Handling of Personal Data
Access to personal information will be limited to
authorized individuals of agencies in the Department of
Defense who have an official need for the record, except
when the information is otherwise releasable under the
disclosure or access provisions of the Privacy Act.
The following practices are suggested for the
handling of personal data:

Prepare a procedures handbook. Describe the
precautions to be used and obligations of
computer facility personnel during the physical
handling of all personal data. Include a reference
regarding the applicability of the procedures to
those government contractors who are subject to
the Privacy Act. Personal information that is
processed, accessed, maintained, or disposed of
by contractors must be handled within the terms
and conditions of Section 7-104.96 of the
Defense Acquisition Regulation.

Label all recording media that contain personal
data. Labeling the media reduces the probability
of accidental abuse of personal data. It also aids
in fixing the blame in the event of negligent or
willfully malicious abuse. If the information
resides on removable storage media, it should be
externally labeled. External warnings must
clearly indicate that the media contain personal
information subject to the Privacy Act; for
example, PERSONAL DATA - PRIVACY
ACT of 1974. Note that abbreviations must not
be used.

Store personal data in a manner that conditions
users to respect its confidentiality. For example,
store personal data under lock and key when not
being used.

If a program generates reports containing
personal data, have the program print clear
warnings of the presence of such data on the
reports.

Color code all computer tape reels, disk pack
covers, and so on, which contain personal data,
so they can be afforded the special protection
required by law.

Keep a record of all categories of personal data
contained in computer-generated reports. This
facilitates compliance with the requirements that
each command identify all personal data files
and their routine uses by the command.

Carefully control products of intermediate
processing steps. For example, control scratch
tapes and disk packs to ensure they do not
contribute to unauthorized disclosure of
personal data.

Maintain an up-to-date hard-copy authorization
list. The list should include all individuals
(computer personnel as well as system users)
allowed to access personal data. It is used in
access control and authorization validation.

Maintain an up-to-date hard-copy data
dictionary. This dictionary should be the
complete inventory of personal data files within
the computer facility to account for all
obligations and risks.

Maintenance of Records to Trace the
Disposition of Personal Data
The following practices are suggested for the
maintenance of records:

Establish procedures for maintaining correct,
current accounting of all new personal data
brought into the computer facility.

Log each transfer of storage media containing
personal data to or from the computer facility.

Maintain logbooks for terminals used to access
personal data by system users.

Data Processing Practices
The following practices are suggested for data
processing procedures:

Use control numbers to account for personal data
upon receipt and during input, storage, and
processing.

Verify the accuracy of the personal data
acquisition and entry methods employed.

Take both regular and unscheduled inventories
of all tape and disk storage media to ensure
accurate accounting for all personal data.

Use carefully devised backup procedures for
personal data. A copy of the data should be kept
at a second location if its maintenance is required
by law.

Create a records retention timetable covering all
personal data and stating minimally the data