A Federal Acquisition Regulation proposed on October 14, 2011 (76 Fed. Reg. 63896, 10/14/11), would require federal contractors to conduct privacy training before being given access to government records or handling personally identifiable information. For many entities, training may already be called for under a federal or state law, or contract provision. However, this regulation raises the bar by effectively halting a contractor’s work until the training is performed. Contractors will need to watch this regulation closely as it may affect their businesses. The public may submit comments on this regulation until Dec. 13, 2011.
Key features of the proposed regulations:
- Contractors would be required to provide initial training and annual training for employees who either —(1) require access to a government system of records; (2) Handle personally identifiable information; or (3) Design, develop, maintain, or operate a system of records on behalf of the federal government.
- Federal agencies are required to provide contractors the training materials unless, on
an exception basis, the contracting officer authorizes a contractor to provide its own privacy training materials. - The contractor is responsible to ensure the training is completed, and must maintain documentation of the training.
- Certain privacy clauses will need to be added to the contract between the contractor and the government.
Training must cover at least the following seven areas:
- The protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a);
- The handling and safeguarding of personally identifiable information;
- The authorized and official use of government system of records;
- Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information;
- The prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally identifiable information or systems of records on behalf of the Federal
Government; - Breach notification procedures i.e., procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised) and
- Any agency-specific privacy training requirements.