Federal Contractor Privacy Training Now Required
On December 20, 2017, the U.S. Department of Defense (DOD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) issued a Final Rule that requires federal contractors to follow new privacy training procedures with regard to handling and protecting “personally identifiable information” or “PII.” PII refers to any information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. The rule went into effect on January 19, 2017.
The training requirement applies to all contracts and subcontracts that require “access to a system of records” on behalf of the federal agency. The new rule specifically requires contractors to provide annual privacy training to contractor employees who:
- Have access to a system of records;
- Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information on behalf of the agency; or
- Design, develop, maintain, or operate a system of records.
The rule does not apply to employees whose access is only to the contractor’s own HR information.
Content of Training
The training must address the “key elements necessary for ensuring the safeguarding of personally identifiable information or a system of records.” It must be tailored to employees’ particular positions and provide basic foundational education on privacy as well as more advanced training. The training must also include some measure to test the knowledge of the participants. At a minimum, the training must cover:
- The provisions of the Privacy Act of 1974, including penalties for violations of the Act;
- The appropriate handling and safeguarding of personally identifiable information;
- The authorized and official use of a system of records or any other personally identifiable information;
- The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access personally identifiable information;
- The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information; and
- Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information (see Office of Management and Budget guidance for Preparing for and Responding to a Breach of Personally Identifiable Information).
Contractors are permitted to use their own training or use another agency’s training under certain circumstances. Contractors must keep records related to whatever privacy training they provide.
The contracting officer (from the federal agency) will have to include a specific clause referencing the privacy training requirement in the underlying federal contract to notify the contractor of the obligation. For this reason, contractors should look for this clause in any future federal contracts, as well as in any modifications to existing contracts. The rule also requires prime contractors to flow down these privacy training requirements to subcontractors.
This rule is now in effect, so contractors with access to PII on behalf of a federal agency should begin reviewing which employees might have access to PII that would require training. For health care institutions that regularly conduct HIPAA training, it may be possible to roll the contractor privacy training into that process, assuming that the privacy training requirements are met. Contractors who subcontract obligations that may involve PII will need to inform their subcontractors of the training obligation.