Section 6-B3105. SAFEGUARDING INFORMATION ABOUT INDIVIDUALS  



    3105.1 Controls shall be established in accordance with the following:

     

    (a) The purpose of the controls is to ensure the integrity, security, and confidentiality of personnel records, regardless of form.

     

    (b) The Office of Personnel and each Independent Personnel Authority shall establish and ensure the maintenance of administrative, technical, and physical controls to protect personnel records from unauthorized access, use, modification or disclosure.

     

    (c) Persons whose official duties require access to and use of personnel records are responsible and accountable for safeguarding them and ensuring that the records shall be secured whenever they are not in use or under the direct control of authorized persons.

     

    (d) Personnel records shall be held, processed, or stored only where facilities and conditions are adequate to prevent unauthorized access.

     

    3105.2 Personnel records shall be stored in metal filing cabinets when the records are not in use, or in a secured room. Alternative methods may be employed if they furnish an equivalent or greater degree of security.

     

    3105.3 Subject to the restrictions and conditions set forth in these regulations, the data subject may have access to his or her personnel records.

     

    3105.4 Only employees whose official duties require access shall be allowed to handle and use personnel records.

     

    3105.5 To the extent feasible, entry into the personnel records storage areas shall be limited.

     

    3105.6 Documentation of the removal of records from the storage area shall be kept to ensure--

     

    (a) That adequate control is maintained; and

     

    (b) That removed records are returned on a timely basis.

     

    3105.7 D.C. Government records shall be disposed of and destroyed in accordance with procedures issued by the D.C. Department of General Services.

     

    3105.8 Federal records shall be disposed of in accordance with the procedures of the U.S. General Services Administration.

     

    3105.9 In addition to following the security requirements of this section, managers of automated personnel records shall establish administrative, technical, physical, and security safeguards on data about individuals in automated records reports, punched cards, magnetic tapes, disks, on-line computer storage, and other records maintained under the authority of the Act. The safeguards shall be in writing and, as a minimum, shall be sufficient to accomplish the following:

     

    (a) Prevent careless, accidental, or unintentional disclosure, modification, or destruction of identifiable personal data.

     

    (b) Minimize the risk that skilled technicians or knowledgeable persons could improperly obtain access to, modify, or destroy identifiable personal data.

     

    (c) Prevent casual entry by unskilled persons who have no official reason for access to such data.

     

    (d) Minimize the risk of an unauthorized disclosure where use is made of identifiable personal data in testing of computer programs.

     

    (e) Control the flow of data into, through, and from agency computer operations.

     

    (f) Adequately protect identifiable data from environmental hazards and unnecessary exposure.

     

    (g) Ensure adequate internal audit procedures to comply with these safeguards.

     

    (h) Dispose of identifiable personal data in automated files in such a manner as to make the data unobtainable by unauthorized personnel. Unneeded personal data stored in reusable media such as magnetic tapes and disks shall be erased prior to release of the media for reuse.

     

source

Final Rulemaking published at 28 DCR 4288 (October 2, 1981).