The FAR Council issued a final rule on December 20, 2016, amending the Federal Acquisition Regulation (FAR) to add FAR Subpart 24.3, requiring privacy training for all contractor employees who (1) access a system of records; (2) handle personally identifiable information (PII); or (3) design, develop, maintain, or operate a system of records. A “system of records” is a “group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” 5 U.S.C. § 552a(a)(5); FAR 24.101.
These requirements apply to all contracts and flow down to all subcontracts involving access to a system of records. This includes commercial item contracts, contracts below the simplified acquisition threshold (SAT), and contracts for commercially available off-the-shelf (COTS) items.
At a minimum, the privacy training shall cover:
- Provisions of the Privacy Act of 1974, including penalties for violations;
- Appropriate handling and safeguarding of PII;
- Authorized and official use of a system of records or any other PII;
- Restrictions on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access, or store PII;
- Prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII or systems of records; and
- Procedures to be followed in the event of a potential or confirmed breach.
This training is required initially and annually thereafter, from a source of the contractor’s choosing – unless the contracting officer incorporates FAR 52.224-3, Alternate I, which requires agency-provided training. Alternate I places the responsibility of providing the initial and annual privacy training on the government for the duration of the contract. All privacy training, regardless of source, is (1) required to be role-based, (2) provide foundational as well as more advanced levels of training, and (3) have measures in place to test the knowledge level of users. Contractors are required to maintain privacy training documentation and provide such documentation upon request.
These new requirements go into effect on January 19, 2017.