Data Protection Report - Norton Rose Fulbright

Effective January 19, 2017, an update to the Federal Acquisition Regulation (FAR) will require certain contractors that provide services to the federal government to train their employees on privacy. New contracts into which the federal government enters with contractors will include privacy training requirements. In addition, the rule requires contractors to flow down privacy training requirements to their subcontractors.

The rule applies to contractors that:

  1. Handle Personally Identifiable Information;
  2. Have access to a system of records; or
  3. Design, develop, maintain or operate a system of records.

The rule incorporates the Office of Management and Budget’s (OMB) definitions of key terms. The new rule defines “personally identifiable information” as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”

A “system of records” refers to any system that “contains information that is retrieved by an individual’s name or unique identifier.” The rule authorizes the government’s contracting officer to determine whether a particular contract involves a system of records.

Training Requirements

The privacy training must address, at a minimum:

  • The provisions of the Privacy Act of 1974 (5 U.S.C. § 552a), including penalties for violations of the Act;
  • The appropriate handling and safeguarding of PII;
  • The authorized and official use of a system of records or any other PII;
  • Restrictions on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access, or store PII;
  • The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII or systems of records; and
  • Procedures to be followed in the event of a potential or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of PII.

Contractors are responsible for providing an initial training and annual privacy training refreshers. Contractors must train employees before employees handle PII or have access to a system of records. The rule requires contractors to maintain training records and, upon request, provide evidence to the government that relevant employees completed the required privacy training.

The rule’s access provision mandates that federal contractors comply with the training requirement even if they merely have access to a system of records. The rule does not provide exemptions for organizations whose use of PII or systems of records is incidental or low risk.

Our Take

The rule is part of the federal government’s growing emphasis on training employees to handle PII appropriately. Privacy training is a best practice for every company, and many companies already actively train employees on privacy and information security. This new regulation is a continuation of a regulatory trend to codify best practices. Best practices are well known, and companies can prepare for new regulations by proactively addressing privacy and information security risk throughout the organization. Key elements of a mature privacy program include: conducting risk assessments, implementing comprehensive privacy and information security programs, controlling employee and vendor access to information, and being prepared for cyber incidents by taking preventative measures and conducting regular tabletop exercises.