On October 14, 2011, the Department of Defense (DOD), the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) published a proposed rule that would amend the Federal Acquisition Regulation (FAR) to strengthen government contractor privacy training. Specifically, the proposed rule would require the employees of federal government contractors who work with government records containing personally identifiable information to undergo privacy training on an annual basis.1 The purpose of this amendment to FAR would be to extend existing Privacy Act training requirements to the employees of government contractors who work with covered systems of records.  

The proposed rule would require federal contracting agencies to include a prescribed FAR clause containing the privacy training requirements in all relevant contracts and solicitations. Government contractors whose employees work with government records containing personally identifiable information would then bear the primary compliance obligations. Government contractors would be tasked with (1) identifying their employees who are subject to the privacy training requirement, (2) providing the requisite training in accordance with stated minimum standards (unless the federal agency elects to serve as the training provider), and (3) maintaining evidence that the training has been completed. Contractor employees who fail to complete the requisite training would be prohibited from accessing government records containing personally identifiable information. Contractors that fail to comply with the proposed rule, when implemented, could face breach of contract allegations or worse, especially in the event the contractor mishandles personally identifiable information. As a result, we suggest that government contractors whose employees work with government records containing personally identifiable information carefully review the proposed training requirements and monitor the status of the proposed rule.

Comments on the proposed rule by interested parties must be submitted no later than December 13, 2011.

Privacy training requirements consistent with the Privacy Act of 1974

The FAR Council is emphasizing that the proposed rule is consistent2 with the mandates of the Privacy Act of 1974, which aims to protect the privacy of individuals by regulating how federal agencies collect, maintain, use, and disclose information about individuals.3 The Privacy Act covers "record[s]" that are contained within a "system of records," meaning that it only applies to personally identifiable information stored in a group of records maintained by a federal agency from which information is retrieved based on the name of the individual or some other identifier assigned to the individual.4 To ensure that the privacy protections it prescribes are carried out, the Privacy Act requires federal agencies to provide training on its provisions to persons who work with a "system of records" or the individual "records" contained within it, stating that the agency must "instruct each such person with respect to such rules and requirements of this section."5

Regarding government contractors, the Privacy Act contains a provision that extends its application to contractors that enter into a contract "for the operation by or on behalf of the agency of a system of records to accomplish an agency function."6 In addition, FAR 24.1 Protection of Individual Privacy, states that when a federal agency "contracts for the design, development, or operation of a system of records on individuals on behalf of the agency to accomplish an agency function, the agency must apply the requirements of the [Privacy] Act to the contractor and its employees working on the contract."7  

This proposed rule is seemingly a logical outgrowth of the protections provided by the Privacy Act and appears to be consistent with the existing requirements that government contractors working with government records containing personally identifiable information be subject to the mandates of the Privacy Act, including its training provision.

The requirements of the proposed rule

The proposed rule would amend Parts 24 and 52 of FAR by adding subpart 24.3 Privacy Training, which includes proposed FAR 24.301, Privacy Training, proposed FAR 24.302, Contract Clause, and a proposed clause with two alternates set out at FAR 52.224-XX, Privacy Training. A more extensive review of these provisions follows.

The scope and administration of the privacy training requirement

As an initial matter, proposed FAR 24.301(a) would identify the persons who are subject to the privacy training requirement as those contractor employees who, "(1) Require access to a Government system of records; (2) Handle personally identifiable information; or (3) Design, develop, maintain, or operate a system of records on behalf of the Federal Government."8 FAR's definition of "system of records" is identical to that of the Privacy Act.9

With regard to the administration of the privacy training, proposed FAR 24.301(b) contemplates that the most common approach will be for the federal agency to provide the government contractor with the training material, "in a format deemed appropriate," so that the contractor can perform the requisite training.10 However, proposed FAR 24.301 paragraphs (b) and (c) give the agency the option of authorizing a contractor to use its own training materials, or in the alternative, of electing to undertake the task of providing training to the contractor employees itself.11

Regardless of who administers the training, proposed FAR 24.301(c) sets forth the following seven elements that the privacy training, at a minimum, must address:

  • protecting privacy in accordance with the mandates of the Privacy Act;
  • proper handling and safeguarding of personally identifiable information;
  • authorized uses of government records;
  • restrictions on the use of personally-owned equipment when working with personally identifiable information;
  • prohibitions on unauthorized use of and access to government records and personally identifiable information;
  • breach notification procedures; and
  • any additional agency-specific privacy training requirements.12

Proposed FAR 24.301(a) states that each contractor employee subject to the training requirement must complete the training at the time the contract is awarded and at least annually thereafter.13

Government contractor compliance obligations

Proposed FAR 24.301(d) would task government contractors with three primary duties:

  • identifying the contractor employees who are subject to the privacy training requirements;
  • ensuring that those employees complete the requisite training, either by administering the training directly or, if the agency chooses to provide the training, by requiring attendance at the agency-provided training; and
  • maintaining training records so that evidence of completed training can be provided on demand.14

If a contractor employee subject to the privacy training requirements fails to complete the requisite training, proposed FAR 24.301(e) states that the employee will be denied access to government records and any personally identifiable information maintained by the agency.15 In the event of noncompliance, the government presumably would consider its rights and remedies for breach of contract and under other possible legal theories, especially in situations where the contractor mishandles the covered data.

Privacy training contract provisions

Proposed FAR 24.302 would require contracting agencies to include a clause containing the privacy training requirements described above in all contracts and solicitations when contractor employees will work with government records containing personally identifiable information.16 The specific language of the contract clause to be included is set forth in proposed FAR 52.224-XX.17 As noted above, the proposed rule provides for three methods by which the privacy training can be administered, and as a corollary, proposed FAR 52.224-XX contains a default clause plus two alternates.

The most common approach contemplated by the proposed rule is for the agency to provide the training materials to the government contractor, which in turn conducts the training. In this case, proposed FAR 24.302(a) instructs the contracting agency to include the language in proposed FAR 52.224-XX paragraphs (a)-(d) in contracts or solicitations.18 The first alternate arrangement is for the agency to authorize the government contractor to use its own training materials to conduct the training. If this method is chosen, the contracting agency will insert the language in "Alternate I" of proposed FAR 52.224-XX, which includes the seven mandatory elements of the privacy training, in lieu of paragraph (a) of that section.19 The second alternate arrangement is for the agency to conduct the training itself. If this method is chosen, the contracting agency will insert the language in "Alternate II" of proposed FAR 52.224-XX, which includes a statement that the agency will "conduct privacy training in the same format given its own employees," in lieu of paragraph (a) of that section.20

It is important to note that regardless of how the training is administered, all contracts or solicitations subject to this proposed rule must include the language in paragraph (d) of section 52.224-XX, which states that the language from the entire 52.224-XX clause, including paragraph (d), must be included in all subcontracts if the subcontractor employees will work with government data or personally identifiable information.21