Collection, Storage and Destruction of Credit Card Details Policy
For Use by all Ballarat Tennis Club Staff and Committee
- Application of Policy
- Collection of Credit Card Details
- Storage of Credit Card Details
- Destruction of Credit Card Details
- For further information
- Obligations of Staff
- Disciplinary Action
- Change of Policy
- Privacy Legislation
- Further Information and Assistance
Ballarat Tennis Club values the privacy of credit card information and is committed to protecting the credit card details it holds and uses.
This policy outlines how Ballarat Tennis Club intends to collect, store and destroy credit card details.
The policy is based on the following principles:
- Ballarat Tennis Club must take reasonable steps to protect the credit card details it holds from misuse and loss and from unauthorised access, modifications and disclosure.
- It is a necessary condition for Ballarat Tennis Club to provide credit card facilities to individuals for the payment of services and goods provided by Ballarat Tennis Club.
Ballarat Tennis Club may consider the following matters when adopting reasonable steps to protect the credit card information it holds:
- The sensitivity of credit card details and an individual’s expectations that this information will be protected from misuse and loss and from unauthorised access, modifications and disclosure;
- The harm likely to result if there is a breach of security; and
- The form in which the information is stored (eg on paper or electronically) processed and transmitted.
All Ballarat Tennis Club committee and staff.
1.0 Application of Policy
This policy is designed to deal with situations where a person provides details of their credit card to Ballarat Tennis Club. The policy is also designed to ensure that Ballarat Tennis Club will store and destroy credit card details in a manner which protects the credit card details from:
- unauthorised access;
- unauthorised modification; and
- unauthorised disclosure.
2.0 Collection of Credit Card Details
Ballarat Tennis Club is committed to ensuring that credit card details are collected in a secure manner. Ballarat Tennis Club will take reasonable steps to protect the credit card details it holds from misuse and loss and from unauthorised access, modifications and disclosure during collection by adopting the following practices:
- preventing individuals from providing credit card details in an email;
- only collecting credit card details in an appropriate environment, for example not requesting credit card details verbally in a public waiting room; and
- ensuring that when credit card details are collected via facsimile, the facsimile is placed in a secure location.
3.0 Storage of Credit Card Details
3.1 Ballarat Tennis Club is committed to ensuring that credit card details are held securely. Ballarat Tennis Club will take reasonable steps to protect the credit card details it holds from misuse and loss and from unauthorised access, modifications and disclosure by adopting the following practices:
- ensuring that credit card details are stored in a secure and protected manner such as locked filing cabinets;
- where possible, removing any credit card details from Ballarat Tennis Club networked computers;
- ensuring that EFPTOS machines and other devices used to collect credit card details are stored securely, particularly when they are not in use (eg overnight);
- ensuring that appropriate staff only have access to credit card details; and
- ensuring information is transferred securely (for example, not transmitting credit card details via e-mail).
3.2 Credit card details may be stored in hard copy documents. If credit card details are stored as electronic data appropriate security measures must be utilised. Some of the ways Ballarat Tennis Club seeks to protect credit card details include the following:
- confidentiality requirements on the use of information by Ballarat Tennis Club’s employees;
- policies on document storage and security;
- security measures for access to Ballarat Tennis Club;
- controlling access to Ballarat Tennis Club;
- web site protection measures.
3.3 Credit Card details are required to be stored onsite or in an easily accessible location for 12 months for charge back purposes. After 12 months, credit card details may be moved offsite providing the credit card details are stored in a secure location.
3.4 Credit card details must be stored for the length of time prescribed by the Records Disposal Authority.
4.0 Destruction of Credit Card Details
Credit card details will be destroyed in a secure manner when they are no longer needed by Ballarat Tennis Club. Examples of destruction in a secure manner include shredding, pulping or disintegration of paper files, fire, and confidential disposal in accordance with any guidelines provided by Records & Archives, encryption or scrubbing of credit card number or contracting an authorised disposal company for secure disposal.
5.0 For Further Information
For further information about this policy please contact:
P O Box 1058
Ballarat Mail Centre
Telephone: (03) 53335755
6.0 Obligations of Staff
If a staff member or committee member collects credit card details on Ballarat Tennis Club’s behalf, the staff member must meet the relevant requirements of this policy in relation to the storage of credit card details.
7.0 Disciplinary Action
Breach of this policy
If a staff member or committee member breaches this policy, depending on the circumstances it may be regarded as misconduct or poor performance.
8.0 Change of Policy
Ballarat Tennis Club may change this policy from time to time without prior notice.
Relevant Australian legislation, policies & associated documentation
9.0 Privacy Legislation
- Information Privacy Act 2000 (Vic)
- Health Records Act 2001 (Vic)
- Freedom of Information Act 1982 (Vic)
- Electronic Transactions (Victoria) Act 2000
10.0 Further Information and Assistance
Adherence to this policy will generally ensure compliance with Ballarat Tennis Club requirements and relevant legislation. However, there may be instances where inadvertent breaches could occur. When in doubt users requiring assistance with interpretation of the policy, or who wish to report an incident, should contact:
- The Privacy Officer on (03) 53335755
Operative from first full pay period to commence on or after 1st July 2010