Thursday, December 22, 2016

Privacy Act Training for Contractor Employees

Beginning in January, you might see a new clause showing up in solicitations and contracts. The new clause will mandate privacy training on contracts where contractor employees will have access to a system of records where they will create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information, or contractor employees will be designing, maintaining, or operating such a system of records.

Personally identifiable information in this context means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.

The new requirements, to be found in FAR 24.3, contain some very detailed and specific elements to be included in privacy training. The rule requires initial privacy training and annual privacy training thereafter for all employees having access to personally identifiable information. The training must include the following:

  • The provisions of the Privacy Act of 1974 including penalties for violations of the Act
  • The appropriate handling and safeguarding of personally identifiable information
  • The authorized and official use of a system of records or any other personally identifiable information
  • The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access personally identifiable information
  • The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information, and
  • Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information.

Contractors may prepare and provide their own training or use the training of another agency unless the contracting officer specifies that only its agency-provided training is acceptable.

Contractors will be required to maintain and, upon request, provide documentation of completion of privacy training for all applicable employees.

No contractor employee shall be permitted to have or retain access to a system of records, create, collect, use, process, store, maintain, disseminate, disclose, or dispose, or otherwise handle personally identifiable information, or design, develop, maintain, or operate a system of records, unless the employee has completed privacy training that, at a minimum, addresses the elements described above.

In some cases, there may be a very short window between the award of a contract and the need to begin accessing personally identifiable information. In those cases, contractors must have already developed and be prepared to deliver the required training quickly.

Read more about the proposed rule here.
