Effective January 19th, 2017, the final FAR rule requires privacy training for federal contractors and any of their subcontract employees who handle personally identifiable information (PII). PII includes information that can be used to trace an individual’s identity such as date and place of birth, mother’s maiden name, social security number, etc. The contracting officer will insert a privacy training clause in solicitations and contracts if required.
The minimum key components of the required privacy training include:
- appropriate use and handling of PII;
- restrictions on the use of unauthorized equipment to create, collect, use and store PII;
- procedures to follow in the event of a potential or confirmed breach of systems;
- and penalties for violating privacy policies.
Contractors must ensure that employees are trained prior to granting them access to a system of records or to any PII. Following the initial training, employees must receive additional training on an annual basis. Contractors must have available and be able to provide documentation of the completed privacy training upon request.