National Association of Government Contractors

FAR Requirement to Train Workers on Privacy

Recent updates to Federal Acquisition Regulations (FAR) includes requirement that certain federal contractors provide privacy training to segments of their workforce. The training obligation does not apply to all employees of contractors who are subject to the requirement, and the requirement does not apply to all federal contractors.

Since January 19, 2017, contracting officers were to begin adding FAR 52.224-3 to solicitations and contracts with certain contractors. Specifically those that would carry out the following, on behalf of a federal agency:

  • Have access to a system of records;
  • Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information; or
  • Design, develop, maintain, or operate a system of records.
  • Personally identifiable information ("PII") is defined as "information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual."

In the event this contract clause applies to a contractor, it attaches, and the contractor must ensure that its employees involved in any of the processes outlined above receive privacy training before working on the contract and at least annually as long as the contract remains in effect. These requirements apply to subcontractors, as well.

The privacy training must address the following:

  • The provisions of the Privacy Act, including penalties for violations
  • The appropriate handling and safeguarding of PII
  • The authorized and official use of a system of records or any other PII
  • The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access PII
  • The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII
  • Procedures to be followed in the event of a suspected breach
  • Unless the contracting officer specifies that the contractor must use agency-provided training, contractors may either provide their own training or use the training of another federal agency.  The training must also "be role-based," have "foundational as well as more advanced levels of training, and have measures in place to test the knowledge level of users."

If your company is involved in handling PII or related records for the federal government, you should be developing plan to offer privacy training.

« Back to News

News & Tips
Government contractor news & industry tips from a source you can trust. Sign up for our weekly updates to stay informed and get involved. Easily unsubscribe at any time.

Our Insider's Guide Series was developed as an easy-to-understand series of guides to assist you through the government procurement process.

National Association of Government Contractors
1250 Connecticut Ave NW
Suite 200
Washington, DC 20036
Phone: 202-465-3750
Toll Free: 1.800.979.NAGC
LinkedIn Facebook Twitter

FedEx Shipping Discount
Office Depot Member Program
American Express
OneMain Financial Loans
Paychex Payroll Processing
NAGC Health

Privacy Policy | Subscriber Agreement & Terms of Use | Purchase Policy | Data & Cookies
Copyright © 2004 - 2018 National Association of Government Contractors.   All Rights Reserved. Geotrust RapidSSL