New FAR Provisions Require Contractor Privacy Training

The FAR Council has published a final rule to require that certain contractor employees complete privacy training.

The final rule requires privacy training for contractor employees who handle personally identifiable information, have access to a system of records, or design, maintain, or operate a system of records.

The final rule has been more than five years in the making: the FAR Council issued a proposed rule regarding privacy training way back on October 14, 2011.  The final rule responds to public comments on the proposal and makes some adjustments (although it’s unclear why the FAR Council required half a decade to do so).

The final rule creates a new FAR Subpart 24.3, which will be named “Privacy Training.”  New FAR 24.301 will specify that “Contractors are responsible for ensuring that initial privacy training, and annual privacy training thereafter” is completed by contractor employees who: (1) Have access to a system of records; (2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information on behalf of the agency; or (3) Design, develop, maintain, or operate a system of records.

The FAR will define “personally identifiable information” as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”  The definition refers readers to OMB Circular No. A-130 (Managing Federal Information as a Strategic Resource) for additional guidance.  (FAR 24.101 already provides other relevant definitions, such as “operation of a system of records.”)

FAR 24.301 will specify the minimum “key elements” that privacy training must include.  These include such things as “the appropriate handling and safeguarding of personally identifiable information,” “procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure, access, handling or use of personally identifiable information,” and several others.  The clause requires the contractor to “maintain, and upon request, to provide documentation of completion of privacy training for all applicable employees.”

The final rule calls for the contracting officer to insert a new clause, FAR 52.224-3 (Privacy Training), in solicitations and contracts when, on behalf of an agency, contractor employees will engage in functions that fall within the privacy training requirement.  The clause must be flowed down to all subcontractors who will engage in covered functions.  The clause also permits agencies to use an alternate version of the clause to specify that only agency-provided training is acceptable.

Earlier this year, the FAR Council finalized FAR 4.19 (Basic Safeguarding of Covered Contractor Information Systems) and its associated clause, FAR 52.204-21.  The final rule builds on this theme, again emphasizing the protection of information held by contractors.  The rule takes effect on January 19, 2017.