The FAR Councils are proposing to amend the Federal Acquisition Regulations (FAR) to add a new section related to privacy training. It will require contractors to identify employees who require access to a Government system of records, handle personally identifiable information, or design, develop, maintain, or operate a system of records on behalf of the Federal Government, and then to ensure that those employees complete privacy training immediately upon award of the procurement and at least annually thereafter. In addition, contractors are required to keep records indicating that employees have completed the required training and, upon request, provide those records to the Government.
The proposal specifies the minimum privacy training coverage as follows:
- The protection of privacy, in accordance with the Privacy Act (5 USC 552s)
- The handling and safeguarding of personally identifiable information
- The authorized and official use of a Government system of records
- Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information
- The prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally identifiable information or systems of records on behalf of the Federal Government
- Breach notification procedures (i.e., procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised) to minimize risk and to ensure prompt and appropriate actions are taken should a breach occur
- Any agency-specific privacy training requirements.
The FAR councils estimate that this requirement will affect about 1,500 small businesses in additions to an unknown number of other firms but does not expect that impacted contractors will find the requirement burdensome.