(a) Administrative and physical controls. The agency will have administrative and physical controls to prevent unauthorized access to its systems of records, to prevent unauthorized disclosure of records, and to prevent physical damage to or destruction of records. The stringency of these controls corresponds to the sensitivity of the records that the controls protect. At a minimum, these controls are designed to ensure that:
(1) Records are protected from public view;
(2) The area in which records are kept is supervised during business hours in order to prevent unauthorized persons from having access to them;
(3) Records are inaccessible to unauthorized persons outside of business hours; and
(4) Records are not disclosed to unauthorized persons or under unauthorized circumstances in oral, written or any other form.
(b) Restrictive procedures. The agency will implement practices and procedures that restrict access to records to only those individuals within the agency who must have access to those records in order to perform their duties and that prevent inadvertent disclosure of records.