Wednesday, December 23, 2015

Privacy Training for Contractor Employees

Twice a year the FAR Councils issue a regulatory agenda summarizing regulations under development. The Report issued last week lists two regulations at the "proposed rule stage", 15 items at the "final rule stage" and three items considered "completed actions". We have reported on most of these upcoming changes at one time or another but there was one item that we had forgotten about. We didn't realize that it was still an active case. The public comment period to the proposed rule ended four years ago, December 2011.

The case deals with privacy training for contractors, contractors with employees who require access to a Government system of records, handle personally identifiable information, or design, develop, maintain, or operate a system of records on behalf of the Federal Government.

Under the proposed regulation, contractors are responsible for conducting initial privacy training and annual privacy training thereafter. The training shall, at a minimum, address the following seven topics:

  1. The protection of privacy, in accordance with the Privacy Act
  2. The handling and safeguarding of personally identifiable information
  3. The authorized and official use of a Government system of records
  4. Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information
  5. The prohibition against access by unauthorized users and unauthorized use by authorized users, of personally identifiable information or systems of records on behalf of the Federal Government
  6. Breach notification procedures (i.e. procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised) to minimize risk and to ensure prompt and appropriate actions are taken should a breach occur; and 
  7. Any agency-specific privacy training requirements.

There are two versions of the applicable contract clause, one for contractor-developed training and the other for Agency-developed training. The option to have the contractor provide the training or the Government to provide the training is up to the Agency.  If Government provided, it will be the same training the Government provides to its own employees.

No comments:

Post a Comment