Effective January 19, 2017, companies awarded federal government contracts will be required to ensure that their employees receive annual privacy training if those employees (1) handle personally identifiable information ("PII"), (2) have access to a system of records or (3) design, develop, maintain or operate a system of records. The Department of Defense, General Services Administration and National Aeronautics and Space Administration recently issued these new rules, adding Subpart 24.3 (Privacy Training) to the Federal Acquisition Regulation ("FAR") and a new standard contract clause (FAR 52.224-3) implementing the new requirements.
Based on the Office of Management and Budget's definition for PII, the new requirements define PII as information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. Examples of PII include an individual's name, Social Security number, biometric records, date and place of birth, and mother's maiden name. A "system of records" is a group of records from which information is retrieved by the name of the individual or other unique identifier assigned to that individual.
Under the new Privacy Training regulations, contractor employees with the specified access to PII and systems of records must receive initial privacy training and additional training annually. The training must be role-based (meaning that the training provided will depend on the assigned duties of the contractor employees), provide both foundational and more advanced levels of instructions, and include measures to test employees' knowledge level. Companies may provide their own training to employees or use training provided by another source, unless the contracting agency specifies that only agency-provided training is acceptable.
At a minimum, the privacy training must cover:
- The provisions of the Privacy Act of 1974 (5 USC § 552a), including penalties for violations
- Appropriate handling and safeguarding of PII
- Authorized and official use of a system of records and PII
- Restrictions on the use of unauthorized equipment to create, collect, use, store, disseminate, or otherwise access PII
- Prohibitions against unauthorized use of a system of records or PII
- Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure of PII
Companies will also be required to maintain records of employees' privacy training and provide those records to the contracting agency upon request.
The new regulations apply to all contracts for which contractor employees will handle PII or have access to or design, develop, maintain or operate a system of records. This includes contracts at or below the simplified acquisition threshold and contracts for commercial items or commercially available off-the-shelf items. The clause at FAR 52.224-3 also must be incorporated into all subcontracts for which subcontractor employees will handle PII or have access to or design, develop, maintain or operate a system of records.
Companies with federal government contracts should review their employees' access to PII and systems of records to determine whether the new regulations affect their employee training requirements.