Effective immediately, all federal contractors are required to provide privacy training to their employees to safely handle Personally Identifiable Information (PII) defined as “any information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” On January 19, 2017, the Department of Defense (DOD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) issued this new rule adding Subpart 24.3 (Privacy Training) to the Federal Acquisition Regulation (FAR) to implement these new requirements.
This rule applies to all federal contracts or subcontracts under which a contractor’s employees have access to or handle PII. A prime contractor that uses subcontractors is required to “flow down” these requirements to all covered subcontractors.
Federal contractors and subcontractors need to identify employees who will receive this training. Employees subject to this training will be the ones who:
- Have access to a system of records;
- Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information on behalf of an agency; or
- Design, develop, maintain, or operate a system of records.
The rule prohibits employees from handling PII unless they have completed initial privacy training, and it requires that the training be repeated annually thereafter. At a minimum, the training must address the following:
- The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;
- The appropriate handling and safeguarding of personally identifiable information;
- The authorized and official use of a system of records or any other personally identifiable information;
- The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access personally identifiable information;
- The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information; and
- Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information (see Office of Management and Budget Guidance for Preparing for and Responding to a Breach of Personally Identifiable Information).
From a recordkeeping standpoint, federal contractors/subcontractors are required to maintain documentation that all covered employees received the mandatory training and furnish this information upon request.
This rule took effect on January 19, 2017, which means it is not directly impacted by President Trump’s “Regulatory Freeze Pending Review” memo, which requires a 60-day review period for rules that had not taken effect as of January 20, 2017. Because of the requirement to provide proof of training when requested by federal agencies (48 CFR 52.224.3), the Office of Management and Budget (OMB) received a request on January 31, 2017, to assign a new OMB control number for section 52.224.3, among others. That request is awaiting approval. To stay up to date on regulatory changes, be sure to subscribe to this blog, BALANCEview.