Effective January 19, 2017, companies with federal agency contracts that involve the handling of “personally identifiable information” (“PII”) have new obligations. Federal contractors must identify employees who handle PII, or who have access to a government system of records, or who design, develop, maintain, or operate a government system of records on behalf of the agency and then provide employees with annual training on protecting the privacy of this information. This new rule was added to Subpart 24.1 of the Federal Acquisition Regulation (FAR) by the Department of Defense, General Services Administration, and National Aeronautics and Space Administration. In addition, there will be a new standard clause added to all federal contracts to implement the new regulations.
What does this mean for federal contractors?
Contractors accessing, handling, or using a government system of records must identify employees who have access to PII and provide them initial training on protecting and safeguarding the information, and must continue thereafter to train their employees annually. Contractors must keep records of the privacy training provided to employees.
Does this apply to all contractors?
The FAR requirements apply to all contracts and subcontracts that involve the handling of PII or any access to a system of records maintained by a federal agency. This includes commercial contracts, contracts below the simplified acquisition threshold (SAT), and contracts for commercial available off-the-shelf (COTS) items.
What is PII?
Part 24 of the FAR describes “personally identifiable information” as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” PII includes information such as an individual’s name, date and place of birth, or mother’s maiden name; biometric data such as a fingerprint, a cornea scan, or a hand scan; Social Security number, driver’s license number, passport number, etc.
Which employees must be trained?
The rule is actually very broad. It covers any employee who:
- Has access to a group of records under the contractor’s control, known as a “system of records”;
- Designs, develops, maintains, or operates a system of records containing PII;
- Handles personal records. “Handling” records includes creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, or disposing of a system of records.
Subject employees likely include human resources specialists; payroll specialists; managers; supervisors; IT personnel involved in the management, design, development, operation and use of IT systems; or other staff who work with PII.
When must the training occur?
Training must occur when an employee is initially hired, ideally before he or she has any access to PII. Training should be provided in the initial employee orientation or onboarding, along with the initial anti-harassment training. Contractors must then provide additional training annually. The contractor may provide its own training or may use the training of another agency, unless the contracting agency specifies that only its agency-provided training is acceptable.
What is the training requirement?
Contractors must provide “role-based” training that is specific to the employee’s exact job functions and access of PII. For example, training for a human resources employee will cover, among other topics, the handling and protection of employment records that contain PII, access to those records, retention of the records, and the proper response to unauthorized access to such records. Training for employees will emphasize different areas appropriate to their role and access to PII. Another example: training for IT personnel will emphasize technological safeguards for online sources of PII, issues such as protection from hacking, and password requirements for sensitive computer files.
Training must cover basic and advanced topics. The regulations set out key elements that must be covered, including:
- The Privacy Act of 1974, including penalties for violation of the Act;
- The appropriate way to handle and safeguard PII;
- The authorized and official use of a system of records or any other PII;
- Restrictions on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose of, or otherwise access PII;
- Prohibitions against unauthorized use of a system of records or the unauthorized disclosure, access, handling or use of PII; and
- Procedures in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure, access, handling or use of PII.
Takeaways: This rule affects only those government contractors and subcontractors whose employees have access to an agency or government system of records, or who must maintain a system of records as part of the contract. The best practice is to incorporate the training program as part of the employee onboarding process for those employees who will have access to a system of records as part of their job functions. Ongoing annual training can be combined with other important employee training, such as anti-harassment training. If you have questions about this requirement, or would like assistance in providing the training, the attorneys in Schwabe’s Privacy group can assist.