On October 14, 2011, the FAR Council issued a proposed rule (76 Fed. Reg. 63,896) to amend the Federal Acquisition Regulation (FAR) to require privacy training for contractor employees. This is a new training requirement that must be met in order for contractor employees to have access to a Government system of records, handle personally-identifiable information, or design, develop, maintain, or operate a system of records on behalf of the Federal Government. Under current rules (FAR 24.1), there is no explicit privacy training requirement, nor is access contingent upon meeting a privacy training requirement. Currently, contractors must agree to comply with the Privacy Act of 1974 (5 U.S.C. § 552a); they also are notified that violation of the Privacy Act may result in criminal penalties imposed upon officers or employees of the agency and that, when the contract is to operate a Government system of records, the contractor is considered an employee of the agency for purposes of the Privacy Act.
Under the proposed rule, which was published October 14, the contractor would have to identify employees "who require access to a Government system of records, handle personally identifiable information or design, develop, maintain, or operate a system of records on behalf of the Federal Government" and provide initial privacy training to these employees upon award and annually thereafter. Access to such systems and personally-identifiable information will be contingent upon completing this training. Contractors will also have to maintain records evidencing this training and be able to provide such records to the Government upon request.
The proposed rule also mandates that the privacy training address "at a minimum" seven areas:
- Protection of privacy in accordance with the Privacy Act;
- Handling and safeguarding of personally identifiable information;
- Authorized and official use of a Government system of records;
- Restrictions on the use of personally-owned equipment to process, access, or store personally-identifiable information;
- Prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally-identifiable information;
- Breach notification procedures;
- Any agency-specific privacy training procedures.
Under the proposed rule, contractors would provide this training using agency-provided materials. However, the contracting officer may on "an exception basis" authorize the contractor to provide its own privacy training or may authorize contractor employees to attend agency privacy training with other agency employees. Such training would still have to address the seven areas described above. This new privacy training requirement would apply to subcontractors that "will have access to a Government system of records, handle personally identifiable information, or design, develop, maintain, or operate a system of records on behalf of the Federal Government." The proposed rule would not apply to commercial item contracts.
Comments on the proposed rule are due December 13, 2011.