Effective immediately, federal contractors will need to comply with privacy training rules intended to ensure that their workforces protect personally identifiable information (PII). The rules also define PII as any information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.
Federal contractors will need to follow a five-step plan to comply with the new rules issued by the Department of Defense, General Services Administration, and National Aeronautics and Space Administration.
Step One: Identify
The first step in the process requires you to identify those individuals who are now subject to the privacy training rules. These include workers who:
- Access a system of records;
- Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle “personally identifiable information” on behalf of the agency; or
- Design, develop, maintain, or operate a system of records.
Step Two: Train
Identified individuals must be trained on their privacy obligations so that PII and systems of records are safeguarded. The training must be role-based, must provide both foundational and more advanced levels of training, and must be measurable, with a mechanism to test the knowledge of those who receive it. Training is required annually.
The rules require the training to cover, at a minimum, the following topics:
- The provisions of the Privacy Act of 1974, including penalties for violations of the Act;
- The appropriate handling and safeguarding of PII;
- The authorized and official use of a system of records or any other personally identifiable information;
- The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access PII;
- The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII; and
- Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of PII.
Contractors can administer the training themselves or can use the training from another agency, unless the contracting agency specifies that only its training is acceptable for its purposes.
Step Three: Maintain Records
The rules require contractors to maintain records to prove that all identified employees received the mandatory training.
Step Four: Flow-Down
If you are a prime contractor using the services of subcontractors, the rules require you to flow these requirements down to all applicable subcontractors.
Step Five: Prohibit
Contractors must prohibit every employee who has not completed the privacy training from performing any of the tasks listed in Step One. They are also required to ensure that these employees do not have, or retain, access to a system of records until the training is complete.
We’re Here to Help
While GSA does not serve as a subcontractor, we are available to field questions and guide clients through the application of these privacy training requirements.
If you have questions regarding the rule as it pertains to your contract, call us at 1.800.250.2741 or email us at firstname.lastname@example.org.