Publication date: 2 October 2019

Assessment undertaken: July 2017
Draft report issued: 8/10/2018
Final report issued: 30/6/2019

Part 1: Executive summary

1.1 This report outlines the findings of an assessment of the Velocity Frequent Flyer (Velocity) loyalty program undertaken by the Office of the Australian Information Commissioner (OAIC).

1.2 The scope of this assessment was limited to the consideration of Velocity’s handling of personal information under Australian Privacy Principle (APP) 1 (open and transparent management of personal information) and APP 5 (notification of collection of personal information).

1.3 The assessment found that Velocity has taken steps to foster a culture of privacy awareness that treats personal information as a valuable business asset. Velocity has robust and effective privacy practices, procedures and systems, including:

  • a privacy management plan
  • a clear privacy governance structure
  • a range of internal privacy and information security policies
  • regular mandatory privacy training for all staff that is supported by ongoing privacy awareness initiatives
  • privacy impact assessment (PIA) processes
  • clearly documented information asset management registers and data flows.

1.4 There is also a general awareness of privacy issues, and ICT security controls around systems holding personal information.

1.5 Additionally, Velocity’s APP 1 privacy policy adequately describes how the company manages personal information. Its current APP 5 collection notification practices appear reasonable and adequate.

1.6 The OAIC did not identify any medium or high risks with Velocity’s privacy practices, procedures and systems, or with the privacy governance measures it has in place. As a result, the OAIC has not made any recommendations. The OAIC has included some suggestions in the body of this report to assist Velocity to further protect the personal information that it handles.

Part 2: Introduction

Background

2.1 Loyalty programs are popular with consumers and businesses alike, with one Australian consumer research study reporting that 87 percent of Australians aged 18 and older were members of a loyalty program in 2017.[1] These programs reward individuals for their purchases and in return, the entity operating the loyalty program can collect data about members and their purchasing activities. Through the application of data analytic techniques, entities can then use this data for a variety of purposes including profiling for targeted advertising and marketing.

2.2 When entities undertake data analytics that involve personal information, they must comply with the requirements of the Privacy Act 1988. Further, members of loyalty programs and the community at large would expect entities to safeguard the personal information that they have been entrusted with.

2.3 In the 2014/2015 financial year, the OAIC assessed two leading loyalty programs in Australia.[2] Building on these assessments, the OAIC decided to assess other popular loyalty schemes in Australia. As Velocity is a popular loyalty program with a large member base, the OAIC conducted a privacy assessment of Velocity in 2017.

Part 3: Overview of Velocity

3.1 Velocity is the loyalty program of Virgin Australia Airlines Pty Ltd (Virgin Australia). Velocity operates as a subsidiary of the Virgin Australia Group.[3]

3.2 The Velocity loyalty program was launched in 2005, and had approximately 7.5 million members at the time of the assessment.

3.3 Velocity is a points-based rewards program, and members earn and redeem points through many channels. These include purchasing flights with Virgin Australia or partner airlines, as well as a range of products and services available from approximately 80 program partners.[4]

3.4 Members may join Velocity as either a ‘lite’ or a ‘full’ member, depending on the joining channel. Members can join through the Velocity website, when booking a Virgin Australia flight, by using a membership join form on a co-branded partner program website, on the Virgin Australia mobile app, or through the Virgin Australia in-flight entertainment system. Most members join through the Velocity website.

3.5 The joining channel will determine the amount and type of personal information that is collected. Depending on whether someone has joined as a ‘full’ or ‘lite’ member, personal information that may be collected from an individual when they join Velocity may include:

  • name
  • date of birth
  • age
  • gender
  • contact details (postal address, mobile number and email address)
  • country of residence.

3.6 Members may then choose to provide further information about their interests by completing their member profile in their online Velocity account. This may subsequently inform the types of marketing material they receive from Velocity. Marketing is provided on an opt-out basis and members can manage their communication preferences by logging in to their Velocity Account or by contacting Velocity.

3.7 Members’ personal information continues to be collected at various points throughout their membership, including when they earn and redeem points and Status Credits,[5] and when they interact with Velocity marketing campaigns.

3.8 Velocity has documented how the personal information it collects moves through its IT systems. Once captured, most personal information flows through middleware[6] into Velocity’s primary database, though some supplementary details are stored in an additional Virgin Australia database. Velocity regards the primary database as the source of truth for the majority of member profile fields, and these are then replicated across some additional databases.

3.9 Membership information is fed from the Velocity databases into several Velocity and Virgin Australia data stores. These data stores are used for a variety of purposes, such as generating marketing campaigns or data analytics.

3.10 To assist with its marketing and data analytics work, Velocity acquired Torque Solutions (Australia) Pty Ltd (Torque) in 2015. Torque provides customer analytics and database management services to corporate clients, including Velocity, and therefore handles the personal information that the corporate client has collected from its own customers. The systems that Torque uses for its data analytics functions are separate to those of Velocity and Virgin Australia.

Part 4: Findings

Our approach

4.1 This part of the report sets out the OAIC’s observations, an analysis of the privacy risks arising from these observations, followed by suggestions to address those risks.

4.2 The key findings of the Velocity assessment are set out below under the following headings:

  • APP 1.2 — implementing practices, procedures and systems
  • APP 1 — privacy policy
  • APP 5 — collection notices.

4.3 The OAIC has applied its guide, Privacy management framework: enabling compliance and encouraging good practice, to its consideration of the reasonable steps that Velocity has taken to address the requirements of APP 1.2.

4.4 In the privacy analysis below, the OAIC also considered its APP Guidelines, which outline the mandatory requirements of the APPs, how the OAIC will interpret the APPs, and matters the OAIC may take into account when exercising functions and powers under the Privacy Act.

APP 1.2 — internal practices, procedures and systems

4.5 APP 1.2 requires an entity to take reasonable steps to implement practices, procedures and systems that will:

  • ensure that the entity complies with the APPs; and
  • enable the entity to deal with privacy related enquiries or complaints from individuals.

Internal policies and procedures

Observations

4.6 The OAIC noted a strong awareness of privacy and information security issues through its review of relevant Velocity policy and procedure documents and interviews with staff.

4.7 A variety of policies and procedures govern Velocity’s operations, some of which apply across the Virgin Australia Group, and others are specific to Velocity. Some of these documents, such as Velocity’s APP 1 privacy policy, risk management policies and training materials are discussed separately later in this report.

4.8 The OAIC reviewed Velocity’s privacy management plan (PMP), which is modelled on the guidance provided in the OAIC’s Privacy management framework, and presents an overview of the activities that Velocity has carried out, or will continue to carry out, to facilitate compliance with the requirements of APP 1.2. Many of the activities recorded in the PMP are discussed throughout this report.

4.9 The key internal privacy-related policies for general staff use are accessible from a dedicated privacy section of the Group intranet website. The OAIC was advised that policies are reviewed annually, though they may also be updated on an as-needed basis, for example to incorporate changes to legislation.

4.10 The PMP states that where responsibility for relevant policies and procedures sits outside the remit of the Head of Group Privacy, for example IT security and access policies, the Head of Group Privacy will prompt the responsible business area to review those policies on an annual basis. The role of the Head of Group Privacy is described in further detail in the ‘Governance and culture’ section of the report.

4.11 Staff have access to a range of resources on the privacy intranet page, including information about the Privacy Impact Assessment (PIA) process, how to handle a privacy complaint or enquiry, or how to respond to a data breach. Velocity’s approach to each of these issues is discussed in more detail later in this report.

4.12 In addition, the intranet page contains a link to the Virgin Australia Group’s overarching internal privacy management manual, which provides an overview for all staff of their obligations under the Privacy Act. It also details practical applications of the law to Virgin Australia and Velocity’s business and operations, including PIAs, direct marketing, security of personal information, retention and destruction of personal information, managing privacy complaints, and responding to data breaches.

4.13 As well as providing guidance information for staff through the intranet page, there are other relevant internal policies and procedures for the handling of personal information. They include documents that are used to manage the sharing of personal information between entities within the Group, including between Virgin Australia and Velocity, and Torque’s use of Velocity and Virgin Australia’s information for data analytics purposes.

4.14 The OAIC noted that the document that governs the sharing of information between Virgin Australia and Velocity contains terms that, the OAIC considers, may be narrower in meaning than the terminology used in the Privacy Act. In particular, the document uses the term ‘reasonably required’ to describe situations in which data may be shared between the two entities. It also uses the term ‘best endeavours’ to describe the steps that one entity must take to protect data it has received from the other entity.

4.15 In addition, the OAIC observed that two documents (the Personal Information Matrix and the Information Classification and Labelling Guide) refer to personally identifiable information (PII), rather than personal information (PI) as defined in s 6 of the Privacy Act.

4.16 Velocity servers are hosted in Australia, and the OAIC was advised that Velocity currently does not store any information offshore. However, Velocity does work with third parties that are based overseas. The OAIC was provided with standard contractual clauses that are used to ensure that Velocity can comply with its obligations under the Privacy Act and the APPs. For example, there are provisions that explicitly prohibit the misuse of Velocity members’ personal information, the handling of personal information for any purpose other than the purposes of the contract, and the transfer or disclosure of personal information outside of Australia.

4.17 The standard contractual terms also require the supplier to specify their location, including the relevant countries where offshore services are provided. These countries are listed in the Velocity privacy policy and privacy collection statements. Where the contract involves disclosure of information overseas, staff are asked to contact the Privacy Team for further input and to exercise due diligence to meet the obligations of APP 8 (overseas disclosure requirements).

4.18 Velocity privacy complaints and enquiries are handled in accordance with the Group privacy complaints manual. This document sets out the process for dealing with complaints or enquiries received through a dedicated privacy email inbox. During interviews with staff, the OAIC was advised that most privacy complaints and access or correction requests come through that inbox, as that email address is listed on both the Virgin Australia and Velocity privacy policies. Staff can also send privacy complaints or queries to the same inbox.

4.19 The Virgin Australia Privacy Specialist monitors the privacy inbox, and forwards any non-privacy complaints to the appropriate business area. All privacy-related complaints or enquiries are captured within a computer system and assigned to a lawyer for evaluation, with the assistance of the Virgin Australia or Velocity Privacy Specialist, if required. They are also recorded in an incident register. Access to privacy complaints is restricted to the legal team, including the Head of Group Privacy and the Privacy Specialists.

4.20 As with emails sent to the privacy inbox, telephone complaints and requests are sorted according to the nature of the complaint or query. Velocity Membership Contact Centre (MCC) staff may be able to deal with the complaint or request, or forward it on to another business area. Where a privacy issue has been raised, the MCC knowledge management system guides MCC staff to ask the member to send the complaint in writing to the privacy inbox, where it will be handled in the same way as an email complaint. If a member calls the MCC with an access or correction request, MCC staff can often handle the request. If not, or if a member complains to MCC staff about how such a request has been handled, then the MCC knowledge management system instructs staff to ask the customer to contact the privacy inbox.

4.21 Velocity staff advised that they aim to resolve privacy complaints and access or correction requests within 7-10 days of their receipt, but this depends on the complexity of the complaint or request. The timeframe stated in the complaints section of Velocity’s privacy policy is 10 working days.

Analysis

4.22 The OAIC noted that three documents (discussed above) contain outdated or incorrect terminology. The use of these terms, which are narrower than those in the Privacy Act, could lead to a failure to protect personal information where such information is not considered to be PII but would fit the definition of personal information in s 6 of the Privacy Act. However, given that only three out of approximately 70 documents that were provided to the OAIC have this problem, and in light of the other policies, procedures and systems in place at Velocity, the OAIC considers this to be a low risk. The OAIC suggests that Velocity review and consider revising these documents to reflect the language used in APP 1.2 and s 6 of the Privacy Act, as applicable.

4.23 Overall, the OAIC considers Velocity to have robust and effective internal policies and procedures, including for the handling of privacy complaints and access or correction requests.

4.24 The OAIC suggests that Velocity regularly review its policies and procedures, including those as detailed in the PMP, to ensure that they remain effective and appropriate.

Governance and culture

Observations

4.25 Velocity’s PMP summarises the governance measures in place to enable compliance with APP 1.2. There are several key staff responsible for privacy and they make up the Group privacy governance structure, which sits within the Virgin Australia Group Legal and Risk Division.

4.26 At the time of the assessment, a Privacy Specialist was employed within Velocity, and recruitment was progressing for a replacement Privacy Specialist for Virgin Australia. Key roles and responsibilities of the Privacy Specialists include:

  • providing privacy compliance advice and guidance
  • preparing and delivering privacy training
  • keeping the Head of Group Privacy informed of key privacy matters and issues
  • implementing the Virgin Australia and Velocity Privacy Management Plans
  • regularly reviewing key privacy policies and procedures
  • conducting PIAs
  • acting as a point of escalation within Velocity and Virgin Australia for privacy related matters (and escalating to Head of Group Privacy where necessary)
  • maintaining knowledge and awareness of developments in privacy and data protection law.

4.27 The Privacy Specialists report directly to the Head of Group Privacy, who is part of the in-house legal team and reports to the General Manager, Legal. The Privacy Team provides a weekly report to the Head of Group Privacy that outlines key privacy-related matters such as PIAs in progress and completed, enquiries received through the privacy inbox, any privacy complaints or incidents, and any notable risks identified. The Head of Group Privacy manages the Privacy Team and is responsible for overseeing and implementing the Group privacy management framework. The Head of Group Privacy is the point of escalation for privacy-related issues within the business.

4.28 The Chief Legal and Risk Officer (CLRO) has ultimate oversight and responsibility for the Group’s centralised privacy function. Each week, the Head of Group Privacy provides the CLRO with a summary of key risks and issues, including privacy risks. The CLRO is the main avenue for reporting privacy matters to the Group CEO.

4.29 Key privacy issues and risks are also formally reported to the Group Audit and Risk Management Committee (ARMC) every six months.

4.30 The Head of Group Privacy has nominated privacy contacts in each business area to act as privacy ‘champions’ within their respective business areas. Many of these also sit on the Group Privacy Council.

4.31 The Group Privacy Council comprises members of staff, predominantly senior managers, from various business areas across the Group. The Privacy Council has a standing agenda and terms of reference. It meets quarterly to provide strategic oversight of privacy issues that arise across the Group, as well as to discuss general items of interest relating to privacy. During fieldwork, the OAIC was advised that privacy issues that are raised during meetings become action items for the Velocity and Virgin Australia Privacy Specialists, and follow the same reporting lines as other privacy issues, including reporting to the Executive Committee if necessary.

Analysis

4.32 Velocity has a mature privacy culture and its staff have a good awareness of privacy issues. Velocity regards personal information as its chief business asset and has invested in a range of resources to safeguard it.

4.33 The OAIC considers that Velocity has reasonable and effective privacy governance measures in place. The OAIC suggests that Velocity regularly review its privacy governance structure to ensure that it remains effective and appropriate for supporting a mature privacy culture within Velocity.

Risk management

Observations

4.34 The Virgin Australia Group’s risk management framework governs Velocity’s risk management processes. Separate risk registers are kept for the Group and for Velocity.

4.35 At a Group level, the Group Board of Directors oversees risks and approves the Group risk appetite statements. The ARMC assists the Board in discharging its corporate risk oversight responsibilities. The Virgin Australia Group’s risk policy and framework are reviewed annually and approved by the ARMC.

4.36 The Virgin Australia Group’s risk management framework and its supporting documentation are compatible with industry standards,[7] and are accessible to staff through the Group intranet.

4.37 Every division of the Virgin Australia Group has a risk profile that is used to monitor key risks, including compliance risks. The risk profile defines the risk, key controls and any treatment actions in place to mitigate the risk. Each risk is compared to the Virgin Australia Group’s risk appetite statements to determine whether the risk requires treatment.

4.38 Velocity’s risk profile identifies a privacy breach as a key risk. The Velocity Chief Executive Officer (CEO) is the nominated risk owner. Velocity has a separate Board and its own Audit and Risk Management Committee, which is kept informed of Velocity-specific privacy risks through the Velocity risk profile. Every quarter the Group Risk Management team commences a review of the Velocity risk profile and tracks treatment actions. This is reported to the Velocity ARMC.

4.39 Velocity’s most recent risk profile document identifies several controls that are in place to mitigate privacy risks within Velocity, including the governance structures set out above, the PMP, information-handling policies and procedures, staff training and awareness, ICT security, the complaints-handling processes, privacy and legal review of all contracts, as well as the PIA and vendor security assessment (VSA) processes that are explained in further detail below.

4.40 In addition, the Velocity risk profile document suggests a number of proposed treatment options for identified privacy risks. Several of these relate to the need to continually monitor internal policies and practices, as well as external sources such as changes to legislation, for emerging or changing risks. In addition, the profile document identifies two specific projects to minimise privacy risks within Velocity, including implementing an automated process for destroying and de-identifying personal information in accordance with Velocity’s data retention policy, and engaging an external provider to assist with Velocity’s privacy breach response capability.

Analysis

4.41 The implementation of privacy risk management processes is integral to establishing robust and effective privacy practices, procedures and systems. These risk management processes allow an entity to identify, assess, treat and monitor privacy risks related to its activities. Good privacy risk management informs and triggers changes to practices, procedures and systems to better manage privacy risks.

4.42 Velocity’s risk management processes and policies are comprehensive and adequately deal with the identification, recording, reporting and mitigation of privacy risks within Velocity. The OAIC suggests that Velocity continue with its planned implementation of the two specific projects outlined in its most recent Velocity risk profile document, being the automated destruction/de-identification project and the engagement of an external provider to assist with Velocity’s privacy breach response capability.

4.43 In view of the complexity of Velocity’s current risk management structure and framework, the OAIC suggests that Velocity continue to regularly evaluate its risk management policies and practices to ensure their continued effectiveness. Additionally, where new risk management practices evolve, the OAIC suggests that these practices, and the reasons behind them, be appropriately documented.

Data breach response plan

Observations

4.44 Velocity’s data breach response process is set out in a Group-wide data breach response policy and plan document. This document details what constitutes a data breach, and outlines the process for handling an actual or suspected data breach. The Group Chief Information Security Officer (CISO) is responsible for recording all data breaches in the Group Security Incident Management System. Ultimately, responsibility for determining the appropriate response rests with the Group CISO, the Chief Legal Officer and the Head of Group Privacy. Velocity advised that the data breach response document is reviewed annually, and after legislative changes, such as the forthcoming Notifiable Data Breaches scheme.[8]

4.45 A data breach information ‘cheat’ sheet, which is intended for general staff use and is accessible on the Group privacy intranet page, supplements the policy document. This contains a summarised version of the steps a staff member should follow in the event of an actual or suspected data breach. The data breach response process is also covered in staff training.

4.46 Under the Group data breach response plan, each business area, including Velocity, is responsible for implementing that area’s specific data breach response checklist, which sets out area-specific tasks, considerations and contacts.

4.47 The OAIC was informed that the Group business resilience team recently conducted a mock exercise that was designed to test the response of teams and senior management across the Group following a breach of Velocity member data. The test involved significant preparation and training across the Group.

4.48 Velocity noted that the test was a useful opportunity to reflect on performance and improve staff education and procedures.

4.49 The OAIC was also advised that there are plans to run a similar test event every 12 months to hone responses and ensure key staff understand their roles in the process.

Analysis

4.50 The OAIC considers Velocity to have an adequate and effective data breach response plan in place and suggests that it continue to practise and review this plan to ensure that it remains effective and appropriate.

Privacy impact assessments (PIAs) and vendor security assessments (VSA)

Observations

4.51 Velocity staff are required to undertake a PIA for all projects that deal with personal information. If a new program partner is selected and they will operate within the same parameters as an existing partner, then a PIA is not required, though a VSA will always be required. More information on the VSA process is set out below.

4.52 As well as undertaking PIAs for projects using personal information, Velocity advised that PIAs may be carried out even if a project will use de-identified information, such as for analytics purposes (discussed below).

4.53 To assist staff with the PIA process, resources are available through the privacy intranet page. These include a PIA guide and a template PIA form. The business area must complete the PIA form and send it to the relevant Privacy Specialist, who then carries out the PIA in consultation with the business area and the legal team where required. During fieldwork, the OAIC was advised that Velocity sometimes engages external lawyers to carry out PIAs for large projects.

4.54 The Velocity Privacy Specialist also maintains a PIA register to track the progress of PIAs, and whether any recommendations were made following the PIA. Velocity advised the OAIC that where recommendations have been made, the Privacy Specialist works with the business area to address them.

4.55 When engaging third parties that will use Virgin Australia or Velocity data or interact with Virgin Australia or Velocity systems, the third party must undergo a VSA. This requirement helps to identify possible information security risks of proposed program partners, vendors or technology service providers.

4.56 During fieldwork, the OAIC was informed that the VSA process also acts as a safeguard for identifying projects that need a PIA, as the CISO has oversight of the VSA process and will check that a PIA has been done if the project involving a third party will involve the use of personal information.

Analysis

4.57 The OAIC considers Velocity to have an adequate and effective system in place for conducting PIAs. Given the amount of personal information that Velocity handles, the OAIC suggests that Velocity continue conducting PIAs even where a project will use de-identified information (see ‘Marketing and data analytics’ section below). The OAIC suggests that Velocity regularly review its PIA and VSA processes to ensure that they remain effective and appropriate.

Training

Observations

4.58 Velocity staff receive comprehensive and regular privacy training, with a range of initiatives in place to ensure ongoing awareness of privacy and information security issues.

4.59 A brief overview of privacy obligations is included in induction training for all Group staff. All new Velocity staff, including senior executives, contractors and staff working at Torque must also complete an online privacy-specific training course at the commencement of their employment. Staff are required to complete online refresher training each year. Refresher training reminder emails are sent to staff, and the Velocity Privacy Specialist also monitors completion.

4.60 In addition to annual online training, the Privacy Team delivers face-to-face privacy training to staff across the Group. These sessions are tailored to the needs of particular business areas, and are delivered at regular intervals. Training sessions are also delivered on an ad-hoc basis when either the Privacy Team or a business area identifies a need for additional training. Attendance is monitored and training sessions are recorded for those who are unable to attend in person.

4.61 As well as training, staff awareness of privacy issues is maintained through other initiatives such as privacy update emails and Velocity’s participation in the OAIC’s Privacy Awareness Week. Staff can also access key privacy-related policies and resources through the intranet.

4.62 In addition to privacy training and awareness, staff also receive face-to-face information security training from the CISO. The CISO also maintains awareness of information security issues through mock phishing email exercises and regular update emails.

Analysis

4.63 The OAIC considers Velocity to have an adequate and effective privacy training regime in place and suggests that Velocity regularly review its training scheme to ensure that it remains effective and appropriate.

ICT and access security

Observations

4.64 The Group CISO is currently responsible for Velocity’s information security, though the OAIC was advised during fieldwork that recruitment for a Velocity CISO was underway. The Group CISO sits at the Executive Committee level and reports directly to the Group CEO, with regular weekly meetings.

4.65 During the assessment, the OAIC was advised of Velocity’s security controls, in particular those for its primary database. Due to this assessment’s scope, the OAIC did not consider most of these controls in detail.

4.66 In relation to managing external threats, controls include:

  • regular security scanning and threat detection
  • intruder security measures
  • endpoint security measures
  • twice-yearly penetration testing
  • monthly patching of software, with more frequent patching for critical vulnerabilities
  • use of anti-virus and firewall protections.

4.67 There are also a range of measures in place to protect against internal threats, including:

  • limited role-based access to Velocity’s primary database, and further limitations to the number of staff with the ability to make changes to the information contained in the database and to access the database remotely
  • regular review and auditing of users with access to Velocity’s primary database
  • a number of Group staff policies such as a clean desk policy, computer and mobile device usage policies, and a wireless access policy.

4.68 Physical security measures, such as swipe card access to buildings, are also in place to protect Velocity’s information from unauthorised external and internal access.

4.69 Velocity advised that two key projects were underway to further improve Velocity’s information security measures, being:

  • a rollout of encryption for data at rest
  • a rollout of multi-factor authentication for Velocity members when logging in to their accounts.

4.70 To ensure all personal information is appropriately secured throughout the information lifecycle, Velocity:

  • keeps comprehensive records of its information assets, for example, by maintaining a document that outlines the systems on which various elements of personal information are stored and the categories of information that are exchanged with program partners and service providers
  • uses the Group information classification and labelling policy and guide to outline its expectations regarding handling of information
  • has a policy in place to ensure data is backed up frequently and randomly tests recovery from back-up
  • retains, destroys and de-identifies data in accordance with a Group data retention protocol, the Velocity-specific retention and disposal schedule and computer usage policy.

Analysis

4.71 Noting the assessment’s scope, Velocity has, overall, established robust ICT and user access policies, procedures and practices governing the security of personal information. To ensure only authorised persons can access the personal information that Velocity holds, the OAIC suggests that Velocity carry out its planned implementation of encryption of data at rest, and its rollout of multi-factor authentication for members to access their accounts online.

4.72 Velocity advised that when a member requests the closure of their account, their account is de-identified and personal information is deleted from Velocity’s main data store and local backups within 24 hours. However, archived backups cannot be altered, so personal information will be visible on such backups until they are deleted, which occurs after 7 years. Whilst the Group data retention protocol makes it clear that staff should not undertake to members that all personal information will be irretrievably destroyed following a deletion request, Velocity could consider including the above timeframes in the guidance given to staff and in the Velocity-specific retention and disposal schedule, so that if necessary, this information can be passed on to members.

4.73 Noting this assessment’s scope, the OAIC considers that the safeguards in place are currently adequate, however, these should be regularly reviewed and revisited in order to meet constantly evolving ICT risks related to personal information. The OAIC’s Guide to Securing Personal Information may be of assistance in considering reasonable steps to protect personal information.

Marketing and data analytics

Observations

4.74 Velocity applies data analytic techniques to the personal information it collects and uses the results for targeted advertising and marketing.

4.75 As described earlier in this report, Velocity collects members’ personal information from a variety of sources throughout their membership. As well as the personal information that a member provides when joining Velocity or updating their Velocity profile, Velocity also collects personal information from members when they interact with marketing campaigns and when they earn or redeem points or Status Credits.

4.76 In relation to the use of personal information for marketing and analytics purposes, Velocity’s APP 1 privacy policy and collection notice state that members’ personal information may be:

  • used to identify products or services that may be of interest to members
  • used to contact members about membership benefits and promotions that Velocity, its related entities, and program partners offer
  • used to generate targeted online advertising and behavioural marketing
  • disclosed to related entities or program partners for marketing of their products or services, based on membership details or transactions with Velocity, noting that Velocity or a third party, such as a marketing agency, will contact members, rather than the program partner directly
  • used to generate insights about members, which will help identify products, services, membership benefits and rewards offered by Velocity, its related entities, program partners and third parties that may be of interest to that member.

4.77 Velocity advised the OAIC that any sensitive information it collects is not used for marketing purposes.

4.78 Velocity has documented the process by which the personal information it collects is used in its marketing activities. Generally, personal information that is collected and stored on several Velocity databases is loaded from those databases to a centralised data warehouse, and after undergoing a series of transformation processes, is uploaded to Velocity’s campaign management tool. While personal information is loaded into the campaign management tool, only a limited number of staff have access to the tool.

4.79 Data extraction from the campaign management tool is limited to Velocity’s Customer Relationship Management analysts. Five additional staff have administrative access and can extract data from the tool. Data is generally extracted for campaign reporting purposes, or for fulfilling bonus points promotions.

4.80 The OAIC was advised that privacy is factored into Velocity’s marketing process in a number of ways. These include targeted privacy training for all marketing staff, role-based access to systems to limit the number of people with access to personal information, and legal team clearance for all marketing campaigns.

4.81 Velocity also uses the personal information it collects to conduct data analytic activities through its wholly-owned subsidiary, Torque. A very limited number of analysts within Torque have access to the personal information held by Velocity and use this data to generate analytics insights.

4.82 The OAIC was advised that privacy has a high profile within Torque, which is evidenced in Torque’s data governance protocol. For example, the protocol requires a PIA to be conducted for any proposed activity or service that is outside of business-as-usual activities (which are pre-vetted for privacy compliance), and the OAIC was advised that PIAs will often be conducted even when only de-identified information will be used. Torque also has its own privacy policy that outlines how it handles the personal information it collects through its corporate customers such as Velocity.

4.83 Members are informed in both the privacy policy and in email marketing campaigns that they can opt-out of marketing materials using the “unsubscribe” link at the bottom of the email, by updating their account preferences online or by otherwise contacting Velocity.

Analysis

4.84 Data analytics involves amassing, aggregating and analysing large amounts of data.[9] Where data analytics involves personal information, entities must ensure they are complying with the requirements of the Privacy Act.

4.85 From this assessment, the OAIC considered that Velocity’s APP 1 privacy policy and APP 5 collection notices adequately describe how a member’s personal information may be used for marketing and data analytics purposes.

4.86 The OAIC suggests that Velocity regularly review its APP 1 privacy policy and APP 5 collection notices to ensure they adequately explain the use of a member’s personal information, especially if the nature and scale of Velocity’s marketing and data analytics activities changes.

4.87 Based on the information provided, the OAIC also considers that the privacy safeguards in place for Velocity’s marketing and data analytics are currently adequate. Due to this assessment’s scope, the OAIC did not consider most of these safeguards in detail. However, the OAIC suggests that Velocity regularly review its use of personal information in its marketing and data analytics activities to ensure its processes and policies remain effective and appropriate. The OAIC also suggests that Velocity continue with its current practice of undertaking PIAs even when using de-identified data, as this could help to identify risks of authorised or unauthorised re-identification, identify areas where Velocity may be generating new personal information about members from information it holds, and ensure appropriate protections are in place where projects change in size or scope.

4.88 In addition, given the amount of personal information that Velocity handles and the extent of its use in marketing and data analytics projects (whether in identified or de-identified forms), the OAIC also suggests that Velocity continue to monitor and assess the risks of these projects as they progress, including any risks of re-identification or where projects begin to generate new personal information about members, without collecting that information directly from members.

4.89 The OAIC and CSIRO’s Data61 have recently published a De-identification Decision-Making Framework, which may provide Velocity with further practical guidance to effectively de-identify information that is used for data analytics purposes.

4.90 For more information about relevant key concepts when considering data analytics and privacy, and how the APPs apply to data analytics, see the OAIC’s Guide to Data Analytics and the Australian Privacy Principles.

APP 1 — privacy policy

Observations

4.91 The purpose of APP 1 is to ensure that ‘APP entities manage personal information in an open and transparent way’ (APP 1.1). This enhances the accountability of APP entities in relation to their personal information handling practices.

4.92 Under APP 1.3, APP entities must have a clearly expressed and up to date APP privacy policy that explains the entity’s handling of personal information.

4.93 The OAIC reviewed Velocity’s privacy policy against the requirements of APP 1. As part of this review, the OAIC applied a Flesch-Kincaid test to provide a general indication of the complexity and readability of the policy.[10]

Analysis

4.94 APP 1.4 contains a prescriptive list of information that an APP entity must include in its privacy policy,[11] as well as a list of other information that could be included, depending on the circumstances of the entity, to describe how the entity manages personal information.[12]

4.95 In its review, the OAIC found that the Velocity privacy policy meets the prescriptive requirements of APP 1.4. However, the OAIC notes that the Flesch-Kincaid test indicated that the policy would be easily understood by people with an approximate reading age of 19-20 years old. This means that the policy may be too complex for some readers, such as those who are younger or who have a lower literacy level, to understand, and this could affect some Velocity members.

4.96 The OAIC considers that there is room for improvement in the readability of the policy and suggests that Velocity review and, where possible, simplify the language of the policy. Velocity could also consider using graphics, videos and other digital formats as a way of clearly communicating to its members how it handles personal information.
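The readability check referred to in 4.93 and 4.95 can be reproduced offline. The following is an added example, not the OAIC's tool or Velocity's code: it implements the published Flesch-Kincaid grade-level formula (0.39 × words per sentence + 11.8 × syllables per word − 15.59) with a simple syllable heuristic, and converts the grade to a reading age by adding five years, which is an assumed approximation rather than something the report states. The two sample passages are constructed; the second is written in the register of a typical collection notice so the contrast is visible.

```python
import re

VOWEL_GROUPS = re.compile(r"[aeiouy]+")

def count_syllables(word: str) -> int:
    """Heuristic English syllable count: vowel groups, with two silent-ending rules.

    Deliberately simple (a production tool would use a pronouncing dictionary);
    every word in the constructed samples below is counted correctly by it.
    """
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    if len(w) > 2 and w.endswith("e") and not w.endswith(("le", "ee")):
        w = w[:-1]           # silent final e: safe, purpose (but table, free)
    elif len(w) > 3 and w.endswith("ed") and w[-3] not in "td":
        w = w[:-2]           # silent -ed: disclosed, used (but wanted, needed)
    return max(1, len(VOWEL_GROUPS.findall(w)))

def text_stats(text: str):
    """Return (sentences, words, syllables) for a passage."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    return len(sentences), len(words), sum(count_syllables(w) for w in words)

def flesch_kincaid_grade(text: str) -> float:
    """US school grade level needed to follow the text (Flesch-Kincaid grade formula)."""
    s, w, syl = text_stats(text)
    return 0.39 * (w / s) + 11.8 * (syl / w) - 15.59

def approximate_reading_age(text: str) -> float:
    """Assumed conversion: US grade + 5 years gives the age of a reader in that grade."""
    return flesch_kincaid_grade(text) + 5.0

def too_complex(text: str, max_grade: float = 8.0) -> bool:
    """True if the text exceeds a target grade; the default of 8 is an assumed target."""
    return flesch_kincaid_grade(text) > max_grade

# Constructed sample passages (not text from Velocity's policy or notice).
PLAIN = "We keep your data safe and tell you who we share it with."
COMPLEX = ("Personal information may be disclosed to related entities or program "
           "partners for the marketing of their products or services.")

if __name__ == "__main__":
    for label, text in (("plain", PLAIN), ("complex", COMPLEX)):
        print(f"{label}: grade {flesch_kincaid_grade(text):.1f}, "
              f"reading age about {approximate_reading_age(text):.0f}, "
              f"too complex: {too_complex(text)}")
```

The plain sentence scores around grade 2 and the notice-style sentence around grade 14 (a reading age of roughly 19), which is the gap the report is pointing at: the same disclosure can be made with shorter sentences and fewer multi-syllable words, and a check like this can be run on each draft before it is published.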

APP 5 — collection notices

Observations

4.97 APP 5 requires APP entities that collect personal information about an individual to take reasonable steps either to notify the individual of certain matters (listed in APP 5.2) or to ensure the individual is aware of those matters.

4.98 Velocity provided the OAIC with a number of collection notices, with the most relevant one being the ‘privacy statement’ displayed to potential new members when joining Velocity online. The OAIC was also provided with sample text that staff are instructed to use, for example by telephone when people call the MCC.

4.99 A link to the primary collection notice, along with a link to the Velocity terms and conditions, is available next to a checkbox that new members must tick before submitting their membership application on Velocity’s website. The OAIC reviewed the primary collection notice against the requirements of APP 5.

Analysis

4.100 The OAIC found that the Velocity collection notice meets the requirements of APP 5, and that it refers readers to the APP privacy policy for further information. However, as with the privacy policy, the language used in the notice is complex, and may be difficult for some readers, who are younger or with a lower literacy level, to understand. The OAIC therefore suggests that Velocity review and, where possible, simplify the language of the notice to enhance its readability.

Part 5: Description of assessment

Objective and scope of the assessment

5.1 This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the APPs.

5.2 The objective of the assessment was to examine whether personal information collected by Velocity is handled in accordance with the Privacy Act.

5.3 The scope of this assessment was limited to the consideration of Velocity’s handling of personal information against the requirements of APP 1 (open and transparent management of personal information) and APP 5 (notification of collection of personal information). Specifically, the assessment examined whether:

  • the policies and procedures of Velocity were reasonable in the circumstances to ensure that personal information is managed in an open and transparent manner (APP 1)
  • Velocity provides reasonable and adequate notifications to users of its services (Velocity members) when collecting personal information (APP 5).

Privacy risks

5.4 The OAIC did not identify any high or medium risks during the assessment; accordingly, the OAIC has not made any recommendations. There are, however, a number of suggestions that will, in the OAIC’s opinion, help further protect the personal information that Velocity handles. These suggestions are set out in the body of the report.

5.5 The OAIC assessments are conducted as a ‘point in time’ exercise. That is, our observations and opinions are only applicable to the time period during which the assessment was undertaken.

5.6 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’ in Appendix A. Further detail on this approach is provided in Chapter 7 of the OAIC’s Guide to privacy regulatory action.

Timing, location and assessment techniques

5.7 The OAIC conducted a risk-based assessment of Velocity and focussed on identifying privacy risks to the effective handling of personal information in accordance with privacy legislation.

5.8 The assessment involved the following:

  • review of relevant policies and procedures that Velocity provided
  • an analysis of Velocity’s APP 1 privacy policy
  • fieldwork, which included interviewing key members of staff of Velocity and Virgin Australia and reviewing further documentation, at the Velocity offices in Sydney on 10 and 11 July 2017.

Reporting

5.9 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.

Appendix A: Privacy risk guidance

The guidance below sets out, for each privacy risk rating, the entity action required and the likely outcome if the risk is not addressed.

High risk

Entity action required: Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation.

Likely outcome if risk is not addressed: Immediate management attention is required. This is an internal control or risk management issue that, if not mitigated, is likely to lead to the following effects:

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies).

Medium risk

Entity action required: Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation.

Likely outcome if risk is not addressed: Timely management attention is expected. This is an internal control or risk management issue that may lead to the following effects:

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities
  • Possible ministerial involvement or censure (for agencies).

Low risk

Entity action required: Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation.

Likely outcome if risk is not addressed: Management attention is suggested. This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed:

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met.

Footnotes

[1] The Point of Loyalty, For Love or Money 2017, viewed 9 January 2018, The Point of Loyalty website.

[2] See Coles’ flybuys and Woolworths’ Rewards: what is the price of loyalty?

[3] Velocity Frequent Flyer Holdco Pty Ltd is owned by Virgin Australia Holdings Limited, which is the parent company of the Virgin Australia Group. Affinity Equity Partners hold a minority interest in Velocity Frequent Flyer Holdco Pty Ltd.

[4] For a current list of program partners, see the Velocity Frequent Flyer Partners page.

[5] As well as earning and redeeming points, Velocity membership allows members to earn Status Credits. When a member’s accumulated Status Credits reach a designated level, their membership tier level increases (for example from Silver to Gold) and they can receive additional membership benefits, including earning higher rates of points.

[6] Software that acts as a bridge between a database and applications.

[7] AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines and Principle 7: Recognise and Manage Risk of the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations, 3rd Edition.

[8] See the Notifiable data breaches page.

[9] Office of the Australian Information Commissioner (OAIC), Big data and privacy: a regulator’s perspective, viewed 26 September 2017.

[10] The Flesch-Kincaid test used to assess the readability of Velocity’s privacy policy can be accessed at The Readability Test Tool.

[11] See paragraphs 1.15-1.32 of the APP Guidelines.

[12] See paragraphs 1.33 and 1.34 of the APP Guidelines.