310.13—Safeguarding personal information.
(a) General responsibilities.
DoD Components shall establish appropriate administrative, technical and physical safeguards to ensure that the records in each system of records are protected from unauthorized access, alteration, or disclosure and that their confidentiality is preserved and protected. Records shall be protected against reasonably anticipated threats or hazards that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual about whom information is kept.
(b) Minimum standards.
(1)
Tailor system safeguards to conform to the type of records in the system, the sensitivity of the personal information stored, the storage medium used and, to a degree, the number of records maintained.
(2)
Treat all unclassified records that contain personal information that normally would be withheld from the public under Freedom of Information Exemption Numbers 6 and 7 of 286.12, subpart C of 32 CFR part 286 (“DoD Freedom of Information Act Program”) as “For Official Use Only,” and safeguard them accordingly, in accordance with DoD 5200.1-R even if they are not actually marked “For Official Use Only.”
(3)
Personal information that does not meet the criteria discussed in paragraph (b)(2) of this section shall be accorded protection commensurate with the nature and type of information involved.
(4)
Special administrative, physical, and technical procedures are required to protect data that is stored or processed in an information technology system to protect against threats unique to an automated environment (see appendix A).
(c) Records disposal.
(1)
Dispose of records containing personal data so as to prevent inadvertent compromise. Disposal methods are those approved by the Component or the National Institute of Standards and Technology. For paper records, disposal methods, such as tearing, burning, melting, chemical decomposition, pulping, pulverizing, shredding, or mutilation are acceptable. For electronic records, and media, disposal methods, such as overwriting, degaussing, disintegration, pulverization, burning, melting, incineration, shredding or sanding, are acceptable.
(2)
Disposal methods are considered adequate if the personal data is rendered unrecognizable or beyond reconstruction.