(a) GAO shall maintain in its personnel records only such information about an individual as is relevant and necessary to accomplish an authorized official purpose. Authority to maintain personnel records does not constitute authority to maintain information in the record merely because a need for it may develop in the future. Both Government-wide and internal agency personnel records shall contain only information concerning an individual that is relevant and necessary to accomplish GAO's personnel management objectives as required by statute, GAO internal directive, or formal agreements between GAO and other Federal agencies.
(b) GAO shall make every reasonable effort to collect information about an individual directly from that individual when the information may result in adverse determinations about the individual's rights, benefits, and privileges under Federal programs. Factors to be considered in determining whether to collect the data from the individual concerned or a third party are:
(1) The nature of the information is such that it can only be obtained from another party;
(2) The cost of collecting the information directly from the individual is unreasonable when compared with the cost of collecting it from another party;
(3) There is virtually no risk that information collected from other parties, if inaccurate, could result in a determination adverse to the individual concerned;
(4) The information supplied by an individual must be verified by another party; or
(5) Provisions are made, to the greatest extent practical, to verify information collected from another party with the individual concerned.
(c) GAO shall inform each individual whom it asks to supply information for a personnel record, on the form which it uses to collect the information or on a separate form that can be retained by the individual, of—
(1) The authority for the solicitation of the information and whether disclosure of such information is mandatory or voluntary;
(2) The principal purpose or purposes for which the information is intended to be used;
(3) The routine uses which may be made of the information, as published pursuant to paragraph (d)(4) of this section; and
(4) The effects, if any, of not providing all or any part of the requested information;
(d) Subject to the provisions of paragraph (i) of this section, GAO shall publish in the Federal Register, upon establishment or revision, a notice of the existence and character of its systems of personnel records. Such notice shall include—
(1) The name and location(s) of each system of personnel records;
(2) The categories of individuals about whom records are maintained in each such system;
(3) The categories of records maintained in each system of personnel records;
(4) Each routine use of the records contained in each system of personnel records, including the categories of users and the purpose(s) of such use;
(5) The policies and practices of GAO regarding storage, retrievability, access controls, retention, and disposal of the records;
(6) The title and business address of the GAO official who is responsible for maintaining each system of personnel records;
(7) GAO procedures whereby an individual can ascertain whether a system of personnel records contains a record pertaining to the individual;
(8) Procedures whereby an individual can request access to any record pertaining to him contained in any system of personnel records, and how the individual may contest its content; and
(9) The categories of sources of records in each system of personnel records.
(e) GAO shall maintain all records which it uses in making any determination about any individual with such accuracy, relevancy, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination;
(f) GAO shall, prior to disseminating any record about an individual to any person other than a Federal agency, make all reasonable efforts to assure that such records are accurate, complete, timely, and relevant for GAO's purposes;
(g) GAO shall make reasonable efforts to serve notice on an individual or his authorized representative when any personnel record on such individual is being made available to any person under compulsory legal process as soon as practicable after service of the subpoena or other legal process;
(h) GAO shall establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of personnel records or files or in maintaining any record, and to instruct each person with respect to such rules and requirements of this part, including any other rules and procedures adopted pursuant to this part;
(i)(1) GAO shall establish and maintain appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of personnel records. At a minimum, these controls shall require that all persons whose official duties require access to and use of personnel records be responsible and accountable for safeguarding those records and for ensuring that the records are secured whenever they are not in use or under the direct control of authorized persons. Generally, personnel records should be held, processed, or stored only where facilities and conditions are adequate to prevent unauthorized access;
(2) Except for access by the data subject, only employees whose official duties require and authorize access shall be allowed to handle and use personnel records, in whatever form or media the records might appear. To the extent feasible, entry into personnel record storage areas shall be similarly limited. Documentation of the removal of records from storage areas must be kept so that adequate control procedures can be established to assure that removed records are returned intact on a timely basis and properly controlled during such period of removal.
(3) In addition to following the above security requirements, managers of automated personnel records shall establish and maintain administrative, technical, physical, and security safeguards for data about individuals in automated records, including input and output documents, reports, punched cards, magnetic tapes, disks, and on-line computer storage. As a minimum, the safeguards must be sufficient to:
(i) Prevent careless, accidental, or unintentional disclosure, modification, or destruction of identifiable personal data;
(ii) Minimize the risk of improper access, modification, or destruction of identifiable personnel data;
(iii) Prevent casual entry by persons who have no official reason for access to such data;
(iv) Minimize the risk of unauthorized disclosure where use is made of identifiable personal data in testing of computer programs;
(v) Control the flow of data into, through, and from computer operations;
(vi) Adequately protect identifiable data from environmental hazards and unnecessary exposure; and
(vii) Assure adequate internal audit procedures to comply with these procedures.
(4) The disposal of identifiable personal data in automated files is to be accomplished in such a manner as to make the data unobtainable to unauthorized personnel. Unneeded personal data stored on reusable media, such as magnetic tapes and disks, must be erased prior to release of the media for reuse.
(j) At least 30 days prior to publication of information under paragraph (d)(4) of this section, GAO shall publish in the Federal Register notice of any new use or intended use of the information in the system, and provide an opportunity for interested persons to submit written data, views, or arguments to GAO.