Don’t Overlook New Privacy Training Requirements
March 1, 2017
By: Eric Whytsell
During the end of year crush, some contractors may have missed the December 20, 2016 publication of a final rule requiring contractors whose employees have access to a system of records or handle personally identifiable information (PII) to provide privacy training to those employees. The new rule, which took effect January 19, 2017, provides guidance to contractors concerning the required training to address the protection of privacy in accordance with the Privacy Act of 1974, 5 U.S.C. 552a, as amended, and the handling and safeguarding of PII. If your employees handle PII or have access to or work on or with a system of records, you need to be aware of these new requirements and take steps to comply.
The new rule requires contractors to ensure that initial privacy training, and annual training thereafter, is provided to its employees who, on behalf of a Government agency: “(1) Have access to a system of records; (2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information on behalf of the agency; or (3) Design, develop, maintain, or operate a system of records.” For the purposes of determining whether the rule applies, the term “system of records” means “a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” FAR 24.101. In addition, the rule revised the definition of PII to mean “information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.” Examples of PII include a person’s name, Social Security number, date and place of birth, mother's maiden name, and biometric information.
The required training must cover the “key elements necessary for ensuring the safeguarding of personally identifiable information or a system of records,” including:
- the provisions of the Privacy Act of 1974, including penalties for violations
- appropriate handling and safeguarding of personally identifiable information
- authorized and official use of a system of records or any other personally identifiable information
- restrictions on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access personally identifiable information
- the prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information
- procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information.
The training must “be role-based, provide foundational as well as more advanced levels of training, and have measures in place to test the knowledge level of users.” With respect to breach procedures, the rule cites the recently issued Office of Management and Budget guidance for Preparing for and Responding to a Breach of Personally Identifiable Information.
Contractors can fulfill the new training requirements by developing and using their own training or by using the training of another agency, unless the contracting agency specifies that only its agency-provided training is acceptable. Contractor employees may not be permitted to (i) have access to or work with a system of records; or (ii) create, have, or handle PII, until they have completed the required privacy training. Contractors must maintain, and provide to the contracting officer upon request, documentation of completion of privacy training for all applicable employees.
The new contract clause must be flowed down to subcontractors whose employees handle PII or have access to or work on or with a system of records. Significantly, the new rule applies to contracts and subcontracts at or below the simplified acquisition threshold (SAT) and to contracts and subcontracts for commercial items, including contracts and subcontracts for commercially available off-the-shelf (COTS) items. In other words, there is no exception for small contracts or contracts for any kind of commercial items. This is because the statutory authority for this rule, the Privacy Act of 1974, 5 U.S.C. 552a, predates the statutory exemptions stipulating that provisions of law enacted after October 13, 1994 are not to be made applicable to certain contracts or subcontracts unless a written determination is made that such exemption would not be in the Federal Government’s best interests.
Contractors who have federal contracts (and their subcontractors) should determine whether their employees engage in the specified activities on behalf of Government agencies and, if so, put into place policies and procedures for properly training those employees.
Eric Whytsell is responsible for the contents of this Article.
© 2017 Jackson Kelly PLLC