After more than five years since the proposed rule in 2011, the Federal Acquisition Regulatory Council gave federal contractors a surprise holiday gift this year—mandatory privacy training for all employees on contracts and subcontracts issued on or after January 19, 2017 who:

(1) Have access to a system of records;

(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information on behalf of an agency; or

(3) Design, develop, maintain, or operate a system of records.

FAR 24.301. The rule defines PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” FAR 24.101.

The training requirement listed at the new FAR Subpart 24.3 calls for an “initial privacy training, and annual privacy training thereafter” to cover the following topics:

(i) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;

(ii) The appropriate handling and safeguarding of personally identifiable information;

(iii) The authorized and official use of a system of records or any other personally identifiable information;

(iv) The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise access personally identifiable information;

(v) The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information; and

(vi) The procedures to be followed in the event of a suspected or confirmed breach of a system of records or the unauthorized disclosure, access, handling, or use of personally identifiable information (see OMB guidance for Preparing for and Responding to a Breach of Personally Identifiable Information).

Contractors must also maintain records of up-to-date training for each subject employee to be made available upon demand to the contracting officer.

This is a very wide-reaching rule. Commercial items and contracts falling under the simplified acquisition threshold did not escape the rule’s ambit.  FAR 52.212-5 & 52.213-4, respectively.

The new privacy training FAR clause 52.224-3 is a mandatory flowdown for all subcontracts that will involve one of the three activities involving PII listed above.  While contractors will generally be able to obtain the training from any source, in some instances an agency may choose to utilize FAR 52.224-3 Alternate I, which allows the agency to make its own training the only acceptable source.