The FAR Council issued a final rule, effective January 19, 2017, which will broadly require specific privacy training, and annual re-training, for contractor or subcontractor personnel dealing with "personally identifiable information" (PII). Of particular note, the provisions have no exception for commercial items, for COTS items (commercially available off-the-shelf items), or for purchases below the Simplified Acquisition Threshold (SAT). Additionally, the provisions (prescribing clauses at FAR 24.3, and contract clause FAR 52.224-3) apply quite broadly to contractor employees. Specifically, the provisions apply to contractor/subcontractor employees who:

(1) Have access to a system of records;

(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information on behalf of an agency; or

(3) Design, develop, maintain, or operate a system of records.

Combining the absence of exceptions and the breadth of applicability, this should be of particular concern to commercial companies that either directly engage with the government or engage as subcontractors. Though privacy training is not itself a bad idea and is in fact likely good for any company that is handling PII, performing such training under the formality and supervision of the Federal Government makes it a much more serious matter.

Minimum Content Required for Training

The clauses specify the minimum content required for training developed by a contractor or subcontractor. Additionally, individual government customers may develop their own training, which is deemed satisfactory under the rule. As described at FAR 52.224-3(c)(1), the minimum requirements are:

(i) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;

(ii) The appropriate handling and safeguarding of personally identifiable information;

(iii) The authorized and official use of a system of records or any other personally identifiable information;

(iv) The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise access personally identifiable information;

(v) The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information; and

(vi) The procedures to be followed in the event of a suspected or confirmed breach of a system of records or the unauthorized disclosure, access, handling, or use of personally identifiable information (see OMB guidance for Preparing for and Responding to a Breach of Personally Identifiable Information).

Potential Pitfalls and Implementation

As with the clause FAR 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems," added this past summer, contractors should watch for contracting officers adding the new PII Privacy Training provisions through modification, rather than through new solicitations. Whenever new clauses are added via a modification, contractors should carefully examine the obligations of such modification in relation to the existing contract and determine, with the aid of counsel, if a contract claim or pricing adjustment is merited.

Contractors should also be mindful that in addition to actually performing all the newly required training, they must prepare and maintain documentation of covered personnel completing the training.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.