Time for School: Surprise Rule Requires Privacy Training
Time for School: Effective January 19, 2017, surprise rule requires privacy training for prime contractor and subcontractor employees accessing personally identifiable information under certain federal contracts and subcontracts.
On December 20, 2016, DoD, GSA, and NASA announced a final Privacy Training Rule that requires contractors and subcontractors to provide privacy security training to employees who handle Personally Identifiable Information (“PII”) under certain federal contracts and subcontracts. The Privacy Training Rule, which goes into effect on January 19, 2017, was first proposed over five years ago, in a Federal Register announcement in October 2011.
The objective of the Privacy Training Rule is well-intentioned -- to ensure stronger protection for individual data. The rule creates a new FAR subpart 24.3 establishing privacy training requirements.
The reality, however, may well be increased burden of implementation on prime contractors and subcontractors and, at a minimum, will require quick action by contractors accepting newly-issued awards to implement compliant systems and to modify subcontractor flowdowns, with equivalent implementation impact on subcontractors.
What is PII?
The Privacy Training Rule defines PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” FAR 24.101.
When is privacy training required?
Whenever contractor or subcontractor employees will have access to any “system of records” that is “under the control of any agency” containing PII, the new rule requires privacy training. FAR 24.101, 24.301.
What contracts and subcontracts are covered by the Privacy Training Rule?
The new rule applies to all contracts, with no exceptions for small businesses, including contracts below the simplified acquisition threshold, and contracts for commercial items and even for commercial-off-the-shelf procurements. It also flows down to subcontractors at all levels. Therefore, this broad definition of PII will apply privacy training requirements to a wide range of contracts and subcontracts, and will require training for many contractor employees.
What are the training requirements?
Under the Privacy Training Rule, contractors must, for employees who have access to PII:
- Conduct initial and subsequent annual privacy training.
- Provide role-based training addressing the Privacy Act of 1974, appropriate protections for PII, and authorized uses of a system of records.
- Offer both foundational and advanced levels of training.
- Train employees on the prohibited uses of a system of records and PII, as well as on the procedures to be followed in the event of a breach.
- Test employee knowledge of privacy protections and procedures.
- Maintain and provide (upon request) documentation of completion of the required privacy training for all covered employees.
See generally FAR 24.301. The rule permits contractors to use their own training or agency-provided training, unless the Government determines that only the agency’s training meets the Government’s security needs. Id. at 24.301(c).
What does all of this mean for contractors and subcontractors?
The new privacy training requirements will apply to many new contracts and subcontracts, and may be onerous for small businesses and for contractors and subcontractors that have not previously been subject to stringent security standards. The Privacy Training Rule will apply to any contracts issued after January 19, 2017, so contractors should review new awards carefully to determine whether they have now become responsible for providing privacy training and flowing these requirements down to their subcontractors. In addition, it will be critical for contractors and subcontractors to document compliance.
Bottom line: the surprise Privacy Training Rule imposes new requirements and new burdens on contractors and subcontractors. Implementing the requirements will likely send contractors, subcontractors, and their employees to school.
This alert was written by Daniel S. Koch and Sarah C. Miller, lawyers in the Government Contracts practice group at Miles & Stockbridge.
Any opinions expressed and any legal positions asserted in the article are those of the author(s) and do not necessarily reflect the opinions or positions of Miles & Stockbridge P.C. or its other lawyers. This article is for general information purposes and is not intended to be and should not be taken as legal advice on any particular matter. It is not intended to and does not create any attorney-client relationship. Because legal advice must vary with individual circumstances, do not act or refrain from acting on the basis of this article without consulting professional legal counsel. If you would like additional information on the subject matter of this article, please feel free to contact any of the lawyers listed above. If you communicate with us, whether through email or other means, your communication does not establish an attorney-client relationship with either Miles & Stockbridge P.C. or any of the firm's lawyers. At Miles & Stockbridge P.C., an attorney-client relationship can be formed only by personal contact with an individual lawyer, not by email, and requires our agreement to act as your legal counsel together with your execution of a written engagement agreement with Miles & Stockbridge P.C.
