(a) Statutory requirement. The Privacy Act requires that records subject to the Act be maintained with appropriate administrative, technical and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained, 5 U.S.C. 552a(e)(10).
(b) Records maintained in manual form. When maintained in manual form, records subject to the Privacy Act shall be maintained, at a minimum, subject to the following safeguards, or safeguards affording comparable protection:
(1) Areas in which the records are maintained or regularly used shall be posted with an appropriate warning stating that access to the records is limited to authorized persons. The warning shall also summarize the requirements of § 700.265 and state that the Privacy Act contains a criminal penalty for the unauthorized disclosure of records to which it applies.
(2) During working hours,
(i) the area in which the records are maintained or regularly used shall be occupied by authorized personnel or
(ii) access to the records shall be restricted by their storage in locked metal file cabinets or a locked room.
(3) During non-working hours, access to the records shall be restricted by their storage in locked metal file cabinets or a locked room.
(c) Records maintained in computerized form. When maintained in computerized form, records subject to the Privacy Act shall be maintained, at a minimum, subject to safeguards based on those recommended in the National Bureau of Standards booklet “Computer Security Guidelines for Implementing the Privacy Act of 1974” (May 30, 1975), and any supplements thereto, which are adequate and appropriate to assuring the integrity of records in the system.
(d) Civil Service Commission personnel records. A system of records made up of Civil Service Commission personnel records shall be maintained under the security requirements set out in 5 CFR 293.108.