D.C. Mun. Regs. tit. 6-B, § 3105
3105.1 Controls shall be established in accordance with the following:
3105.2 Personnel records shall be stored in metal filing cabinets when the records are not in use, or in a secured room. Alternative methods may be employed if they furnish an equivalent or greater degree of security.
3105.3 Subject to the restrictions and conditions set forth in these regulations, the data subject may have access to his or her personnel records.
3105.4 Only employees whose official duties require access shall be allowed to handle and use personnel records.
3105.5 To the extent feasible, entry into the personnel records storage areas shall be limited.
3105.6 Documentation of the removal of records from the storage area shall be kept to ensure--
3105.7 D.C. Government records shall be disposed of and destroyed in accordance with procedures issued by the D.C. Department of General Services.
3105.8 Federal records shall be disposed of in accordance with the procedures of the U.S. General Services Administration.
3105.9 In addition to following the security requirements of this section, managers of automated personnel records shall establish administrative, technical, physical, and security safeguards on data about individuals in automated records reports, punched cards, magnetic tapes, disks, on-line computer storage, and other records maintained under the authority of the Act. The safeguards shall be in writing and, as a minimum, shall be sufficient to accomplish the following:
improperly obtain access to, modify, or destroy identifiable personal data.
(c) Prevent casual entry by unskilled persons who have no official reason for access to such data.
(d) Minimize the risk of an unauthorized disclosure where use is made of identifiable personal data in testing of computer programs.
(e) Control the flow of data into, through, and from agency computer operations.
(f) Adequately protect identifiable data from environmental hazards and unnecessary exposure.
(g) Ensure adequate internal audit procedures to comply with these safeguards.
(h) Dispose of identifiable personal data in automated files in such a manner as to make the data unobtainable by unauthorized personnel. Unneeded personal data stored in reusable media such as magnetic tapes and disks shall be erased prior to release of the media for reuse.
SOURCE: Final Rulemaking published at 28 DCR 4288 (October 2, 1981).