New Privacy Training Requirements for Companies with Federal Government Contracts

Cooley Alert
January 18, 2017

Effective January 19, 2017, companies awarded federal government contracts will be required to ensure that their employees receive annual privacy training if those employees (1) handle personally identifiable information ("PII"), (2) have access to a system of records or (3) design, develop, maintain or operate a system of records. The Department of Defense, General Services Administration and National Aeronautics and Space Administration recently issued these new rules, adding Subpart 24.3 (Privacy Training) to the Federal Acquisition Regulation ("FAR") and a new standard contract clause (FAR 52.224-3) implementing the new requirements.

Based on the Office of Management and Budget's definition for PII, the new requirements define PII as information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. Examples of PII include an individual's name, Social Security number, biometric records, date and place of birth, and mother's maiden name. A "system of records" is a group of records from which information is retrieved by the name of the individual or other unique identifier assigned to that individual.

Under the new Privacy Training regulations, contractor employees with the specified access to PII and systems of records must receive initial privacy training and additional training annually. The training must be role-based (meaning that the training provided will depend on the assigned duties of the contractor employees), provide both foundational and more advanced levels of instructions, and include measures to test employees' knowledge level. Companies may provide their own training to employees or use training provided by another source, unless the contracting agency specifies that only agency-provided training is acceptable.

At a minimum, the privacy training must cover:

  • The provisions of the Privacy Act of 1974 (5 USC § 552a), including penalties for violations
  • Appropriate handling and safeguarding of PII
  • Authorized and official use of a system of records and PII
  • Restrictions on the use of unauthorized equipment to create, collect, use, store, disseminate, or otherwise access PII
  • Prohibitions against unauthorized use of a system of records or PII
  • Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure of PII

Companies will also be required to maintain records of employees' privacy training and provide those records to the contracting agency upon request.

The new regulations apply to all contracts for which contractor employees will handle PII or have access to or design, develop, maintain or operate a system of records. This includes contracts at or below the simplified acquisition threshold and contracts for commercial items or commercially available off-the-shelf items. The clause at FAR 52.224-3 also must be incorporated into all subcontracts for which subcontractor employees will handle PII or have access to or design, develop, maintain or operate a system of records.

Companies with federal government contracts should review their employees' access to PII and systems of records to determine whether the new regulations affect their employee training requirements.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.