Federal Contractors Required to Provide Privacy Training
A new final rule requires federal contractors and subcontractors with contracts involving personally identifiable information (PII) or any “system of records” (that allows for retrieval of information by an individual’s name or other personally identifiable characteristic) to provide privacy training to employees who handle or have access to such information.
PII means “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” The required training, which must be conducted prior to granting the employee access to such information and then annually, must include the following:
- The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;
- The appropriate handling and safeguarding of PII;
- The authorized and official use of a system of records or any other PII;
- Restrictions on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access, or store PII;
- The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII or systems of records; and
- Procedures to be followed in the event of a potential or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of PII.
In addition, the training must be “role-based” (i.e. tailored to the particular employee’s job duties) and must include both foundational and advanced training levels. In addition, the employee’s knowledge level must be tested. Unless the contracting agency specifies that its own training must be used, the training may be developed by the (sub)contractor or the (sub)contractor may use training provided by another agency. (Sub)contractors must retain records of the training, and may be required to produce these to the contracting officer upon request.