(a) In addition to following the security requirements of §293.106 of this part, managers of automated personnel records shall establish administrative, technical, physical, and security safeguards for data about individuals in automated records, including input and output documents, reports, punched cards, magnetic tapes, disks, and on-line computer storage. The safeguards must be in writing to comply with the standards on automated data processing physical security issued by the National Bureau of Standards, U.S. Department of Commerce, and, as a minimum, must be sufficient to:
(1) Prevent careless, accidental, or unintentional disclosure, modification, or destruction of identifiable personal data;
(2) Minimize the risk that skilled technicians or knowledgeable persons could improperly obtain access to, modify, or destroy identifiable personnel data;
(3) Prevent casual entry by unskilled persons who have no official reason for access to such data;
(4) Minimize the risk of an unauthorized disclosure where use is made of identifiable personal data in testing of computer programs;
(5) Control the flow of data into, through, and from agency computer operations;
(6) Adequately protect identifiable data from environmental hazards and unnecessary exposure; and
(7) Assure adequate internal audit procedures to comply with these procedures.
(b) The disposal of identifiable personal data in automated files is to be accomplished in such a manner as to make the data unobtainable to unauthorized personnel. Unneeded personal data stored on reusable media such as magnetic tapes and disks must be erased prior to release of the media for reuse.
