipments in accordance with new Australian requirements. As part of meeting its obligations under APP 1.2, QFF should develop and implement a PMP, to be reviewed annually, that sets out specific goals and objectives for its privacy management with consideration of the specific issues that apply to its operations. Design, develop, deliver and measure ongoing risk aligned Group (Qantas, Jetstar and Loyalty) Cyber Safety Awareness Campaigns to raise Qantas Group employees' cyber awareness, uplift their cyber capability and embed a Cyber Safety culture throughout the Qantas Group, incorporating . continues to build the profile of privacy across the Group by: continuing with the implementation of the Qantas Group network of privacy champions to assist with the coordination of privacy matters across business units and reporting of these issues to senior management. 
We ensure the safety and welfare of our people, the protection of our reputation and the maintenance of critical services. The economic contribution of the Qantas Group to Australia in FY 2017. We take active, quality measures to help our members keep safe online and also encourage our members to do what's possible to protect their account and personal Cann Group chief executive Peter Crock says the group has not been able to recover $3.6 million in payments after a cyber fraud. The DISO may also determine that a more comprehensive security review or a formal PIA is needed. At the time, the airline said its new cyber security chief would identify and lead programs to "monitor the emergence of new threats and vulnerabilities, assess business impacts, and drive rapid responses to cyber security events." The Group is committed to raising awareness of our privacy compliance obligations and to manage our privacy risk by implementing a culture that considers privacy by design as a default position when handling personal information.