Federal government contractors must comply with new privacy training procedures as a result of a final rule issued by the U.S. Department of Defense (DOD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). As of January 19, 2017, federal contractors are required to meet training obligations to address the protection of privacy in accordance with the Privacy Act of 1974 and the handling and safeguarding of personally identifiable information (PII). The new rule added Subpart 24.3 (Privacy Training) to the Federal Acquisition Regulation (FAR) and a new standard contract clause (FAR 52.224-3) implementing the new requirements. Here are five frequently asked questions on the new privacy training requirement.
1. What Is Personally Identifiable Information?
The rule defines “personally identifiable information” as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”
2. Which Contracts Are Covered?
The new rule applies to all contracts or subcontracts with contractor employees who handle or have access to PII. It also applies to contracts “at or below the simplified acquisition threshold (SAT) and to contracts and subcontracts for commercial items, including contracts and subcontracts for commercially available off-the-shelf (COTS) items.” The rule requires prime contractors to flow down these privacy training requirements to subcontractors.
3. Which Employees Are Covered?
The final rule requires contractors to ensure that their employees complete initial privacy training and annual privacy training. The rule applies to employees who:
- “Have access to a system of records;
- Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information on behalf of an agency; or
- Design, develop, maintain, or operate a system of records.”
4. What Must Be Included in the Training?
According to the final rule, contractor employees may not handle PII unless they have completed privacy training. The training must “address the key elements necessary for ensuring the safeguarding of personally identifiable information or a system of records,” including, at a minimum, the following:
- “The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;
- The appropriate handling and safeguarding of personally identifiable information;
- The authorized and official use of a system of records or any other personally identifiable information;
- The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access personally identifiable information;
- The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information; and
- Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information (see Office of Management and Budget guidance for Preparing for and Responding to a Breach of Personally Identifiable Information).”
The training plan must be customizable such that it is “role-based,” i.e., tailored to the contractor employees’ assigned duties and must offer both foundational and advanced levels of training. The training must also include measures “to test the knowledge level of users.”
Contractors are permitted to use their own training or use another agency’s training under certain circumstances.
5. What Are the Rule’s Recordkeeping Requirements?
The new rule requires contractors to maintain documentation of the privacy training that their employees have completed. Contractors must also provide, upon request, documentation of the completion of privacy training for all applicable employees.
What should government contractors do? Federal government contractors should consider which of their employees, if any, handle or have access to PII. In addition, contractors should consider whether their subcontractors will need to comply with the new privacy training requirements. The relevant employees under covered contracts will need to be trained under the new requirements that are already in effect. In addition, contractors should ensure that they maintain records as required by the final rule.