The Board has the responsibility for maintaining adequate technical, physical, and security safeguards to prevent unauthorized disclosure or destruction of manual and automatic record systems. These security safeguards shall apply to all systems in which identified personal data are processed or maintained, including all reports and output from such systems that contain identifiable personal information. Such safeguards must be sufficient to prevent negligent, accidental, or unintentional disclosure, modification, or destruction of any personal records or data; must minimize; to the extent practicable, the risk that skilled technicians or knowledgeable persons could improperly obtain access to modify or destroy such records or data; and shall further ensure against such casual entry by unskilled persons without official reasons for access to such records or data.
(a) Manual systems.
(1) Records contained in a system of records as defined in this part may be used, held, or stored only where facilities are adequate to prevent unauthorized access by persons within or outside the Board.
(2) Access to and use of a system of records shall be permitted only to persons whose duties require such access to the information for routine uses or for such other uses as may be provided in this part.
(3) Other than for access by employees or agents of the Board, access to records within a system of records shall be permitted only to the individual to whom the record pertains or upon his or her written request.
(4) The Board shall ensure that all persons whose duties require access to and use of records contained in a system of records are adequately trained to protect the security and privacy of such records.
(5) The disposal and destruction of identifiable personal data records shall be done by shredding and in accordance with rules promulgated by the Archivist of the United States.
(b) Automated systems.
(1) Identifiable personal information may be processed, stored, or maintained by automated data systems only where facilities or conditions are adequate to prevent unauthorized access to such systems in any form.
(2) Access to and use of identifiable personal data associated with automated data systems shall be limited to those persons whose duties require such access. Proper control of personal data in any form associated with automated data systems shall be maintained at all times, including maintenance of accountability records showing disposition of input and output documents.
(3) All persons whose duties require access to processing and maintenance of identifiable personal data and automated systems shall be adequately trained in the security and privacy of personal data.
(4) The disposal and disposition of identifiable personal data and automated systems shall be done by shredding, burning, or, in the case of electronic records, by degaussing or by overwriting with the appropriate security software, in accordance with regulations of the Archivist of the United States or other appropriate authority.