(a) Student records shall be maintained with appropriate administrative, technical and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.
(b) When maintained in manual form, student records shall be maintained, at a minimum, subject to the following safeguards, or safeguards giving comparable protection:
(1) Areas in which the student records are maintained or regularly used shall be posted with an appropriate warning, stating that access to the records is limited to authorized persons. The warning shall also summarize the requirements of §43.23 and state that employees may be subject to a criminal penalty for the unauthorized disclosure of student records.
(2) During working hours, the area in which the student records are maintained or regularly used shall be occupied by authorized personnel, or access to the student records shall be restricted by their storage in locked metal file cabinets or a locked room.
(3) During nonworking hours, access to the student records shall be restricted by their storage in locked metal file cabinets or a locked room.
(4) Where a locked room is the method of security provided for a system, the educational institution responsible for the system shall, no later than December 31, 1978, supplement that security by:
(i) Providing lockable file cabinets or containers for the student records, or
(ii) Changing the lock or locks for the room so that they may not be opened with a master key. For the purpose of this paragraph, a master is a key which may be used to open rooms other than the room containing student records, unless those rooms are used by officials or employees authorized to have access to the student records.
(c) When maintained in computerized form, student records shall be maintained, at a minimum, subject to safeguards based on those recommended in the National Bureau of Standards' booklet, “Computer Security Guidelines for Implementing the Privacy Act of 1974” (May 30, 1975), and any supplements to it, which are adequate and appropriate to assure the integrity of records in the system.
(d) The education institution responsible for a system of student records shall be responsible for assuring that specific procedures are developed to assure that the student records in the system for which it is responsible are maintained with security meeting the regulations in this section. These procedures shall be in writing and shall be posted or otherwise periodically brought to the attention of employees working with the student records contained in the system.