Proposed Rule for Privacy Training
October 14, 2011
DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to require contractors to complete training that addresses the protection of privacy, in accordance with the Privacy Act of 1974, and the handling and safeguarding of personally identifiable information. Federal Register Volume 76, Number 199 (Friday, October 14, 2011).
Interested parties should submit written comments to the Regulatory Secretariat at one of the addresses shown below on or before December 13, 2011, to be considered in the formation of the final rule.
DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to add a new subpart 24.3, entitled "Privacy Training," and related clause to ensure that contractors identify employees who require access to a Government system of records, handle personally identifiable information, or design, develop, maintain, or operate a system of records on behalf of the Federal Government, and who, therefore, are required to complete privacy training initially upon award of the procurement and at least annually thereafter. In addition, contractors are required to keep records indicating that employees have completed the required training and, upon request, provide those records to the Government. This rule does not apply to commercial items.
These requirements are consistent with subsection (e), Agency requirements, and subsection (m), Government contractors, of the Privacy Act of 1974, 5 U.S.C. 552a. Other applicable authorities that address the responsibility for Federal agencies to ensure that Government and contractor personnel are instructed on compliance requirements with the laws, rules, and guidance pertaining to handling and safeguarding personally identifiable information include the E-Government Act of 2002, the Federal Information Security Management Act (FISMA) of 2002, and Federal guidance from the Office of Management and Budget (OMB), e.g., OMB Memorandum M-07-16, entitled "Safeguarding Against and Responding to the Breach of Personally Identifiable Information," issued May 22, 2007; OMB Memorandum M-10-23, entitled "Guidance for Agency Use of Third-Party Web sites and Applications," issued June 25, 2010 (this memorandum contains the most current definition of personally identifiable information, and clarifies the definition provided in M-07-16); and OMB Circular No. A-130, entitled "Management of Federal Information Resources," which address significant requirements for safeguarding and handling personally identifiable information and reporting any theft, loss, or compromise of such information. In addition, FAR subpart 24.1 requires that Federal agencies contracting for the design, development, or operation of a system of records on individuals must extend all Privacy Act safeguards to the contractor and its employees working on the contract.
Minimum requirements for privacy training are proposed for the coverage in order to ensure consistency across the Government. For example, any privacy training must address the protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a), and the handling and safeguarding of personally identifiable information. The proposed FAR text includes seven mandatory elements of the privacy training, including any agency-specific requirements. Many agencies currently require that designated contractor employees complete agency-developed privacy training, but, in some circumstances, an agency may provide a contractor with the Privacy Act requirements and have the contractor develop the training package. While the use of an agency-developed privacy training package is the most common approach, and the approach embodied in the clause at FAR 52.224-XX, Privacy Training, the proposed FAR language provides an Alternate I to the FAR clause for those cases where the agency prefers to have the contractor create the privacy training package. Additionally, the proposed FAR language provides an Alternate II to the FAR clause for those instances when it's determined to be in the best interest of the Government for a contractor employee to attend agency-provided privacy training.
Under the proposed FAR rule, a contractor employee who requires access to a Government system of records will be granted or allowed to retain such access only if the individual has (1) completed privacy training and (2) met all other applicable agency requirements.
Submit comments in response to FAR case 2010-013 by any of the following methods:
Regulations.gov: http://www.regulations.gov. Submit comments via the Federal eRulemaking portal by inputting "FAR Case 2010-013" under the heading "Enter Keyword or ID" and selecting "Search." Select the link "Submit a Comment" that corresponds with "FAR Case 2010-013." Follow the instructions provided at the "Submit a Comment" screen. Please include your name, company name (if any), and "FAR Case 2010-013" on your attached document.
Fax: (202) 501-4067.
Mail: General Services Administration, Regulatory Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street, NE., 7th Floor, Washington, DC 20417.
Instructions: Please submit comments only and cite FAR Case 2010-013 in all correspondence related to this case. All comments received will be posted without change to http://www.regulations.gov, including any personal and/or business confidential information provided.
FOR FURTHER INFORMATION CONTACT: Mr. Karlos Morgan, Procurement Analyst, at (202) 501-2364 for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat at (202) 501-4755. Please cite FAR Case 2010-013.