Federal Acquisition Regulation; Privacy Training, 93476-93481 [2016-30213]

Agencies

• DEPARTMENT OF DEFENSE
• General Services Administration
• National Aeronautics and Space Administration

[Federal Register Volume 81, Number 244 (Tuesday, December 20, 2016)]
[Rules and Regulations]
[Pages 93476-93481]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-30213]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR parts 1, 24, and 52

[FAC 2005-94; FAR Case 2010-013; Item I; Docket No. 2010-0013; Sequence 
No. 1]
RIN 9000-AM06


Federal Acquisition Regulation; Privacy Training

AGENCY: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: DoD, GSA, and NASA are issuing a final rule amending the 
Federal Acquisition Regulation (FAR) to require that contractors, whose

[[Page 93477]]

employees have access to a system of records or handle personally 
identifiable information, complete privacy training.

DATES: Effective: January 19, 2017.

FOR FURTHER INFORMATION CONTACT: Mr. Charles Gray, Procurement Analyst, 
at 703-795-6328 for clarification of content. For information 
pertaining to status or publication schedules, contact the Regulatory 
Secretariat Division at 202-501-4755. Please cite FAC 2005-94, FAR Case 
2010-013.

SUPPLEMENTARY INFORMATION:

I. Background

    DoD, GSA, and NASA published a proposed rule in the Federal 
Register at 76 FR 63896 on October 14, 2011, to provide guidance to 
contractors regarding the requirement to complete training that 
addresses the protection of privacy in accordance with the Privacy Act 
of 1974, 5 U.S.C. 552a, as amended, and the handling and safeguarding 
of personally identifiable information (PII). The rule ensures that 
contractors identify employees who handle PII, have access to a system 
of records, or design, develop, maintain, or operate a system of 
records. These employees are required to complete initial privacy 
training and annual privacy training thereafter. A contractor who has 
employees involved in these activities is also required to maintain 
records indicating that its employees have completed the requisite 
training and provide these records to the contracting officer upon 
request. In addition, the prime contractor is required to flow-down 
these requirements to all applicable subcontracts.
    Fifteen respondents submitted comments, including comments 
regarding the Initial Regulatory Flexibility Analysis (IRFA), and the 
Paperwork Reduction Act (PRA) analysis.

II. Discussion and Analysis

    The Civilian Agency Acquisition Council and the Defense Acquisition 
Regulations Council (the Councils) reviewed the public comments in the 
development of the final rule. A discussion of the comments and the 
changes made to the rule as a result of those comments is provided as 
follows (comments pertaining to the IRFA and PRA analysis are addressed 
in sections V and VI of this preamble):

A. Summary of Significant Changes

    The final rule clarifies the responsibilities for contractors 
awarded contracts involving access to PII and streamlines the options 
for providing training. These clarifications include--
     Alternate I of the clause is amended to replace the 
proposed text, which gave the option to agencies to have contractors 
furnish their own training materials. The final rule no longer contains 
this option and what was Alternate II in the proposed rule now becomes 
Alternate I in the final rule; and
     The applicability of the rule to commercial items is 
clarified.
    The final rule also provides a number of clarifications consistent 
with Office of Management and Budget (OMB) Circular A-130, which was 
revised on July 28, 2016. These clarifications address the substance of 
the minimal privacy training requirements, to include--
     A revised definition for PII;
     The requirement for foundational as well as more advanced 
levels of privacy training;
     The requirement for there to be measures in place to test 
the knowledge level of the employee; and
     The requirement for role-based privacy training.

B. Analysis of Public Comments

1. Requests To Withdraw the Proposed Rule
    Comment: Several respondents suggested that the proposed rule 
should be withdrawn, given the ``considerable burden implications and 
the fact that the proposed rule does not provide compelling 
justification.'' These respondents stated that withdrawing the rule 
would ``avoid causing confusion and redundancy.'' The respondents noted 
that the requirements of the Privacy Act have been in place for 35 
years and stated that the Councils did not explain why the Government 
believes ``that additional protections are now needed.''
    Response: There are a number of applicable authorities, beyond the 
Privacy Act, that address the responsibility for Federal agencies to 
ensure that Government and contractor personnel are instructed on 
compliance requirements with the laws, rules, and guidance pertaining 
to handling and safeguarding PII. This rule establishes minimum 
requirements consistent with those authorities to ensure consistency 
across the Government.
    Further, the increasing portability of data and various instances 
of loss or potential disclosure of protected information have resulted 
in greater scrutiny regarding the Government's information collection 
practices and information security management.
2. Applicability to Commercial Item Contracts
    Comment: Several respondents expressed concern with the 
applicability to commercial item contracts. The respondents considered 
that excluding commercial item contracts from the privacy training 
requirement failed to take into account the Government's increased use 
of FAR part 12 purchases; that training on the improper release of 
Privacy Act information should not exempt FAR part 12 contracts; and, 
overall, the decision to exempt commercial item contracts would not 
serve the Government's best interests. One respondent had a different 
perspective on the proposed rule, and complimented the FAR Council for 
exempting commercial item contracts from the privacy training 
requirement. However, the respondent noted that this policy was not 
reflected in the proposed rule's clause or clause prescription. This 
respondent also recommended that all subcontracts for commercial items 
be exempted from the privacy training requirement.
    Response: The final rule clarifies that the privacy training 
requirement applies to contracts and subcontracts for commercial items 
when they involve access to a system of records. Exempting commercial 
item contracts and subcontracts would exclude a significant portion of 
Government contracts that involve the design, development, operation, 
or maintenance of a system of records and would therefore diminish the 
effectiveness of the rule.
3. Training
    Comment: Respondents had multiple concerns related to the content 
of the required training, such as whether the training would be best 
developed by the agency or by the contractor and which contractor 
employees should be required to take the training. Several respondents 
questioned the efficacy of having contractor employees who work under 
more than one agency's contracts potentially taking multiple courses. 
Other respondents questioned who would decide if the training would be 
provided by the agency or by the contractor, e.g., could the contractor 
decide to forego an agency course in favor of its own course? One 
respondent recommended that training include instruction on the Privacy 
Act's transparency requirements. Another respondent questioned how 
agencies would be held responsible for providing the training in a 
timely manner. Other respondents questioned which

[[Page 93478]]

contractor employees should be required to complete the training, 
whether subcontractors would be required to take the training, and 
whether certain professional positions, such as psychologists, should 
be exempt from the training based on their professional training.
    Response: The final rule allows the contractor flexibility to 
utilize privacy training from any source that meets the minimum content 
requirements, unless the agency specifies in the contract that only 
agency-provided training is acceptable (by using the clause with its 
Alternate I, as specified at FAR 24.302(b)). This guidance on 
flexibility is also provided directly in the clause at 52.224-3(c)(2). 
This is intended to minimize or eliminate duplicative or overlapping 
training. Initial training is required and annual training thereafter.
    Finally, consistent with the revisions made to OMB Circular A-130, 
the requirements for privacy training at 24.301(b) and the clause at 
52.224-3(c) are clarified to ensure privacy training is role-based, 
provides foundational as well as more advanced levels of training, and 
that measures are in place to test the knowledge level of users. At a 
minimum, privacy training shall cover--
     The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), 
including penalties for violations of the Act;
     The appropriate handling and safeguarding of PII;
     The authorized and official use of a system of records or 
any other PII;
     Restrictions on the use of unauthorized equipment to 
create, collect, use, process, store, maintain, disseminate, disclose, 
dispose, or otherwise access, or store PII;
     The prohibition against the unauthorized use of a system 
of records or unauthorized disclosure, access, handling, or use of PII 
or systems of records; and
     Procedures to be followed in the event of a potential or 
confirmed breach of a system of records or unauthorized disclosure, 
access, handling, or use of PII.
4. Flowdown
    Comment: A respondent noted that, where the prime contractor is 
covered by the rule, the training requirement will likely flow down to 
subcontractors and lower tier contractors. Accordingly, the respondent 
recommended that the mandatory provision at 52.224-3(d) include a 
provision that exempts from the mandatory flow down any subcontract(s) 
specific to commercial items.
    Response: The requirements of this rule will flow down to all 
subcontractors involved with the handling and safeguarding of PII. 
These protections are necessary when the work requires contractor 
employees and subcontractor employees to have access to systems of 
records, handling PII, or the design, development, maintenance, or 
operation of a system of records on behalf of the Federal Government.
5. Definitions
    Comment: A respondent recommended including definitions of 
``restrictions,'' as used in FAR 24.301(c)(4) and Alternate I, and 
``access,'' as used in FAR 24.301, 24.302, and the clause at 52.224-3.
    Response: These are not unique words. Therefore, the Councils will 
use the standard dictionary definitions for these terms.
6. Accountability and Audit
    Comment: One respondent recommended that, during an audit, the 
contractor must produce a list of the individuals who completed 
training, or have a copy of the employee's training certificate in the 
employee's personnel records.
    Response: The final rule requires the contractor to maintain 
privacy training documentation and provide it upon request to the 
Government agency making the request. This may be requested, when 
necessary, to ensure effective management and oversight of this annual 
privacy training requirement.
7. Other Comments
    Comment: One respondent recommended that FAR 24.302 be revised to 
clarify who is responsible for determining whether the Statement of 
Work involves a system of records. Another respondent recommended that, 
if a final rule were promulgated, it would be appropriate to recognize 
a specific certification.
    Response: As with all clause prescriptions, the contracting officer 
will determine whether the clause applies. In addition, the FAR covers 
all options for meeting the training requirement.
    Comment: Several respondents submitted editorial comments on the 
proposed rule. One respondent stated that there is no need to create a 
separate subpart within FAR part 24. In addition, this respondent 
provided suggestions on the proper format for citations within the FAR. 
Another respondent recommended additional coverage regarding the 
Government-provided training method and also recommended a revision to 
the last sentence in FAR 24.301(b). A third respondent recommended 
using the term ``personally identifiable'' in lieu of ``privacy.''
    Response: The Councils determined that there is a need for a 
separate subpart 24.3 and have retained it in the final rule. The 
required training does not encompass solely the Privacy Act; it is only 
one of the areas listed that must be addressed as part of privacy 
training.
    Other areas include--
     The appropriate handling and safeguarding of PII; the 
authorized and official use of systems of records or any other PII; 
restrictions on the use of unauthorized equipment to create, collect, 
use, process, store, maintain, disseminate, disclose, dispose, or 
otherwise access, or store PII; the prohibition against unauthorized 
access, handling, or use of PII or systems of records; and
     Procedures to be followed in the event of a suspected or 
confirmed breach of a system of records or an unauthorized disclosure, 
access, handling, or use of PII.
    This subject matter does not fit within either of the existing 
subparts of FAR part 24, therefore, a separate subpart 24.3 is needed.
    The remaining editorial comments have been considered for inclusion 
in FAR subpart 24.

III. Applicability to Contracts at or Below the Simplified Acquisition 
Threshold and for Commercial Items, Including Commercially Available 
Off-the-Shelf Items

    This rule is applicable to contracts and subcontracts at or below 
the simplified acquisition threshold (SAT) and to contracts and 
subcontracts for commercial-items, including contracts and subcontracts 
for commercially available off-the-shelf (COTS) items. The statutory 
authority for this rule, the Privacy Act of 1974, 5 U.S.C. 552a, 
predates the exemptions in 41 U.S.C. 1905, 1906, and 1907, which 
stipulate that a provision of law enacted after October 13, 1994 shall 
not be made applicable to contracts or subcontracts, unless the FAR 
Council or the Administrator of the Office of Federal Procurement 
Policy makes a written determination that such exemption would not be 
in the best interests of the Federal Government.

IV. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory

[[Page 93479]]

approaches that maximize net benefits (including potential economic, 
environmental, public health and safety effects, distributive impacts, 
and equity). E.O. 13563 emphasizes the importance of quantifying both 
costs and benefits, of reducing costs, of harmonizing rules, and of 
promoting flexibility. This is a significant regulatory action and, 
therefore, was subject to review under Section 6(b) of E.O. 12866, 
Regulatory Planning and Review, dated September 30, 1993. This rule is 
not a major rule under 5 U.S.C. 804.

V. Regulatory Flexibility Act

    DoD, GSA, and NASA have prepared a final regulatory flexibility 
analysis (FRFA) consistent with the Regulatory Flexibility Act, 5 
U.S.C. 601, et seq. The FRFA is summarized as follows:

    The objective of the rule is to ensure that contractor employees 
complete initial and annual privacy training if the employees have 
access to a system of records, handle personally identifiable 
information (PII), or design, develop, maintain, or operate a system 
of records involving PII on behalf of the Government.
    One public comment was received in response to the Initial 
Regulatory Flexibility Analysis, which was published in the Federal 
Register at 76 FR 63896 on October 14, 2011:
    Comment: The Initial Regulatory Flexibility Analysis (IRFA), 
which addressed the impact of the rule on small entities, should 
assess the impact this rule may have on the research community's 
funding of sponsored research, as this group is likely to be 
adversely affected by the proposed rule, in the respondent's 
opinion.
    Response: Research institutions are included in the Regulatory 
Flexibility Act's definition of a small entity and were thus given 
the same consideration in the IRFA analysis as other small entities. 
The analysis in this FRFA has been revised to incorporate commercial 
item contracts. Therefore, the impact on research institutions has 
been accommodated whether the institution was awarded a negotiated 
contract or a FAR part 12 commercial item contract. Because the FAR 
does not address grants or cooperative agreements, the FRFA does not 
include consideration of such agreements in the analysis. Research 
institutions, or any other small entities, will not bear any 
significant impact resulting from this rule, given that the 
requirements of the Privacy Act, including training on the Act's 
requirements, have been in place for over 40 years and this rule 
just establishes minimum requirements for Privacy Act training, to 
ensure consistency across the Government.
    The rule requires all contractors with contracts that require 
employees to have access to PII to complete training that addresses 
the statutory requirements for protection of privacy, in accordance 
with the Privacy Act (5 U.S.C. 552a), and the handling and 
safeguarding of PII.
    In the IRFA, it was estimated that approximately 1,483 small 
businesses would be impacted. However, because the final rule 
clarifies its applicability to commercial item contracts, the number 
of small entities previously estimated to be impacted by this rule 
has been revised as described in the following paragraphs:
    Information obtained from the Federal Procurement Data System 
(FPDS) for fiscal year (FY) 2015 reveals that approximately 10,607 
unique vendors received contracts that most likely entailed the 
design, development, maintenance or operation of a system of 
records; required access to a system of records; or handled PII from 
individuals, on behalf of the Government. The estimated number of 
subcontractors who likewise will be involved in these activities is 
21,214, or double the amount of prime contractors. In all, the total 
number of contractors and subcontractors (including contracts and 
subcontracts for commercial items) that may be subject to the 
requirements of this rule is 31,821. Examination of FY 2015 FPDS 
data also reveals that approximately 61 percent of these contractors 
and subcontractors are small business entities. Based on this 
information, the following analysis was used to determine the number 
of small businesses that may be impacted by this rule:

 Small businesses that may receive
    contracts = (10,607 x .61): 6,470
 Small businesses that may receive
    subcontracts = (21,214 x .61): 12,941
 Total number of small businesses
    that may be impacted by rule: 19,411

    There is minimal recordkeeping associated with this rule. 
Contractors will likely maintain employee training records for 
privacy training similar to how they maintain their employees' other 
training records. There are no required formats or templates for 
documentation, and documentation will be retained by the contractor 
in most cases. The Government will likely request a firm's training 
documentation only when necessary to ensure effective management and 
oversight.
    The final rule addresses several steps to minimize the economic 
impact on small entities, most notably by clarifying 
responsibilities and streamlining the options for providing privacy 
training. This final rule also removes from the clause consideration 
of agency-specific training elements, while retaining the required 
minimum training elements. Agency-specific training elements are 
provided in Alternate I of the clause.

    Interested parties may obtain a copy of the FRFA from the 
Regulatory Secretariat Division. The Regulatory Secretariat Division 
has submitted a copy of the FRFA to the Chief Counsel for Advocacy of 
the Small Business Administration.

VI. Paperwork Reduction Act

    The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The 
rule contains information collection requirements. OMB has cleared the 
information collection requirement under OMB Control Number 9000-0182, 
entitled Privacy Training, in the amount of 97,670 public burden hours.
    Two respondents submitted comments in response to the initial 
notice published in the preamble of the Federal Register notice 
published at 76 FR 63896, on October 14, 2011. Both of the respondents 
submitted similar comments as follows:
    Comment: The respondents stated that the public's Paperwork 
Reduction Act estimated annual reporting burden was understated. The 
respondents believed that (a) requiring contractors to conduct their 
own privacy training and (b) requiring re-training every year created a 
greater burden on contractors than what was shown in the proposed rule.
    Response: The information collection requirement for this rule does 
not address the burden associated with conducting the initial or 
subsequent annual privacy training. Rather, it focuses solely on the 
obligation of Federal contractors to maintain documentation showing 
that the required privacy training was completed by the employee and, 
upon request, provide completion documentation to the contracting 
officer. In this regard, the same philosophy expressed in the preamble 
for the proposed rule holds true for the final rule as well, i.e., the 
recordkeeping requirements are considered to be minor and a contracting 
officer will request documentation only when necessary to ensure 
effective management and oversight.
    However, since the analysis used in the proposed rule did not 
consider contracts involving the acquisition of commercial items, the 
methodology used to derive the estimated public burden needed to be 
adjusted to encompass these contracts. In addition, the estimated 
public burden hours vary from the estimates in the notice published in 
the Federal Register at 79 FR 68249, on November 14, 2014, in order to 
reflect the use of FY 2015 data, rather than FY 2014 data.

List of Subjects in 48 CFR parts 1, 24, and 52

    Government procurement.

    Dated: December 9, 2016.
William Clark,
Director, Office of Government-wide Acquisition Policy, Office of 
Acquisition Policy, Office of Government-wide Policy.
    Therefore, DoD, GSA, and NASA amend 48 CFR parts 1, 24, and 52 as 
set forth below:

0
1. The authority citation for 48 CFR parts 1, 24, and 52 continues to 
read as follows:


[[Page 93480]]


    Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 51 
U.S.C. 20113.

PART 1--FEDERAL ACQUISITION REGULATIONS SYSTEM


1.106  [Amended]

0
2. Amend section 1.106 in the table following the introductory text, by 
adding in numerical sequence, FAR segments ``24.3'' and ``52.224-3'' 
and their corresponding OMB Control Number ``9000-0182''.

PART 24--PROTECTION OF PRIVACY AND FREEDOM OF INFORMATION

0
3. Amend section 24.101 by adding in alphabetical order the definition 
of ``personally identifiable information'' to read as follows:


24.101  Definitions.

* * * * *
    Personally identifiable information means information that can be 
used to distinguish or trace an individual's identity, either alone or 
when combined with other information that is linked or linkable to a 
specific individual. (See Office of Management and Budget (OMB) 
Circular No. A-130, Managing Federal Information as a Strategic 
Resource).
* * * * *

0
4. Add subpart 24.3 to read as follows:
Subpart 24.3--Privacy Training
Sec.
24.301 Privacy training.
24.302 Contract clause.

Subpart 24.3--Privacy Training


24.301  Privacy training.

    (a) Contractors are responsible for ensuring that initial privacy 
training, and annual privacy training thereafter, is completed by 
contractor employees who--
    (1) Have access to a system of records;
    (2) Create, collect, use, process, store, maintain, disseminate, 
disclose, dispose, or otherwise handle personally identifiable 
information on behalf of the agency; or
    (3) Design, develop, maintain, or operate a system of records (see 
FAR subpart 24.1 and 39.105).
    (b) Privacy training shall address the key elements necessary for 
ensuring the safeguarding of personally identifiable information or a 
system of records. The training shall be role-based, provide 
foundational as well as more advanced levels of training, and have 
measures in place to test the knowledge level of users. At a minimum, 
the privacy training shall cover--
    (1) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), 
including penalties for violations of the Act;
    (2) The appropriate handling and safeguarding of personally 
identifiable information;
    (3) The authorized and official use of a system of records or any 
other personally identifiable information;
    (4) The restriction on the use of unauthorized equipment to create, 
collect, use, process, store, maintain, disseminate, disclose, dispose, 
or otherwise access personally identifiable information;
    (5) The prohibition against the unauthorized use of a system of 
records or unauthorized disclosure, access, handling, or use of 
personally identifiable information; and
    (6) Procedures to be followed in the event of a suspected or 
confirmed breach of a system of records or unauthorized disclosure, 
access, handling, or use of personally identifiable information (see 
Office of Management and Budget guidance for Preparing for and 
Responding to a Breach of Personally Identifiable Information).
    (c) The contractor may provide its own training or use the training 
of another agency unless the contracting agency specifies that only its 
agency-provided training is acceptable (see 24.302(b)).
    (d) The contractor is required to maintain and, upon request, to 
provide documentation of completion of privacy training for all 
applicable employees.
    (e) No contractor employee shall be permitted to have or retain 
access to a system of records, create, collect, use, process, store, 
maintain, disseminate, disclose, or dispose, or otherwise handle 
personally identifiable information, or design, develop, maintain, or 
operate a system of records, unless the employee has completed privacy 
training that, at a minimum, addresses the elements in paragraph (b) of 
this section.


24.302   Contract clause.

    (a) The contracting officer shall insert the clause at FAR 52.224-
3, Privacy Training, in solicitations and contracts when, on behalf of 
the agency, contractor employees will--
    (1) Have access to a system of records;
    (2) Create, collect, use, process, store, maintain, disseminate, 
disclose, dispose, or otherwise handle personally identifiable 
information; or
    (3) Design, develop, maintain, or operate a system of records.
    (b) When an agency specifies that only its agency-provided training 
is acceptable, use the clause with its Alternate I.

PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

0
5. Amend section 52.212-5 by--
0
a. Revising the date of the clause;
0
b. Redesignating paragraphs (b)(47) through (60) as paragraphs (b)(48) 
through (61), respectively;
0
c. Adding a new paragraph (b)(47);
0
d. Redesignating paragraphs (e)(1)(xix) through (xx) as paragraphs 
(e)(1)(xx) through (xxi), respectively;
0
e. Adding a new paragraph (e)(1)(xix);
0
(f.) Revising the date of Alternate II;
0
(1.) Redesignating paragraphs (e)(1)(ii)(S) and (T) as paragraphs 
(e)(1)(ii)(T) and (U), respectively; and
0
(2.) Adding a new paragraph (e)(1)(ii)(S).
    The revisions and additions read as follows:


52.212-5  Contract Terms and Conditions Required To Implement Statutes 
or Executive Orders--Commercial Items.

* * * * *

Contract Terms and Conditions Required To Implement Statues of 
Executive Orders--Commercial Items (JAN 2017)

* * * * *
    (b) * * *
    (47)(i) 52.224-3, Privacy Training (JAN 2017) (5 U.S.C. 552a).
    (ii) Alternate I (JAN 2017) of 52.224-3.
* * * * *
    (e)(1) * * *
    (xix)(A) 52.224-3, Privacy Training (JAN 2017) (5 U.S.C. 552a).
    (B) Alternate I (JAN 2017) of 52.224-3.
* * * * *
    Alternate II (JAN 2017).
* * * * *
    (e)(1) * * *
    (ii) * * *
    (S)(1) 52.224-3, Privacy Training (JAN 2017) (5 U.S.C. 552a).
    (2) Alternate I (JAN 2017) of 52.224-3.
* * * * *

0
6. Amend section 52.213-4 by--
0
a. Revising the date of the clause; and
0
b. Revising the date in paragraph (a)(2)(viii).
    The revisions read as follows:


52.213-4  Terms and Conditions--Simplified Acquisitions (Other Than 
Commercial Items).

* * * * *

Terms and Conditions--Simplified Acquisitions (Other Than Commercial 
Items) (JAN 2017)

* * * * *
    (a) * * *

[[Page 93481]]

    (2) * * *
    (viii) 52.244-6, Subcontracts for Commercial Items (JAN 2017).
* * * * *

0
7. Add section 52.224-3 to read as follows:


52.224-3  Privacy Training.

    As prescribed in 24.302(a), insert the following clause:

Privacy Training (JAN 2017)

    (a) Definition. As used in this clause, personally identifiable 
information means information that can be used to distinguish or 
trace an individual's identity, either alone or when combined with 
other information that is linked or linkable to a specific 
individual. (See Office of Management and Budget (OMB) Circular A-
130, Managing Federal Information as a Strategic Resource).
    (b) The Contractor shall ensure that initial privacy training, 
and annual privacy training thereafter, is completed by contractor 
employees who--
    (1) Have access to a system of records;
    (2) Create, collect, use, process, store, maintain, disseminate, 
disclose, dispose, or otherwise handle personally identifiable 
information on behalf of an agency; or
    (3) Design, develop, maintain, or operate a system of records 
(see also FAR subpart 24.1 and 39.105).
    (c)(1) Privacy training shall address the key elements necessary 
for ensuring the safeguarding of personally identifiable information 
or a system of records. The training shall be role-based, provide 
foundational as well as more advanced levels of training, and have 
measures in place to test the knowledge level of users. At a 
minimum, the privacy training shall cover--
    (i) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), 
including penalties for violations of the Act;
    (ii) The appropriate handling and safeguarding of personally 
identifiable information;
    (iii) The authorized and official use of a system of records or 
any other personally identifiable information;
    (iv) The restriction on the use of unauthorized equipment to 
create, collect, use, process, store, maintain, disseminate, 
disclose, dispose or otherwise access personally identifiable 
information;
    (v) The prohibition against the unauthorized use of a system of 
records or unauthorized disclosure, access, handling, or use of 
personally identifiable information; and
    (vi) The procedures to be followed in the event of a suspected 
or confirmed breach of a system of records or the unauthorized 
disclosure, access, handling, or use of personally identifiable 
information (see OMB guidance for Preparing for and Responding to a 
Breach of Personally Identifiable Information).
    (2) Completion of an agency-developed or agency-conducted 
training course shall be deemed to satisfy these elements.
    (d) The Contractor shall maintain and, upon request, provide 
documentation of completion of privacy training to the Contracting 
Officer.
    (e) The Contractor shall not allow any employee access to a 
system of records, or permit any employee to create, collect, use, 
process, store, maintain, disseminate, disclose, dispose or 
otherwise handle personally identifiable information, or to design, 
develop, maintain, or operate a system of records unless the 
employee has completed privacy training, as required by this clause.
    (f) The substance of this clause, including this paragraph (f), 
shall be included in all subcontracts under this contract, when 
subcontractor employees will--
    (1) Have access to a system of records;
    (2) Create, collect, use, process, store, maintain, disseminate, 
disclose, dispose, or otherwise handle personally identifiable 
information; or
    (3) Design, develop, maintain, or operate a system of records.


(End of clause)

    Alternate I (JAN 2017). As prescribed in 24.302(b), if the agency 
specifies that only its agency-provided training is acceptable, 
substitute the following paragraph (c) for paragraph (c) of the basic 
clause:

    (c) The contracting agency will provide initial privacy 
training, and annual privacy training thereafter, to Contractor 
employees for the duration of this contract.


0
8. Amend section 52.244-6 by--
0
a. Revising the date of the clause;
0
b. Redesignating paragraphs (c)(1)(xv) through (xvii) as paragraphs 
(c)(1)(xvi) through (xviii), respectively; and
0
c. Adding a new paragraph (c)(1)(xv).
    The revisions and additions read as follows:


52.244-6  Subcontracts for Commercial Items.

* * * * *

Subcontracts for Commercial Items (JAN 2017)

* * * * *
    (c)(1) * * *
    (xv)(A) 52.224-3, Privacy Training (JAN 2017) (5 U.S.C. 552a) if 
flow down is required in accordance with 52.224-3(f).
    (B) Alternate I (JAN 2017) of 52.224-3, if flow down is required in 
accordance with 52.224-3(f) and the agency specifies that only its 
agency-provided training is acceptable).
* * * * *
[FR Doc. 2016-30213 Filed 12-19-16; 8:45 am]
 BILLING CODE 6820-EP-P