
Mandatory Privacy Training

A recent final rule revised the FAR to require contractors whose employees have access to “a system of records” or that “handle personally identifiable information” (PII) to complete training on privacy. The final rule applies to acquisitions of commercial items and to acquisitions valued below the simplified acquisition threshold (SAT). The privacy training must be “role-based [and provide for] foundational as well as more advanced levels of training” and include tests of the knowledge levels of users.

Training must cover—

  • The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;

  • The appropriate handling and safeguarding of PII;

  • The authorized and official use of a system of records or any other PII;

  • Restrictions on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access, or store PII;

  • The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII or systems of records; and

  • Procedures to be followed in the event of a potential or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of PII.

The requirement is a flow-down, meaning that prime contractors are required to include it in subcontracts, where applicable (i.e., where the subcontractor handles PII).

The contractor (or subcontractor) must maintain documentation evidencing that the privacy training requirements were met, and must provide that documentation upon request.

A new subpart (24.3) is added to the FAR to address the issue.

What is PII? According to the new rule, “Personally identifiable information means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.”

What do we think of the new rule?

Well, we just finished up a lot of compliance training. And in that training we learned that a company—not just a government contractor, but any publicly traded entity—should have a policy on PII protection and that employees should be trained in that policy, and that compliance with the policy should be tested. So from that point of view, this is something that many companies should already have in place. For them, it will be no big deal.

But we also know that there are a great many small businesses and other contractors for whom this will be a brand new and disconcerting requirement. For them, it will be a big deal indeed.

We also think that the rule is unnecessarily prescriptive and creates a bureaucratic solution to what is essentially a free market problem. For example, the government could have chosen to create a mandatory source evaluation factor that covered the same requirements. That would have pushed companies toward the same end state without actually prescribing it.

But whatever. Here we are.

If you would like assistance in designing your training program or in training your employees, Apogee Consulting, Inc., is here to help you.
