5 CFR 293.106 - Safeguarding information about individuals.
(a) To ensure the security and confidentiality of personnel records, in whatever form, each agency shall establish administrative, technical, and physical controls to protect information in personnel records from unauthorized access, use, modification, destruction, or disclosure. As a minimum, these controls shall require that all persons whose official duties require access to and use of personnel records be responsible and accountable for safeguarding those records and for ensuring that the records are secured whenever they are not in use or under the direct control of authorized persons. Generally, personnel records should be held, processed, or stored only where facilities and conditions are adequate to prevent unauthorized access.
(b) Personnel records must be stored in metal filing cabinets which are locked when the records are not in use, or in a secured room. Alternative storage facilities may be employed provided they furnish an equivalent or greater degree of security than these methods. Except for access by the data subject, only employees whose official duties require access shall be allowed to handle and use personnel records, in whatever form or media the records might appear. To the extent feasible, entry into personnel record storage areas shall be similarly limited. Documentation of the removal of records from storage areas must be kept so that adequate control procedures can be established to assure that removed records are returned on a timely basis.
(c) Disposal and destruction of personnel records shall be in accordance with the General Record Schedule issued by the General Services Administration for the records or, alternatively, with Office or agency records control schedules approved by the National Archives and Records Service of the General Services Administration.