Information Technology and Privacy Security

Investors

Business Partners

Regulators

AOT Employees

Shareholders, Investors, and Securities Analysts

Communities and Societies

Mass Media and Online Media

Importance

The increasing use of digital technology to support service provision, corporate management, and airport operations has made information technology security, stability of use, and protection of privacy increasingly important. This is because, in the event of data leakage, system disruption, or cyber-attacks, stakeholders may suffer damage and lose confidence in AOT. Such events may also violate human rights in relation to personal privacy.

Management Policies and Guidelines

AOT has stipulated the AOT ICT Security Policy, the AOT Cyber Security Policy and the AOT Data Privacy Policy, which comply with the applicable laws, and disseminates these policies to AOT employees and third parties who work for AOT so that they are aware of the importance of maintaining security and privacy in the use of information technology systems. Moreover, AOT regularly conducts risk assessments and system security tests and receives the ICT Security Management System certificate, ISO/IEC 27001:2013.

AOT Information and Communication Technology Security Policy (AOT ICT Security Policy)


The AOT ICT Security Policy focuses on ensuring the Confidentiality, Integrity, and Availability of AOT's ICT systems, covering access to information systems, network systems, operating systems, and software applications. This requires risk monitoring and assessment, which includes the preparation of an emergency plan to ensure the continuous availability of information as in normal circumstances.

These policies are also disclosed to AOT's employees at all levels and to the third parties who work with AOT for acknowledgment and compliance. In addition, the AOT President or an assigned senior executive determines the operational guidelines and supervises, controls, inspects, and gives advice on operations. The policies are reviewed on a regular basis, at least once a year or when necessary. The AOT President is responsible for the risks and damages incurred if the ICT system or information assets of AOT cause damage to the organization or to any person due to non-compliance with the policies.

The goals of AOT's Information and Communication Technology Security Policy


AOT Cyber Security Policy

In 2021, AOT imposed the AOT Cyber Security Policy in order to prevent, cope with, and reduce risks from cyber threats, both from inside and outside the country, that may impact AOT's operations or services and affect the security of the state and economic stability. The AOT Cyber Security Policy is in accordance with the policy and plan on cyber security of the National Cyber Security Committee.


AOT Data Privacy Policy

AOT stipulates the AOT Data Privacy Policy in order to ensure the personal information security of electronic transaction users, covering information on employees, third parties working with AOT, and service users. The policy is reviewed regularly, at least once a year or when a significant change occurs. AOT's President or senior executives are assigned to formulate policies that support operational guidelines as well as supervision, control, inspection and advice. Violating AOT's privacy policy is considered a disciplinary offense under AOT's regulations.

The AOT Data Privacy Policy is consistent with "The Royal Decree Prescribing Rules and Procedures of Electronic Transactions in the Public Sectors B.E. 2549 (2006)", "Notification of the Electronic Transactions Commission on Policy and Practice Guidelines for Personal Data Protection of Government Agencies B.E. 2553 (2010)", "International Principles on the Protection of Personal Data of the Organization for Economic Co-operation and Development: OECD", and "Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data", or OECD Guidelines.


AOT Personal Data Protection Policy

In 2022, AOT stipulated the AOT Data Privacy Policy in order to ensure that AOT can maintain the confidentiality, accuracy, completeness, and availability of personal information and comply with the Personal Data Protection Act B.E. 2562 (2019). The policy covers topics such as the scope of enforcement, definition, personal data collection, rights of personal data subjects, duration of data collection, service provision by third parties or subcontractors, and personal security. It also establishes channels of contact to express opinions, ask for more information, or exercise legal rights.

Additionally, the operation guidelines for personal data controllers of AOT are developed and disseminated to relevant employees, including AOT privacy notices and data protection forms, for public communication.


Information Security and Privacy Management System

AOT has designated the Information and Communication Technology Strategy Department, Digital and Communication Technology Group, to manage information technology and its security. The department also organizes activities in response to AOT's Information and Communication Technology Security Policy, the AOT Data Privacy Policy, and security practices in information and communication technology. The Corporate Strategy Department is the unit responsible for reviewing operational plans every year and reporting the results to the Information and Communication Technology Management Committee, which is chaired by the AOT President.


Featured Activities

PR Media through AOT Staff System

สมส.ฝกท., 9 June B.E. 2565

AOT prepared information security and privacy media and distributed it via the Line@AOT STAFF system to increase AOT employees' awareness of information technology security and privacy. The topics included are:

  • 10 things we need to know about PDPA
  • What are the rights of the data subject in PDPA
  • Who is who in PDPA
  • Things to know about data privacy
  • Processing of employment-related personal data

Training on Information Technology and Privacy

Preparation activities to support the Personal Data Protection Act B.E. 2562 (2019)

In 2022, AOT prepared for the Personal Data Protection Act B.E. 2562 (2019) as follows:

AOT organized training to raise awareness of personal data protection under the Personal Data Protection Act B.E. 2562 (2019) for AOT's executives and employees at the AOT Head Office and the 6 airports under its responsibility. The training also aimed to provide knowledge and understanding of personal data protection laws, the actions needed to comply with the requirements of the law, general necessary measures, and the information security measures that AOT must implement.

Training courses to prepare for implementation and development of information security management system (ISMS)

AOT conducted training to prepare and educate employees on the development of AOT's ISMS. The training also raised awareness of information security through AOT's ICT Security Management System Consultancy Project on the critical infrastructure and support processes of the organizational resources management systems according to the ISO/IEC 27001 Standard. The training consisted of 7 courses as follows:

  1. Development of information security management system and requirements according to ISO/IEC 27001 Standard.
  2. Roles of relevant people in the development of information security management system and requirements according to ISO/IEC 27001 Standard.
  3. Information Security Risk Management.
  4. Information Security Lead Implementer based on ISO/IEC 27001 Standard.
  5. Information Security Management System Auditor/Lead Auditor based on ISO/IEC 27001 Standard.
  6. Raising awareness on information security for AOT executives and employees in all 7 locations namely AOT Head Office, Don Mueang International Airport, Chiang Mai International Airport, Phuket International Airport, Hat Yai International Airport, Mae Fah Luang – Chiang Rai International Airport and Suvarnabhumi Airport.
  7. Raising awareness on personal data protection in accordance with the Personal Data Protection Act B.E. 2562 (2019).

The objective of the training is to educate employees on best practices in managing Information Security Management Systems (ISMS) as outlined in the ISO/IEC 27001:2013 Standard, including laws, regulations and ICT security policies and practices, so that AOT employees can operate properly and appropriately and understand legal issues related to information security along with prevention measures and guidelines.

Management Evaluation

AOT requires its ICT security to be audited by an external independent agency based on ISO/IEC 27001:2013 and continuously monitors the number of complaints received from service users, government agencies and external agencies, including cases of data leakage or loss, and reports this information to the Information and Communication Technology Management Committee, chaired by AOT's Board member, on a quarterly basis. In addition, AOT sets up measures to reduce risks and maintains users' confidence in data security and privacy, and discloses the statistics of operating results in the Sustainable Development Report annually.

Last Updated: August 25, 2023