On October 14, 2011, the Department of Defense (“DoD”), the General Services Administration (“GSA”), and the National Aeronautics and Space Administration (“NASA”) issued a proposed rule that contemplates requiring federal contractors to conduct privacy training for certain employees. The purpose of the proposed rule is to extend the safeguards of the Privacy Act to contractors who handle sensitive information through covered government record systems.
Under the proposed rule, contractors would be required to provide privacy training to employees who: (1) require access to a government records system; (2) handle personally identifiable information; or (3) design, develop, maintain, or operate a system of records on behalf of the government. Contractors would not be authorized to grant access to these employees until they complete the privacy training.
Privacy training must be provided at the time these employees are hired (or at the time the contract is awarded) and annually thereafter. This training would be required to, at a minimum, address:
- Protection of privacy under the Privacy Act (5 U.S.C. § 552a);
- Handling and safeguarding personally identifiable information;
- Authorized and official use of government systems of records;
- Restrictions on use of personally-owned equipment to process, access, or store personally identifiable information;
- Prohibition against access by unauthorized users (and use that exceeds authorization) of personally identifiable information and systems of records;
- Notification procedures when information is lost, stolen, or compromised to minimize risk and ensure prompt and appropriate actions; and
- Any specific privacy training requirements identified by the contracting agency.
Contractors would also be required to maintain documentation that such training was conducted.
Under the proposed rule, contracting officers would have discretion to choose among three alternative clauses to insert into covered contracts. Under the first clause, the contracting agency would provide the training materials that the contractor must use to conduct the training. Under the second clause, the contractor would be permitted to use its own training materials and conduct its own training program, as long as it includes the minimum standards discussed above. The third clause would require the agency to provide the privacy training materials and conduct the privacy training for contractors’ employees directly.