The Federal Acquisition Regulations were recently updated to include a requirement that certain

federal contractors provide privacy training to some of their employees. The training obligation does not apply to all employees of contractors who are subject to the requirement, and the requirement does not apply to all federal contractors.

Effective January 19, 2017, contracting officers should be adding FAR 52.224-3 to solicitations and contracts in which a contractor would, on behalf of a federal agency,

  • Have access to a system of records;
  • Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information; or
  • Design, develop, maintain, or operate a system of records.

Personally identifiable information (“PII”) is defined as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”

Once this contract clause applies to a contractor, it must ensure that its employees involved in any of the processes outlined above receive privacy training before working on the contract and at least annually as long as the contract remains in effect. These requirements apply to subcontractors, as well.

The privacy training must address specific items:

  • The provisions of the Privacy Act, including penalties for violations
  • The appropriate handling and safeguarding of PII
  • The authorized and official use of a system of records or any other PII
  • The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access PII
  • The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII
  • Procedures to be followed in the event of a suspected breach

Unless the contracting officer specifies that the contractor must use agency-provided training, contractors may either provide their own training or use the training of another federal agency. The training must also “be role-based,” have “foundational as well as more advanced levels of training, and have measures in place to test the knowledge level of users.”

If your company is involved in handling PII or related records for the federal government, you should begin to prepare for implementation of this privacy training.