Changes went into effect on January 19, 2017
Effective January 19, 2017, contractors subject to the Federal Acquisition Regulation (FAR) are required to ensure that annual privacy training is provided to employees who (1) handle personally identifiable information ("PII"), (2) have access to a system of records, or (3) design, develop, maintain or operate a system of records. Companies must also maintain records of the privacy training and provide those records, upon request, to the contracting agency. This requirement has been added to FAR Subpart 24.3 (Privacy Training) and implemented through the clause at FAR 52.224-3, and it applies to all contracts under which contractor employees will handle PII or have access to, or design, develop, maintain or operate, a system of records.
This includes contracts at or below the simplified acquisition threshold and contracts for commercial items or commercially available off-the-shelf items. Additionally, the clause at FAR 52.224-3 must be incorporated into all subcontracts for which subcontractor employees will handle PII or have access to or design, develop, maintain or operate a system of records.
The training must be role-based, addressing the duties of the contractor employees, must provide both foundational and more advanced levels of instruction, and must include measures to test employees' knowledge level. Training can be provided by the contractor or another source unless the contracting agency specifies that only agency-provided training is acceptable. At a minimum, the privacy training must cover:
• The provisions of the Privacy Act of 1974 (5 U.S.C. § 552a), including penalties for violations
• Appropriate handling and safeguarding of PII
• Authorized and official use of a system of records and PII
• Restrictions on the use of unauthorized equipment to create, collect, use, store, disseminate, or otherwise access PII
• Prohibitions against unauthorized use of a system of records or PII
• Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure of PII
The OMB defines PII as information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. Examples of PII include an individual's name, Social Security number, biometric records, date and place of birth, and mother's maiden name. A "system of records" is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some other unique identifier assigned to that individual. We suggest that all contractors review their employees' access to this type of information and to such systems to assess whether the new requirements apply to them.