Privacy Training Requirements for Federal Contractors

22 May 2017 Labor & Employment Law Perspectives Blog
Author(s): Jeffrey S. Kopp

Under a final rule issued by the Department of Defense (DOD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA), effective January 19, 2017, federal government contractors must now comply with new privacy training requirements regarding protection of personally identifiable information (PII). The new rule adds Subpart 24.3 (Privacy Training) to the Federal Acquisition Regulation (FAR) and a new standard contract clause (FAR 52.224-3) implementing the new requirements. These changes reflect that security and privacy are crucial elements of a comprehensive, strategic, and continuous risk-based program in Federal agencies.

Under the new rules, annual privacy training is required for employees who:

(1) have access to or design, develop, maintain or operate a system of records; or

(2) create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle any PII.

PII is defined as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” Employees may not have access to PII unless they have had the required privacy training. This would include, for example, HR professionals who maintain or have access to employee records that contain PII.

The new clause FAR 52.224-3 requires that the privacy training address the key elements necessary for ensuring the safeguarding of PII. The rule establishes minimum requirements for the initial and annual privacy training; the rule is also applicable to contracts and subcontracts for commercial-items, including contracts and subcontracts for commercially available off-the-shelf (COTS) items. Prime contractors are required to flow down these privacy training requirements to subcontractors.

The training requirements are described as “role based” and must “provide foundational as well as more advanced levels of training, and have measures in place to test the knowledge level of users.” The Contractor must also maintain and provide documentation regarding the completion of the privacy training upon the request of the Contracting Officer.

At a minimum, the privacy training must cover:

(i) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;

(ii) The appropriate handling and safeguarding of PII;

(iii) The authorized and official use of a system of records or any PII;

(iv) The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise access PII;

(v) The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII; and

(vi) The procedures to be followed in the event of a suspected or confirmed breach of a system of records or the unauthorized disclosure, access, handling, or use of PII.

The Contractor is permitted to provide its own training, or use the training of another agency, unless the contracting agency requires that only its own training may be utilized. Contractors must maintain documentation of the completed privacy training, and provide, upon request, this documentation to the contracting agency.

Recommended Next Steps:

  • Contractors should assess their current privacy procedures to determine if any of their employees have access to PII;
  • Current privacy procedures and policy should be reviewed to confirm compliance with the new requirements, and revise them as necessary;
  • Implement a compliant training program to fully train employees handling PII; and
  • Contractors should also review their subcontracts, since the privacy training requirements also apply to subcontractors; the clause must be flowed down if applicable.

If you have any questions about this alert or would like to discuss the topic further, please contact your Foley attorney.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Related Services