Information Security Policy


This policy document sets out the requirements and responsibilities of all employees and contractors engaged by Northern College of Acupuncture (The College) regarding the handling of information/data in the form of documents, computer systems, email or websites relating to the processing of credit and debit card payments.

(Please also refer to the data protection policy).

Review Schedule

This policy is to be reviewed annually to ensure it remains accurate, appropriate and effective.

Customer information

A customer in the context of the College is a student, patient, client, staff member, or participant in a seminar. No person employed or contracted by The College is permitted to pass customer details, including name, address, telephone number or email address, to third parties outside The College except where it is necessary to do so for delivery or debt collection purposes.

No person employed or contracted by The College shall record, photocopy, email or fax a customer’s credit/debit card number, PIN or security code, except for the production of the vendor copy of the credit/debit card transaction receipt, which must be handled in accordance with this policy.

No person employed or contracted by The College shall divulge a customer’s credit card or bank details to a third party except where it is necessary to do so for debt collection or fraud investigation purposes.

Document handling and storage

All printed documents containing customers’ credit/debit card information, such as the vendor copy of card transactions, shall remain on College premises at all times except where it is necessary to transport the documents to the contracted accountants’/auditors’ office, which must be done in accordance with this policy.

Except when being worked upon, all printed documents containing customers’ credit/debit card information, such as the vendor copy of card transactions, shall be stored in a secure location until they are no longer required, at which point they must be destroyed by cross-cut shredding or incineration.

Document transport

Where it becomes necessary to transport documents containing customers’ credit/debit card information, such as the vendor copy of card transactions, these documents must be transported in a secure manner, either personally or by use of an approved carrier with appropriate tracking facilities.

Computer access

All computer systems shall have password protection to restrict access to people employed or contracted by The College in execution of their duty. Passwords must not be divulged to third parties without the express permission of the Principal.

Access to websites for the purpose of processing customers’ orders and payments shall be restricted and controlled by strong passwords containing a mixture of uppercase and lowercase characters, numbers and keyboard symbols that are neither numbers nor letters. Such passwords should be at least 8 characters in length, not contain the user name, real name or company name and, when changed, be significantly different from the previous passwords.
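A checker that applies the password rules above, added here as an illustration; it is not part of the College’s policy or of any system the College uses. The 0.6 similarity ratio used to judge "significantly different" and the three-character minimum for a name fragment are assumptions, as are the sample names in the comments.

```python
import difflib
import string

# Policy minimum length (the policy states at least 8).
MIN_LENGTH = 8
# "Symbols found on the keyboard not defined as numbers or letters".
SYMBOLS = set(string.punctuation)
# Assumed threshold: a new password at or above this similarity ratio to an
# old one is treated as not "significantly different".
SIMILARITY_LIMIT = 0.6


def _forbidden_fragment(password, names):
    """Return the first name fragment (assumed: 3+ chars) found in the password."""
    pw = password.lower()
    for name in names:
        for part in name.lower().split():
            if len(part) >= 3 and part in pw:
                return part
    return None


def check_password(password, user_name, real_name, company_name, previous=()):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SYMBOLS for c in password):
        problems.append("no keyboard symbol")
    hit = _forbidden_fragment(password, [user_name, real_name, company_name])
    if hit:
        problems.append(f"contains a forbidden name fragment: {hit!r}")
    for old in previous:
        ratio = difflib.SequenceMatcher(None, password.lower(), old.lower()).ratio()
        if ratio >= SIMILARITY_LIMIT:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample: user "jsmith", real name "Jane Smith".
    names = ("jsmith", "Jane Smith", "Northern College of Acupuncture")
    print(check_password("College#2017", *names))
    print(check_password("Correct-Horse7", *names))
```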

When employees or contractors leave the College all passwords they have used to access systems and websites containing customer information shall be changed to prevent unauthorised access.

College Information

No person employed or contracted by The College shall divulge to third parties, any information about The College’s customers, orders, financial standing, turnover or performance, except with the express permission of the Principal. 

Contractors

All contractors and service providers shall be approved by the Principal and must adhere to this policy as if they were employed by The College.

Date of policy: May 2017
Reviewed by: Resources Committee
Next review: May 2020 (unless there is a need to update for GDPR)