Nurture your team’s talent

Applications are now open for the coveted Hostplus Hospitality Scholarship, supported by Melbourne Food and Wine Festival, and your business could benefit from a skilled-up superstar on the team.

The scholarship is back for its 5th year and once more offers a deserving up and comer the work-experience opportunity of a lifetime.

The scholarship is open to all Australian residents aged between 22 and 35 working across the full spectrum of the hospitality industry, from makers and bakers to servers and shakers. Hostplus and Melbourne Food and Wine Festival are offering the chance to learn from the best in the business, whatever that business may be, wherever they may be located.

In addition to a personalised, 2-week, international work experience itinerary in 2018, 3 finalists will be invited to participate in an exclusive development day with Hostplus ambassador and acclaimed Melbourne chef, Shane Delia.

Applications close 5pm AEST Friday 4 May 2018.

Click here for more information on the Hostplus Hospitality Scholarship

GMA Future Directions initiative

Following Graeme Carroll’s announcement that he would be retiring from the role of Executive Officer of GMA NSW in late May 2018, the GMA NSW Board has taken the opportunity to review its current administration model regarding the servicing of GMA NSW members. 

In consultation with GMA (national), GMA NSW is now pleased to announce it will be committing to a ‘services agreement’ with GMA, who will now be responsible for delivering on GMA NSW services and programs over the coming 12 months.

As such, GMA has commenced advertising for a part-time ‘GMA – State Operations Manager – NSW’ to deliver on GMA NSW related activities and tasks. This role will be based in Sydney and will be similar in nature to the role previously undertaken by Graeme, as it will continue to work intimately with the GMA NSW Board and members.

GMA – State Operations Manager (NSW) job advertisement

GMA NSW members will notice no change to their benefits in the short term, and both GMA and GMA NSW believe that in time this model will enhance the level of servicing and improve support to the NSW-based membership.

GMA has been working hard on the future directions of our industry over the past 6 months, and we believe this is an important and significant first step in developing an improved nationally driven GMA delivery model, with greater strategic and operational alignment between the national and state body.

GMA would also like to acknowledge the outstanding contribution Graeme Carroll has made over the past 3 years to GMA NSW, with exciting new chapters on the horizon for both Graeme and the GMA industry.

Exclusive iSeekGolf Offer to GMA Members

iSeekGolf (ISG) is Australia’s largest tee times website and the FIRST 10 CLUBS that come on board as new ISG venues will receive an attractive package of additional content FREE OF CHARGE.

We would like to invite your club to consider the benefit of listing tee times for sale on which has close to 70,000 email subscribers and, for the month of March, average close to 12,500 page views per day.

In addition to tee time and voucher sales, is also a respected source of golf news both internationally and locally.

ISG’s digital content leader, Henry Peters, produces local video content and new ISG venues will have access to Henry’s video production services for a full day of filming.

New ISG venues will receive:

  • 1-minute Signature Holes video on a hole of the club’s choosing
    • Published in auto video player on ISG homepage for 4 days and on ISG Facebook page (45,000+ likes), Twitter (1,480 followers) and Instagram (3400+ followers)
    • Within 14 days of publication, Signature Holes videos (on ISG homepage alone) average close to 18,500 video impressions & 7,500 video views
  • 90-second Club feature video
    • Published in an auto video player on ISG homepage for 4 days and ISG social media
  • 6-8 one-minute instructional video tips with your local pro
    • Published on ISG as video articles and ISG social media
    • Within 14 days of publication, iSeekGolf-produced instruction video articles average close to 1,500 page views as articles
  • A collection of 1-2 dozen course photos (if desired) to be published on the club’s ISG club profile page & iSeekGolf’s Facebook (45,000+ likes), Instagram (3400+ followers) and Twitter (1,480 followers) accounts
  • Your club’s Twitter feed embedded within its iSeekGolf club profile page
  • An analysis of your club’s tee times sales & yield

Once published on iSeekGolf, all content will be made available to your club as original files for its own use.

The Genesis Golf Link Cup – GMA Members Leaderboard is on again

Australia’s biggest competition for club golfers rewards the game’s most important administrators with the Genesis Golf Link Cup – GMA Members Leaderboard.

This is your chance to be part of a once in a lifetime weekend, vying for the title of Genesis Golf Link Cup – GMA Members champion at one of Australia’s best courses before enjoying a bucket list day at the Australian Open in the Genesis Marquee.

Luxury car maker Genesis and tournament organiser MPower Golf are always looking to grow the already hugely popular Genesis Golf Link Cup and they know one of the best ways to do that is through the club managers at the nation’s golf clubs.

Not only are GMA members at the forefront of the industry, many are also avid golfers themselves and so the GMA Members Leaderboard was born.

In 2017, the Genesis Golf Link Cup was delighted to host Andrew Davis (now Captain of The National Golf Club) and Chris Anderson, General Manager of Mansfield Golf Club at the luxury VIP Genesis experience and at NSW Golf Club to play off for the GMA title. Chris Anderson won the day with a solid 34 pts at the always challenging venue.

Said Chris, “The organisation of the weekend was faultless, and the experiences were truly amazing. From the golf at NSW GC to the accommodation at the InterContinental Sydney Double Bay, all of the finalists (myself included) thoroughly enjoyed their time and appreciate the effort put in to make the weekend a success.”

Andrew continued “A big thank you for taking care of me so well on the weekend, I can’t tell you how much fun I had”.

And the Genesis Golf Link Cup greatly enjoyed hosting them along with the other finalists.

The Genesis Golf Link Cup is played over two series each year with eight golfers from each series winning their way to the National Final. And you can add two GMA members to that list, one from each series.

To qualify for the National Final GMA members need to do two things: sign up a minimum of 50 new registered players to the Genesis Golf Link Cup over the course of the series then amass the most Genesis Golf Link Cup points in the GMA Leaderboard.

With MPower Golf a sponsor and supporter of the GMA, all GMA Members are already automatically registered in the event.

This means that, just like the club members they represent, all their golf scores are automatically counted in the competition without requiring any input from the golfer. You simply play and the Genesis Golf Link Cup does the rest.

The aim of the Genesis Golf Link Cup is to encourage more golfers to play more golf more often at the golf clubs that are the lifeblood of the industry.

Convincing golfers to sign up for the Genesis Golf Link Cup couldn’t be easier. Once entered, the player doesn’t need to do anything but play their regular competition golf and the unique Genesis Golf Link Cup scoring algorithm does the rest.

But even better, all registered players who play six rounds of golf in a series are also automatically in the draw to win a luxury Genesis vehicle in that series.

Genesis Golf Link Cup scores are calculated using a unique algorithm which plots the golfer’s performance against the field that day.

To be eligible for the National Final simply play a minimum of six rounds with the best five and one worst counting towards your score.

The highest score among the GMA Members who added at least 50 new registrations qualifies in each series.

The National Final includes: expenses-paid trip to Sydney from nearest capital city; accommodation in Sydney; golf at the National Final at a prestigious Sydney course; presentation dinner and Genesis VIP experience at the Australian Open.

Important Links

Genesis Golf Link Cup – Club by Club Leaderboard

Genesis Golf Link Cup – GMA Members Leaderboard

Genesis Golf Link Cup – Team Registration

How we’ll help you qualify for the Genesis Golf Link Cup – GMA Members Leaderboard and the National Final

A range of marketing initiatives supported by the Genesis Golf Link Cup offer GMA members a variety of ways to increase the number of their members registered for the event, ensuring their chance of making the National Final.

Club Leaderboards

Each club has a leaderboard within the Genesis Golf Link Cup. A link to this leaderboard will be provided to all club GMs for their internal promotional use. It can be sent to their club members or highlighted on their websites.

Posters, Countercards

Each year the Genesis Golf Link Cup sends a series of posters and countercards to clubs to promote the event. These can be placed on noticeboards near comp registration or the locker-room and in the proshop. More are available on request.

Registration and Engagement Emails

The Genesis Golf Link Cup will send personalised content to each club to allow them to resend this from their own email systems, congratulating well-performing players and with a link to register. These will be updated monthly.

Teams Event this year

For the first time this year, the Genesis Golf Link Cup offers 4-ball teams an opportunity to play in the National Final, for an added route to this experience. Each series one team will qualify with the two teams playing off at the Final. Entry fee per team is only $120 per series. Interestingly the team scores are aggregated again from the golf played across the Genesis Golf Link Cup program, meaning team members need not play at the same time or even location.

See Team Registration here

Personalised Social Media banners

The Genesis Golf Link Cup produces personalised weekly winners’ images for use on social media, websites and within e-newsletters. These are emailed to GMs.

Club winners – what could you do?

Given this is a national event run over two 15-week series each year with no additional work required by the club, how could the club take advantage of an opportunity to connect with its members? At present on average over a quarter of each club’s membership is participating. The nature of the event is that the players that do best are the most improved and most consistent players over the period of a series; could clubs have a presentation to the winning players at the end of each series?

Genesis Golf Link Cup Open Days

Would you like to host a corporate day in conjunction with the Genesis Golf Link Cup? As an addition to the event this year MPower Golf is looking to provide premium golf experiences to Genesis Golf Link Cup players looking for an Open Day. We’ll provide the event structure, supporting materials and run registrations through, and your club gains a busy corporate day. (Note to avoid confusion, the Genesis Golf Link Cup runs across all golf played by members, not just those at organised events such as these Open Days). Contact Nick Thornton GM at MPower Golf if interested.

EOI NOW OPEN: FAM & Professional Development Tour

CGE Golf, through its partnership with GMA, is delighted to announce that ‘Expressions of Interest’ are now open for the GMA/CGE 2018 FAM & Professional Development Tour to China’s Hainan Island.

With just 10 places available, GMA members keen to attend the FAM and PD Tour are asked to express their interest in attending by putting together a brief submission (no more than two pages) as to why you (and your Club) should be selected to attend the tour.  Submissions should also include what you are looking to achieve by attending the tour, including the possible learning outcomes for you, and the benefits that could be applied to your club.

Submissions need to be sent to GMA Executive Officer, Jim Cail, at, no later than Friday, 4th May 2018.

(Should there be more ‘EOI’ than potential tour positions, a decision of successful applicants will be made by a committee made up of CGE and GMA board representatives). 

Participants will be required to arrange and pay for their own flights and organise their Visa for travel to China, with CGE Golf providing all necessary documentation and any application support ($109.50 for a single-entry trip).  Participants will need to arrive in Haikou on the 2nd September and depart Haikou on the 8th September.  CGE would be happy to advise flight options and introduce participants to CGE’s Flight Centre agent if help is needed.  (While accommodation, golf, transfer costs are all included in the experience, some further spending money around meals will be required).

For further information in relation to the GMA/CGE FAM & Professional Development Tour please contact Kevin or Steve at

2018 GMA/CGE – FAM & Professional Development Tour summary:

The 2018 FAM & PD Tour is scheduled from 2nd to 8th September 2018.

The trip takes GMA members to two great venues – Mission Hills Haikou, the world’s largest golf resort and Sheraton/Dunes Shenzhou Peninsula, site of some spectacular golf.

While there are plenty of opportunities for golf to be played, specific professional development components of the trip include:

  • Resort management
  • The review of food and beverage activities
  • A behind the scenes look at Golf operations
  • Understanding organisational aspects of such tours
  • Developing ideas for your own member tours, which clearly assist in member retention.
  • Experience firsthand the long-term camaraderie and networking opportunities that are developed as a result of group tours

You will be introduced to senior hotel and golf managers, inspect facilities and meet management of other hospitality providers to give you a broad experience.  If you would like to review the testimonials of those managers who enjoyed the 2017 PD tour, simply request a copy via email to

Previous attendee –  

Kevin, the China FAM trip organised by you and the team at CGE Golf was outstanding, the attention to detail in coordinating the trip and all the extra activities we undertook was fantastic. The welcome we received and the way we were looked after by the staff at both Mission Hills and the Sheraton Shenzhou was something special. I would definitely recommend a visit to both resorts and the way that CGE Golf coordinated everything for us meant that every little detail of our trip went smoothly. Once again thank you for your efforts.

Mark Tan
General Manager,  Mt Osmond Golf Club Inc.

EO’s report – CMAA Conference

Report by Jim Cail (Executive Officer, GMA)

During the first week of March, I was lucky enough to travel to San Francisco for the ‘Club Managers Association of America’ National Conference.  With GMA running its first BMI Program in October this year, touching base with our American counterparts to ensure alignment between our programs was an important outcome of the trip.

Further to these discussions was the opportunity to experience firsthand the CMAA National Conference, as part of the planning process for the GMA National Conference to be held in Melbourne in October 2019.  (I unfortunately hadn’t started in the role when the last GMA National Conference was held in Adelaide in 2017).

The CMAA National Conference involves over 2,000 Club Managers from the USA, with the large majority of these coming from private golf clubs.  In addition to this, there are regularly 200 international delegates involved, with this year seven golf club General Managers from Australia also in attendance. 

The conference itself is on a significant scale, as you could imagine, with plenary sessions and breakout sessions available on each of the five days, along with a large Golf Club Expo for corporate partners.  If you are interested in seeing what the program was like, please click on the following link –

CMAA National Conference highlights included:

  • Isaac Lidsky – a former TV star turned $150m business owner, who has overcome adversity including turning blind at the age of 15.  His key message was ‘what you see is based on your perception’.  If your perception of an issue is negative, this may create fear.  He said ‘fear will fill the void of uncertainty, and fear will create inaction’.  Creating a positive perception of issues will assist with creating action and opportunity.
  • Steven Freund – a former GM of ‘The Ritz-Carlton Lodge, Reynolds Plantation’ and now the General Manager of The Landings Club in Georgia.  (This facility has six championship golf courses, 33 tennis courts, seven restaurants….you get the picture).  Steven spoke about restructuring the culture of The Landings Club when he arrived.  He achieved this by taking on the role of not only GM, but “Chief Cultural Officer”.  His views included “the organisation will never be what the people are not” and “the gap between knowing and doing is significantly greater than the gap between ignorance and knowledge”.
  • Curt Cronin – a former Navy SEAL spoke about the strategy of leadership and maximising a team’s effectiveness.  He spoke about ensuring your team know you care about them as individuals with his key message around “people don’t care how much you know, until they know how much you care”.  He also spoke about the energy within a group, and that “energy used in conflict is lost, but energy used in alignment is maintained”.

While the content of the conference no doubt provides many learnings, the ability to network with GMs from across the world and discuss challenges and opportunities is also a great highlight.  For those interested, next year’s CMAA National Conference will be held in Nashville, TN, in the last week of February 2019.

GMA will again look to incorporate the best of the CMAA conference into our next national conference, and will continue to support the outstanding work state GMA bodies undertake to support selected members attending the CMAA conference from time to time.

BMI Update

GMA, in partnership with Golf Australia, is pleased to announce the confirmation of two BMI courses scheduled for this year.  The course dates will be as follows:

  • Melbourne – 15th to 19th October 2018
  • Sydney – 22nd to 26th October 2018

We have now had over 40 members expressing interest in attending these courses, however confirmation that both courses will proceed will be based upon final registrations, so those who may be interstate, please do not book flights yet.  Given it is a week-long activity, we are advising of the dates as early as possible to allow you to block out these weeks in your diary. 

Registrations for the BMI will open in April, with indicative costs being around $1,900 (ex. GST) per person, which will include all meals and course costs.  (Travel and accommodation, if required, will be additional, with non-GMA member registration rates being higher). 

Additional information around the BMI will be communicated in coming months, however if you have any questions in the meantime, please feel free to email Jim Cail at

Security Update – MSL Information Security (Part 2)

Information system security (cybersecurity) is a very real issue for organisations dependent on information technology for their business operations. Clubs hold private information about members within the various systems they use for their operations, such as membership management, POS, gaming or golf operations. This is part two of a two-part paper designed to increase cybersecurity awareness within clubs.

Part 1 discusses:

  1. Amendments to the Privacy Act that came into effect 22 Feb 2018, also known as the Notifiable Breach Scheme
  2. MSL security activities for better product and data security

Part 2 discusses:

  1. Advice for clubs to better manage their data; and
  2. Common threats

Part 2

In Part 1 we covered data breaches: the exposure of Personally Identifiable Information (PII) to an unauthorised entity or person, whether accidental or deliberate.

Part 2 of this series on cybersecurity focuses on types of external threats and recommendations on minimising those threats. We discuss ways in which clubs can minimise the risk of an exposure occurring and go into more depth on the different types of threats.

IT systems should never be considered 100% secure. Statistically, they will be hacked at some point in their lifecycle. IT vendors such as MSL can only put in measures and practices that minimise the chance of a hack occurring or accidental exposure through product use.

As part of the MSL Information Security Framework for hosted and internal data management practices, we have adopted a defensive posture in relation to cybersecurity. This means that we plan for the worst in relation to data security and assume that at some stage one of our cloud products will be hacked.

This stance led us to the development of the MSL Information Security framework based on an ISO 27001 standard as follows:

The process is a continuous improvement cycle that allows MSL to refine and implement security practices as we become aware of risks. The process ensures that we have a defensive posture and that we methodically implement security controls from a risk perspective.

Good data management practices

From a club’s perspective, there are some practices that MSL recommends to minimise your risk of a data breach. The suggestions below are not exhaustive, but should be enough for club managers to consider good practices for data management:

  • Restrict access to critical systems to only those who require it
  • Have unique accounts (user IDs) for staff instead of shared IDs
  • Require strong passwords for workstations and systems
  • Ensure you have nightly full backups of all databases. Consider having these backups offsite or on a separate device to the main server
  • Train staff on security awareness, particularly phishing attacks (see below)
  • Ensure IT admin is patching all your computers regularly
  • Ensure you have current anti-virus software
  • If members are sharing your Wi-Fi with your business, ensure adequate security is in place to segregate use

In any implementation of a security control you need to consider it in the context of your business, the sensitivity of the data and the risk. For your business it may not be appropriate to put in high security controls to the point where they impede your business while the risk of exposure is low. It’s important that Club Managers and IT admins understand the trade-off decisions they make when implementing these controls.

Types of threats

  • Web Compromise: Web compromise refers to an attack launched by a threat actor on the web front-end and web-enabled services that typically results in unauthorised access, disclosure of information, or unauthorised modification of information. In some cases, exploitation of attack vectors could also impact the availability of systems.
  • Phishing: Phishing is a form of social engineering attack whereby a threat actor sends an email to a systems administrator, database administrator, or user that appears to be from a trusted individual. A phishing email will seem legitimate, and have some urgency to it (e.g. helpdesk has tracked some suspicious activity with the user account). Such emails will also typically request a user to open a malicious attachment or click on a malicious link. When the targeted user opens the attachment, a malicious payload is executed, and the user’s machine is infected with malware. Alternatively, when a target user clicks on a malicious link, the user is redirected to a legitimate-looking website that requests user credentials to access a file or folder, except the website captures the credentials of unsuspecting users.
  • Ransomware: Ransomware is a form of malicious software that commonly threatens to perpetually block access to a victim’s system(s) or data unless a ransom is paid. Threat actors could utilise a number of attack methods to compromise users’ workstations and deploy ransomware.
  • Distributed Denial of Service (DDoS): A Denial of Service (DoS) attack refers to a cyber-attack that attempts to make an online service unavailable to legitimate users. This is achieved by interrupting or overloading the services of server or computing resources with superfluous requests. A DDoS attack refers to a DoS attack that is coordinated and originates from multiple compromised resources.
  • Internal threats: Those that come from staff, contractors or others with access to the club’s internal systems. This may involve staff inadvertently or deliberately accessing information without authority or legitimacy.

Over the last two years, a number of MSL customers have had ransomware attacks that caused significant business disruption and costs to restore services. Unfortunately, some clubs have paid the ransom to recover their systems.

When we helped with recovery, we found that some clubs did not have a recent backup, which meant that recovery was sub-optimal and took longer than otherwise necessary.

We strongly recommend customers engage a professional IT admin who can implement security controls, effective backups and anti-virus to minimise the risk of being attacked.

In summary, the operation of your business depends on your IT systems and infrastructure. The implementation of security measures suited to your business will not only provide protection for your business, it will also give your members peace of mind and assist with legislation compliance.

The information contained in this article is for general information purposes only. The information provided by MSL is based on our interpretations of legislation and security practices. We make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the article. Any reliance you place on such information is therefore strictly at your own risk.

Security Update – MSL Information Security (Part 1)

Information system security (Cybersecurity) is a very real issue for organisations dependent on information technology for their business operations. Clubs hold private information about members within various systems they use for their operations such as membership management, POS, gaming or golf operations.

This is part one of a two-part paper designed to increase cybersecurity awareness within clubs.

Part 1 discusses:

  1. Amendments to the Privacy Act that came into effect 22 Feb 2018, also known as the Notifiable Breach Scheme
  2. MSL security activities for better product and data security

Part 2 discusses:

  1. Advice for clubs to better manage their data; and
  2. Common threats

Part 1

The Notifiable Breach Scheme came into effect 22 Feb 2018 and is part of the Privacy Amendment Act 2017. This change to legislation applies to software vendors (such as MSL) and clubs in the instance where information that personally identifies an individual is processed and stored. For clubs, this is data about members such as residential address, phone numbers, email addresses and even IP address. It also includes transactional data such as member purchases and other activities members do within a club where data is collected. All of this constitutes personally identifiable information (PII).  Some of the data is sensitive and if in the wrong hands could lead to embarrassment to the member, reputational loss for the club and MSL, or worse yet identity theft or other forms of crime.

The Australian government has introduced this legislation to make organisations who manage PII accountable for its legal use and safe storage. MSL, which provides products that manage, store and process PII as defined under the legislation, is an ‘eligible entity’. Clubs as owners of the data are also in this category.

For more information on the scheme please refer to

This article is distributed to all MSL customers to provide some awareness of the legislation, how it affects clubs, the requirements of the act and how MSL has approached its compliance obligations.

We strongly recommend that clubs review their compliance obligations with their legal advisers independently. 

The Office of the Australian Information Commissioner defines a data breach as follows (MSL has provided club contextual examples, shown here as the indented sub-points):

An eligible data breach arises when the following three criteria are satisfied:

  1. There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
  • Unauthorised access of personal information occurs when personal information that an entity holds is accessed by someone who is not permitted to have access. This includes unauthorised access by an employee of the entity, or an independent contractor, as well as unauthorised access by an external third party (such as by hacking).
    • A club staff member accesses a member record such as member purchase history on POS with no legitimate reason to do so.
    • An unauthorised third party has gained access to member details (name, addresses and phone numbers)
  • Unauthorised disclosure occurs when an entity, whether intentionally or unintentionally, makes personal information accessible or visible to others outside the entity, and releases that information from its effective control in a way that is not permitted by the Privacy Act. This includes an unauthorised disclosure by an employee of the entity.
    • A club staff member exports a list of members containing PII and inadvertently emails it to an unauthorised recipient or publishes it on the club website
    • A club staff member discloses PII related to a club member to another member without authorisation from the first member
  • Loss refers to the accidental or inadvertent loss of personal information held by an entity, in circumstances where it is likely to result in unauthorised access or disclosure.
    • A club staff member exports a list of members and saves it to a USB key which is then lost in the public domain
    • A club disposes of old computer hardware containing member PII, without first removing the data or destroying the hard drive.

Most people when they consider cybersecurity naturally assume that it’s an external entity (a hacker) that presents the risk but do not look inside the organisation for potential risks of data exposure. Club staff and contractors represent a risk as well and clubs should review their internal security controls and ensure that access to PII is restricted to only those people who require it. Your computers and software running on them should be treated in the same way as your car. You wouldn’t let anyone drive your car or look inside the bonnet without first knowing who they were and what they were doing. The same security approach needs to be applied to computers.

Before going further, it is important to distinguish two ways in which MSL delivers its products to clubs.

  • In a hosted model (aka cloud) we provide a range of products, such as websites, member portals and various business management applications; or
  • On-premise applications such as membership management and POS, which are installed in a club-controlled environment, generally on-site at the club.

If a breach of PII data was to occur in our cloud products, MSL will follow its internal data breach processes and follow the requirements of the regulation as described below.

However, if the breach occurs in an on-premise environment controlled by the club, MSL would not necessarily know that such a breach has occurred and would rely on being notified by the club before any investigation or product review could occur.

In either case the next steps remain the same for both MSL and clubs. The legislation is not prescriptive about when a breach must be notified to any or all of individuals, the Privacy Commissioner, or police; it leaves the decision making to the entity, in this case the club. The guidance from the Privacy Commissioner refers to ‘assess the risk of serious harm holistically’. ‘Serious harm’ is not defined in the act either, so it becomes an internal assessment by the entity to decide, based on the information available, whether or not to make a notification. The OAIC has provided a good guide here on making these assessments and the process as a whole. The act does not specify when a notification should occur but suggests it should be timely, the intent being to allow an affected individual to take remedial action as soon as possible. Following are some examples of the types of breaches and possible appropriate responses:

  • where an email is inadvertently sent to an unauthorised individual containing PII, the club could request for that individual to delete the email and no further action is required.
  • if the data has been hacked or is now in the public domain, and it contains, for example, member purchases or playing history, it would be the club’s decision to determine if any notification were to occur and to whom.

Furthermore MSL can provide advice to clubs on the sensitivity of the data and potential impacts of its use. Clubs should then decide whether to notify members in accordance with the legislation.

For hosted products, MSL will engage experts to understand how the breach occurred and to put in place measures to prevent a recurrence. In some cases MSL may notify the Privacy Commissioner or police if warranted; in such circumstances MSL will advise affected clubs.

For on-premises products, infrastructure and network security is the responsibility of the club.

We strongly recommend that clubs seek further advice from privacy experts on their obligations under the act. MSL is not providing any legal advice in this paper and the opinions represented in it are just that.

For more information regarding the circumstances on when to notify members please refer to


MSL Security Activities

What has MSL been doing?

MSL takes data security very seriously. Throughout the course of 2017, MSL has been working to determine applicable product vulnerabilities and secure our databases which hold personally identifiable information (PII). This is an extensive exercise and will be ongoing due to new legislation, technologies and threats, and new data we collect as our products are enhanced.

MSL is committed to safeguarding this information and minimising the risk of applicable data being exposed, and to changing our internal culture and procedures for data management. As part of this process, we will also take our customers on this journey and make them aware of better security and data management practices.

Specifically, we have implemented the following activities:

Security Assessment – MSL engaged an external security firm to review our internal security controls and practices with the view to identifying areas where we could improve our processes from a security perspective to ensure that data was protected. Those outcomes are now being implemented.

Information Security Framework – MSL have implemented an information security framework that sets out policies and procedures for our staff to follow to protect our internal systems, products and managed data.

Vulnerability Testing – MSL have engaged expert testing firms to test our products from a security perspective to identify any potential vulnerabilities that our developers can address. The testing scope has been limited to those products we centrally manage so far. As part of this project, in the coming months we will start assessing those products that are installed on premise in the club, such as membership and POS products.

Facilities Security – All MSL offices have restricted access, so that only staff can enter. Servers running cloud products are all in highly secure data centres managed by certified providers. All identifiable data is stored at an Australian location and is compliant with local legislation.

Data Management – MSL has enacted an internal process for handling PII data. Staff have been provided with a restricted environment where they can work on applicable data for support purposes or when we are migrating data from one product to another. No work is performed on club data without the club’s express authority. Hence you may have noticed in the last six months that clubs have been requested to authorise use prior to completing these activities.

What about integrators and data sharing?

Within the club industry there are a vast number of application and service providers that rely on membership data. MSL provides an integration platform that facilitates the sharing of information with other providers as authorised by the club. However, from a compliance and security management perspective, once PII data is accessed by an authorised third-party product it is no longer under MSL’s control. In 2018 MSL will be updating agreements with third parties to reflect higher data and security management requirements. However, clubs need to be aware of which providers they have authorised to access the club’s PII data, and have separate agreements in place with those providers to ensure compliance with privacy legislation.

MSL’s agreement with authorised providers will only be related to provision of data under authority of the club. MSL will not accept any responsibility for breach of that provider’s product.

Clubs should be aware of where their data is being stored and what jurisdiction governs it. Some products that clubs use, particularly those provided via the cloud, may store their data off-shore and in countries with lower data protection standards. Our recommendation is that before using any of these products, clubs should assess what data these products will store and its sensitivity, the provider’s security statements and where the data is stored.

MSL is continuously reviewing product security as new information becomes available and we will provide regular security updates as appropriate.

PCI Compliance for on-premise applications:

Clubs should be aware that for on-premise applications, the club is largely responsible for PCI compliance. The following are broad requirements that clubs should adopt to remain compliant:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know. Assign a unique ID to each person with computer access. Restrict physical access to cardholder data.
  8. Track and monitor all access to network resources and cardholder data.
  9. Regularly test security systems and processes.
  10. Maintain a policy that addresses information security.

Clubs should note that MSL software provides compliance with requirements 3 and 6, as these are requirements which MSL can control. The other requirements for on-premise applications are the responsibility of the club and your network or IT admin should be able to help you with assessing and achieving compliance.

Further information on PCI can be found here:


MSL is committed to protecting club and member data and has invested heavily in securing our products and the data we manage. Security is a joint effort, and clubs should be conscious of their own security controls and processes and of their requirements under legislation. MSL will regularly provide updates on security awareness and as new threats are identified. We strongly recommend that now is an opportune time to review your current security settings, not only for software products but also for physical access to your workstations and servers and the overall network that you have.

The information contained in this article is for general information purposes only. We make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to this article. Any reliance you place on such information is therefore strictly at your own risk.