The FAR Council Wishes Contractors a Happy New ‘Privacy Training’

Bass, Berry & Sims PLC

The FAR Council issued a final rule on December 20, 2016, amending the Federal Acquisition Regulation (FAR) to add FAR Subpart 24.3, requiring privacy training for all contractor employees who (1) access a system of records; (2) handle personally identifiable information (PII); or (3) design, develop, maintain, or operate a system of records. A “system of records” is a “group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” 5 U.S.C. § 552a(a)(5); FAR 24.101.

These requirements apply to all contracts and flow down to all subcontracts involving access to a system of records. This includes commercial item contracts, contracts below the simplified acquisition threshold (SAT), and contracts for commercially available off-the-shelf (COTS) items.

At a minimum, the privacy training shall cover:

  1. Provisions of the Privacy Act of 1974, including penalties for violations;
  2. Appropriate handling and safeguarding of PII;
  3. Authorized and official use of a system of records or any other PII;
  4. Restrictions on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access PII;
  5. Prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII or systems of records; and
  6. Procedures to be followed in the event of a potential or confirmed breach.

This training is required initially and annually thereafter, from a source of the contractor’s choosing – unless the contracting officer incorporates FAR 52.224-3, Alternate I, which requires agency-provided training. Alternate I places the responsibility of providing the initial and annual privacy training on the government for the duration of the contract. All privacy training, regardless of source, must (1) be role-based, (2) provide foundational as well as more advanced levels of training, and (3) have measures in place to test the knowledge level of users. Contractors are required to maintain privacy training documentation and provide such documentation upon request.

These new requirements go into effect on January 19, 2017.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bass, Berry & Sims PLC | Attorney Advertising
