Effective January 19, 2017, an update to the Federal Acquisition Regulation (FAR) will require certain contractors that provide services to the federal government to train their employees on privacy. New contracts into which the federal government enters with contractors will include privacy training requirements. In addition, the rule requires contractors to flow down privacy training requirements to their subcontractors.
The rule applies to contractors that:
- Handle personally identifiable information (PII);
- Have access to a system of records; or
- Design, develop, maintain or operate a system of records.
The rule incorporates the Office of Management and Budget’s (OMB) definitions of key terms. The new rule defines “personally identifiable information” as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”
A “system of records” refers to any system that “contains information that is retrieved by an individual’s name or unique identifier.” The rule authorizes the government’s contracting officer to determine whether a particular contract involves a system of records.
The privacy training must address, at a minimum:
- The provisions of the Privacy Act of 1974 (5 U.S.C. § 552a), including penalties for violations of the Act;
- The appropriate handling and safeguarding of PII;
- The authorized and official use of a system of records or any other PII;
- Restrictions on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access, or store PII;
- The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII or systems of records; and
- Procedures to be followed in the event of a potential or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of PII.
Contractors are responsible for providing initial privacy training and annual refresher training. Contractors must train employees before those employees handle PII or have access to a system of records. The rule requires contractors to maintain training records and, upon request, to provide evidence to the government that the relevant employees completed the required privacy training.
The rule’s access provision mandates that federal contractors comply with the training requirement even if they merely have access to a system of records. The rule does not provide exemptions for organizations whose use of PII or systems of records is incidental or low risk.
The rule is part of the federal government’s growing emphasis on training employees to handle PII appropriately. Privacy training is a best practice for every company, and many companies already actively train employees on privacy and information security. This new regulation continues a regulatory trend of codifying best practices. Those best practices are well known, and companies can prepare for new regulations by proactively addressing privacy and information security risk throughout the organization. Key elements of a mature privacy program include conducting risk assessments, implementing comprehensive privacy and information security programs, controlling employee and vendor access to information, and being prepared for cyber incidents by taking preventive measures and conducting regular tabletop exercises.