Following a recent update to the Federal Acquisition Regulation (FAR), some contractors (and their subcontractors) that provide certain services to the federal government will be required to train their employees on privacy.
The rule applies to contractors that:
- Handle Personally Identifiable Information;
- Have access to a system of records; or
- Design, develop, maintain or operate a system of records.
The rule incorporates the Office of Management and Budget's (OMB) definitions of key terms. The new rule defines “personally identifiable information” as “information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.”
A “system of records” refers to any system that “contains information that is retrieved by an individual's name or unique identifier.” The rule authorizes the government's contracting officer to determine whether a particular contract involves a system of records.
The required privacy training must address:
- Key provisions of the Privacy Act of 1974, and penalties for violations of the Act;
- The appropriate handling and safeguarding of PII;
- The authorized and official use of a system of records or any other PII;
- Restrictions on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access, or store PII;
- The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII or systems of records; and
- Procedures to be followed in the event of a potential or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of PII.
Contractors are responsible for providing initial privacy training and annual refresher training. Contractors must train employees before employees handle PII or have access to a system of records. The rule requires contractors to maintain training records and, upon request, provide evidence to the government that relevant employees completed the required privacy training.