The case deals with privacy training for contractors whose employees require access to a Government system of records; handle personally identifiable information; or design, develop, maintain, or operate a system of records on behalf of the Federal Government.
Under the proposed regulation, contractors are responsible for conducting initial privacy training and annual privacy training thereafter. The training shall, at a minimum, address the following seven topics:
- The protection of privacy, in accordance with the Privacy Act
- The handling and safeguarding of personally identifiable information
- The authorized and official use of a Government system of records
- Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information
- The prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally identifiable information or systems of records on behalf of the Federal Government
- Breach notification procedures (i.e., procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised) to minimize risk and to ensure prompt and appropriate actions are taken should a breach occur
- Any agency-specific privacy training requirements
There are two versions of the applicable contract clause, one for contractor-developed training and the other for Agency-developed training. Whether the contractor or the Government provides the training is up to the Agency. If the Government provides it, it will be the same training the Government provides to its own employees.