New Privacy Training Requirements for Covered Federal Contractor Employees
By Federal Contractor and Privacy & Cybersecurity Practice Groups
A recent rule amending the Federal Acquisition Regulations (“FAR”), effective January 19, 2017, requires federal contractors to provide initial and annual privacy training for three types of employees, namely those who, on behalf of a federal agency: (1) have access to a system of records (“SOR”); (2) design, develop, maintain or operate such a SOR; or (3) create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise handle (collectively “Process”) personally identifiable information (“PII”).
Notably, the rule does not apply to employees whose access is limited to the contractor’s own human resources information or personal information of other third parties. However, for the covered employees, the rule imposes important new training requirements.
I. Covered Contracts
Whether contracting officers are required to insert the privacy training contract clause (FAR 52.224-3) in solicitations and contracts will turn on whether contractor employees will Process PII or work on a SOR on behalf of the agency.
Personally Identifiable Information: Under the FAR, PII is information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.
System of Records: The FAR defines a SOR as a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol or other identifying particular assigned to the individual.
Notably, because the regulation is promulgated pursuant to the Privacy Act of 1974, which predates statutory exemptions applicable to laws enacted after October 13, 1994, it contains no exceptions for small contracts or contracts for commercial items. Thus, the new regulation applies to contracts and subcontracts that fall below the simplified acquisition threshold (“SAT”) and those for commercially available off-the-shelf (“COTS”) items.
Any contractor whose employees Process PII, or access, design, develop, maintain or operate a SOR on behalf of a federal agency, should carefully review any training requirement provisions added by contracting officers to new solicitations as well as any such provisions added through modification to existing contracts. In practice, the contractors most likely to be covered by the privacy training requirements include financial institutions, insurance companies, law firms, and accounting firms, as they are more likely to Process PII of a federal agency. Covered contractors must flow down the privacy training requirement in contracts with any subcontractors who Process PII or work on a SOR on a federal agency’s behalf.
II. Training Requirements
Covered employees must be trained prior to handling PII, and annually thereafter. Unless the agency requires that a contractor’s covered employees receive such training from the agency directly, contractors may provide their own training.
The training must address the key elements for safeguarding PII and SORs. It must be “role based, provide foundational as well as more advanced levels of training” and include some form of testing.
At a minimum, the privacy training must cover the following topics:
Provisions of the Privacy Act of 1974, including penalties for violations of the Act;
Appropriate handling and safeguarding of PII;
Authorized and official use of a SOR or any other PII;
Restriction on the use of unauthorized equipment to Process PII;
Prohibition against the unauthorized use of a SOR or unauthorized Processing of PII; and
Procedures to be followed in the event of a suspected or confirmed breach of a SOR or unauthorized Processing of PII.
Contractors must document the privacy training conducted and be prepared to provide such documentation to the relevant government agency upon request.
Additionally, contractors who opt to conduct their own training should consult legal counsel to ensure that the training satisfies the requirements of the new rule.
If you are interested, Paul Hastings’ Privacy and Cybersecurity Practice Group is developing training that will comply with the new FAR.