Recent updates to the Federal Acquisition Regulations (FAR) include a requirement that certain federal contractors provide privacy training to segments of their workforce. The training obligation does not apply to all employees of contractors who are subject to the requirement, and the requirement does not apply to all federal contractors.
As of January 19, 2017, contracting officers were to begin adding FAR 52.224-3 to solicitations and contracts with certain contractors, specifically those that would do any of the following on behalf of a federal agency:
- Have access to a system of records;
- Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information; or
- Design, develop, maintain, or operate a system of records.
Personally identifiable information ("PII") is defined as "information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual."
When this contract clause applies to a contractor, the contractor must ensure that its employees involved in any of the activities outlined above receive privacy training before working on the contract and at least annually for as long as the contract remains in effect. These requirements apply to subcontractors as well.
The privacy training must address the following:
- The provisions of the Privacy Act, including penalties for violations
- The appropriate handling and safeguarding of PII
- The authorized and official use of a system of records or any other PII
- The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access PII
- The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII
- Procedures to be followed in the event of a suspected breach
Unless the contracting officer specifies that the contractor must use agency-provided training, contractors may either provide their own training or use the training of another federal agency. The training must also "be role-based," have "foundational as well as more advanced levels of training, and have measures in place to test the knowledge level of users."
If your company is involved in handling PII or related records for the federal government, you should be developing a plan to offer privacy training.