Under a final rule issued by the Department of Defense (DOD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA), effective January 19, 2017, federal government contractors must now comply with new privacy training requirements regarding protection of personally identifiable information (PII). The new rule adds Subpart 24.3 (Privacy Training) to the Federal Acquisition Regulation (FAR) and a new standard contract clause (FAR 52.224-3) implementing the new requirements. These changes reflect that security and privacy are crucial elements of a comprehensive, strategic, and continuous risk-based program in Federal agencies.
Under the new rules, annual privacy training is required for employees who:
(1) have access to or design, develop, maintain or operate a system of records; or
(2) create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle any PII.
PII is defined as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” Employees may not have access to PII unless they have had the required privacy training. This would include, for example, HR professionals who maintain or have access to employee records that contain PII.
The new clause FAR 52.224-3 requires that the privacy training address the key elements necessary for ensuring the safeguarding of PII. The rule establishes minimum requirements for the initial and annual privacy training; the rule is also applicable to contracts and subcontracts for commercial-items, including contracts and subcontracts for commercially available off-the-shelf (COTS) items. Prime contractors are required to flow down these privacy training requirements to subcontractors.
The training requirements are described as “role based” and must “provide foundational as well as more advanced levels of training, and have measures in place to test the knowledge level of users.” The Contractor must also maintain and provide documentation regarding the completion of the privacy training upon the request of the Contracting Officer.
At a minimum, the privacy training must cover:
(i) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;
(ii) The appropriate handling and safeguarding of PII;
(iii) The authorized and official use of a system of records or any PII;
(iv) The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise access PII;
(v) The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII; and
(vi) The procedures to be followed in the event of a suspected or confirmed breach of a system of records or the unauthorized disclosure, access, handling, or use of PII.
The Contractor is permitted to provide its own training, or use the training of another agency, unless the contracting agency requires that only its own training may be utilized. Contractors must maintain documentation of the completed privacy training, and provide, upon request, this documentation to the contracting agency.
Recommended Next Steps:
- Contractors should assess their current privacy procedures to determine if any of their employees have access to PII;
- Current privacy procedures and policy should be reviewed to confirm compliance with the new requirements, and revise them as necessary;
- Implement a compliant training program to fully train employees handling PII; and
- Contractors should also review their subcontracts, since the privacy training requirements also apply to subcontractors; the clause must be flowed down if applicable.