Federal government contractors are now required to provide annual privacy training for employees who (1) have access to a system of records,1 (2) handle personally identifiable information (PII),1 or (3) design, develop, maintain or operate a system of records (“covered employees”). Effective January 19, 2017, the Federal Acquisition Regulatory Council adopted this new rule, adding Subpart 24.3 (Privacy Training) to the Federal Acquisition Regulation (FAR) and a new standard contract clause (FAR 52.224-3) implementing the new requirements. The rule requires that covered employees are trained on compliance requirements pertaining to handling and safeguarding PII.

Privacy Training Requirements

As an initial matter, the training requirements apply to all contracts and subcontracts involving access to a system of records. This includes commercial item contracts, contracts below the simplified acquisition threshold (SAT), and contracts for commercially available off-the-shelf (COTS) items.

The privacy training must address the “key elements” necessary for ensuring the safeguarding of PII or a system of records. The training is required to be role-based, provide foundational training as well as more advanced levels of training, and have measures in place to test the knowledge level of users. At a minimum, the privacy training must cover the following topics:

  • The provisions of the Privacy Act of 1974 (5 U.S.C. § 552a), including penalties for violations of the Act;
  • The appropriate handling and safeguarding of PII;
  • The authorized and official use of a system of records or any other PII;
  • The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access PII;
  • The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII; and
  • Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of PII.

Providing the Training

Covered employees must receive initial privacy training and additional training annually thereafter. Contractors have the flexibility to develop their own training or utilize training from another source, unless the contracting agency specifies that only its agency-provided training is acceptable. Since the cost of developing training material may be prohibitive for certain agencies, contractors will need to monitor whether they need to develop their own compliant training program after reviewing their existing privacy training.

Further, contractors are required to document privacy training for all covered employees, and provide such documentation to the government upon request.

No covered employee may be permitted to have or retain access to a system of records; create, collect, use, process, store, maintain, disseminate, disclose, dispose of, or otherwise handle PII; or design, develop, maintain, or operate a system of records, unless the covered employee has completed privacy training that complies with this rule.

Implications for Federal Government Contractors

Companies with federal government contracts should identify which, if any, of their employees work with PII and systems of records, and, as a result, are required to attend annual privacy training. If the agency does not require the contractor to use agency-provided training, the contractor must either develop its own training program (meeting the minimum content requirements) or engage an outside source to conduct the required training. Contractors also must keep accurate records of their employees’ completion of privacy training, and be prepared to produce such records to the government upon request. While these new requirements create an additional burden on federal government contractors, affected companies should work diligently to comply with the rule and train its covered employees on the prescribed privacy issues. Doing so should help to reduce the risk that PII will be misused or subject to a security breach, potentially damaging the contractor’s relationship with the contracting agency.