20 January 2010

The Privacy Officer

Qantas Customer Care
Qantas Airways Limited
Level 9, Building B
203 Coward Street
Mascot NSW 2020
via email frequent_flyer@qantas.com.au

Dear Sir or Madam,

Re: Qantas Frequent Flyer membership number

Privacy access request and complaint

I am writing to you today for two reasons:

 To seek access to all personal information Qantas Airways Limited (Qantas) and all related
bodies corporate hold on me and
 To make a complaint about the security of the personal information I have provided to
Qantas as part of the Qantas Frequent Flyer (QFF) program.

You may respond to the two items separately if this is more suitable to you.

Request for access to all personal information

Please supply me with a copy of all personal and health information which Qantas may hold on me.
It is my preference to receive this information in electronic form (all commonly used formats and
media are acceptable to me).

If you wish to clarify something about my letter, or make suggestions regarding the scope of my
request, please write to me at the address shown above.

Your response
It would be appreciated if you could respond within 30 days from the receipt of this letter by you.
This timeframe is in accordance with guidelines set by the Office of the Federal
Privacy Commissioner.

Note that if you are posting such material it may be appropriate that you do this via Registered Post
given that there may be a large amount of material and that sensitive information may be part of
what you release and that all of this has greater potential for getting lost via ordinary post.
Complaint about the security of personal information held by Qantas
On two occasions I have noticed that someone has been changing the “IDD Country” for one of the
entries listed under “Phone Contacts” in my QFF profile.

Whilst I don’t recall the exact time, I would guess over a year ago, I noticed that someone had
changed “Macedonia” to “Greece”. I thought that this was strange but accepted that it may have
been some computer system anomaly. I corrected this entry back to what it should have been.

As I have recently been considering some travel, I thought to verify that all of the QFF profile contact
information was correct. Today I logged in to my QFF account and, to my shock, again I found that
“Macedonia” had been changed “Greece”, but not by me. I again corrected this.

To exemplify, this is what I saw when I logged in today (I have redacted the telephone numbers):

This is how my personal information appeared after I applied the correction:

It is especially concerning that Macedonia has been changed to Greece, considering that there is an
ongoing name dispute between the two countries. This is not the place to discuss the politics of such
issues – more information is readily available should this be of interest to you. It is, however,
relevant to say that Greece considers that it has rights to the name and that one of the commonly
used slogans by Greeks is “Macedonia is Greece”. The change to the “IDD Country” in my profile is
deeply concerning given the name dispute.

For the record, I am of Macedonian descent.

I have a duty to provide you with my current contact information and you have a duty to protect
that information. I expect that you might use that information for safety and security relating to any
flights I may have booked with you – and if I am in Macedonia I would expect that you would contact
me on my Macedonian telephone number. Of course, you can’t do that if you don’t hold the correct
details.

Given that the change from Macedonia to Greece has now occurred on two separate occasions I am
concerned that you may have a rogue employee who is accessing my records without proper
purpose – accessing my contact information which includes email address and residential address.

I am further concerned that you may have an employee who is making modifications to my personal
information – modifications which might place me at risk in the event of any issue occurring whilst
travelling. As detailed earlier, these changes could be politically motivated.

The above suggests to me that you have not taken proper steps to protect my personal information
from misuse, unauthorised access and modification. This has caused me distress.

Resolution of this issue

I am seeking that you:

 Thoroughly investigate my complaint and confirm, in writing, that you have done so.
 Detail to me when and how the changes to my contact information were made.
 Detail what steps you have taken to prevent a repeat of such changes to my QFF profile.
 Detail to me the steps you have taken to prevent employees from accessing my QFF without
proper authority and purpose.
 Apologise to me for distress this matter has caused.
 Provide your considered reply within thirty days from receipt of this letter.
o This timeframe is in accordance with guidelines set by the Office of the Federal
Privacy Commissioner.

Any questions about this matter should be addressed to me in writing. You should also be aware
that whether I pursue this matter further will be largely dependent on whether I consider you have
properly handled every aspect of this complaint.

Yours sincerely,