On January 19, 2017, the Federal Acquisition Regulation council made effective a final rule for government contractors and subcontractors that formalizes privacy training for covered employees.
Privacy training is a best practice for all companies, but now the Federal Government has issued this final rule which makes it a much more serious (and required) matter.
What? A new final rule that requires specific privacy training and annual retraining for contractor or subcontractor personnel who deal with “personally identifiable information” (PII) on behalf of the Government. Contractors must prepare and maintain documentation showing that covered personnel have completed the training.
- What is PII? Information that can be used to trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Examples include name, Social Security Number, biometric records, date and place of birth, and mother’s maiden name.
Why (Now)? The rule establishes minimum requirements to ensure consistency across the Government. Further, the increasing portability of data and various instances of loss or potential disclosure of protected information have resulted in greater scrutiny of the Government’s information collection practices and information security management.
Who should be concerned? Companies with federal government contracts (no exemptions). The rule requires prime contractors to flow these privacy training requirements down to subcontractors.
Who needs to complete the privacy training? Employees who have access to a system of records; who create, collect, use, process, or otherwise handle personally identifiable information on behalf of an agency; or who design, develop, maintain, or operate a system of records on behalf of the Government.
- A system of records is a group of records from which information is retrieved by the name of the individual or other unique identifier assigned to that individual.
Notably, the rule does not apply to employees whose access is limited to the contractor’s own human resources information or personal information of other third parties. However, for the covered employees, the rule imposes important new training requirements.
When? Steps should be taken immediately to roll out privacy training for applicable employees. For new employees, training must occur prior to handling PII.
How? The rule allows the contractor “to provide its own training or to use the training of another agency”. At a minimum, the privacy training must cover:
- The provisions of the Privacy Act of 1974 (5 USC § 552a), including penalties for violations
- Appropriate handling and safeguarding of PII
- Authorized and official use of a system of records and PII
- Restrictions on the use of unauthorized equipment to create, collect, use, store, disseminate, or otherwise access PII
- Prohibitions against unauthorized use of a system of records or PII
- Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure of PII
The training plan must be customizable such that it is “role-based,” i.e., tailored to the contractor employees’ assigned duties and must offer both foundational and advanced levels of training. The training must also include measures “to test the knowledge level of users.”