Federal Acquisition Regulation; Privacy Training

SUMMARY

DoD, GSA, and NASA are issuing a final rule amending the Federal Acquisition Regulation (FAR) to require that contractors, whose employees have access to a system of records or handle personally identifiable information, complete privacy training.

 
CONTENT

Federal Register, Volume 81 Issue 244 (Tuesday, December 20, 2016)

Federal Register Volume 81, Number 244 (Tuesday, December 20, 2016)

Rules and Regulations

Pages 93476-93481

From the Federal Register Online via the Government Publishing Office www.gpo.gov

FR Doc No: 2016-30213

-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR parts 1, 24, and 52

FAC 2005-94; FAR Case 2010-013; Item I; Docket No. 2010-0013; Sequence No. 1

RIN 9000-AM06

Federal Acquisition Regulation; Privacy Training

AGENCY: Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: DoD, GSA, and NASA are issuing a final rule amending the Federal Acquisition Regulation (FAR) to require that contractors, whose

Page 93477

employees have access to a system of records or handle personally identifiable information, complete privacy training.

DATES: Effective: January 19, 2017.

FOR FURTHER INFORMATION CONTACT: Mr. Charles Gray, Procurement Analyst, at 703-795-6328 for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat Division at 202-501-4755. Please cite FAC 2005-94, FAR Case 2010-013.

SUPPLEMENTARY INFORMATION:

I. Background

DoD, GSA, and NASA published a proposed rule in the Federal Register at 76 FR 63896 on October 14, 2011, to provide guidance to contractors regarding the requirement to complete training that addresses the protection of privacy in accordance with the Privacy Act of 1974, 5 U.S.C. 552a, as amended, and the handling and safeguarding of personally identifiable information (PII). The rule ensures that contractors identify employees who handle PII, have access to a system of records, or design, develop, maintain, or operate a system of records. These employees are required to complete initial privacy training and annual privacy training thereafter. A contractor who has employees involved in these activities is also required to maintain records indicating that its employees have completed the requisite training and provide these records to the contracting officer upon request. In addition, the prime contractor is required to flow-down these requirements to all applicable subcontracts.

Fifteen respondents submitted comments, including comments regarding the Initial Regulatory Flexibility Analysis (IRFA), and the Paperwork Reduction Act (PRA) analysis.

II. Discussion and Analysis

The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (the Councils) reviewed the public comments in the development of the final rule. A discussion of the comments and the changes made to the rule as a result of those comments is provided as follows (comments pertaining to the IRFA and PRA analysis are addressed in sections V and VI of this preamble):

A. Summary of Significant Changes

The final rule clarifies the responsibilities for contractors awarded contracts involving access to PII and streamlines the options for providing training. These clarifications include--

Alternate I of the clause is amended to replace the proposed text, which gave the option to agencies to have contractors furnish their own training materials. The final rule no longer contains this option and what was Alternate II in the proposed rule now becomes Alternate I in the final rule; and

The applicability of the rule to commercial items is clarified.

The final rule also provides a number of clarifications consistent with Office of Management and Budget (OMB) Circular A-130, which was revised on July 28, 2016. These clarifications address the substance of the minimal privacy training requirements, to include--

A revised definition for PII;

The requirement for foundational as well as more advanced levels of privacy training;

The requirement for there to be measures in place to test the knowledge level of the employee; and

The requirement for role-based privacy training.

B. Analysis of Public Comments

1. Requests To Withdraw the Proposed Rule

Comment: Several respondents suggested that the proposed rule should be withdrawn, given the ``considerable burden implications and the fact that the proposed rule does not provide compelling justification.'' These respondents stated that withdrawing the rule would ``avoid causing confusion and redundancy.'' The respondents noted that the requirements of the Privacy Act have been in place for 35 years and stated that the Councils did not explain why the Government believes ``that additional protections are now needed.''

Response: There are a number of applicable authorities, beyond the Privacy Act, that address the responsibility for Federal agencies to ensure that Government and contractor personnel are instructed on compliance requirements with the laws, rules, and guidance pertaining to handling and safeguarding PII. This rule establishes minimum requirements consistent with those authorities to ensure consistency across the Government.

Further, the increasing portability of data and various instances of loss or potential disclosure of protected information have resulted in greater scrutiny regarding the Government's information collection practices and information security management.

2. Applicability to Commercial Item Contracts

Comment: Several respondents expressed concern with the applicability to commercial item contracts. The respondents considered that excluding commercial item contracts from the privacy training requirement failed to take into account the Government's increased use of FAR part 12 purchases; that training on the improper release of Privacy Act information should not exempt FAR part 12 contracts; and, overall, the decision to exempt commercial item contracts would not serve the Government's best interests. One respondent had a different perspective on the proposed rule, and complimented the FAR Council for exempting commercial item contracts from the privacy training requirement. However, the respondent noted that this policy was not reflected in the proposed rule's clause or clause prescription. This respondent also recommended that all subcontracts for commercial items be exempted from the privacy training requirement.

Response: The final rule clarifies that the privacy training requirement applies to contracts and subcontracts for commercial items when they involve access to a system of records. Exempting commercial item contracts and subcontracts would exclude a significant portion of Government contracts that involve the design, development, operation, or maintenance of a system of records and would therefore diminish the effectiveness of the rule.

3. Training

Comment: Respondents had multiple concerns related to the content of the required training, such as whether the training would be best developed by the agency or by the contractor and which contractor employees should be required to take the training. Several respondents questioned the efficacy of having contractor employees who work under more than one agency's contracts potentially taking multiple courses. Other respondents questioned who would decide if the training would be provided by the agency or by the contractor, e.g., could the contractor decide to forego an agency course in favor of its own course? One respondent recommended that training include instruction on the Privacy Act's transparency requirements. Another respondent questioned how agencies would be held responsible for providing the training in a timely manner. Other respondents questioned which

Page 93478

contractor employees should be required to complete the training, whether subcontractors would be required to take the training, and whether certain professional positions, such as psychologists, should be exempt from the training based on their professional training.

Response: The final rule allows the contractor flexibility to utilize privacy training from any source that meets the minimum content requirements, unless the agency specifies in the contract that only agency-provided training is acceptable (by using the clause with its Alternate I, as specified at FAR 24.302(b)). This guidance on flexibility is also provided directly in the clause at 52.224-3(c)(2). This is intended to minimize or eliminate duplicative or overlapping training. Initial training is required and annual training thereafter.

Finally, consistent with the revisions made to OMB Circular A-130, the requirements for privacy training at 24.301(b) and the clause at 52.224-3(c) are clarified to ensure privacy training is role-based, provides foundational as well as more advanced levels of training, and that measures are in place to test the knowledge level of users. At a minimum, privacy training shall cover--

The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;

The appropriate handling and safeguarding of PII;

The authorized and official use of a system of records or any other PII;

Restrictions on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access, or store PII;

The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII or systems of records; and

Procedures to be followed in the event of a potential or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of PII.

4. Flowdown

Comment: A respondent noted that, where the prime contractor is covered by the rule, the training requirement will likely flow down to subcontractors and lower tier contractors. Accordingly, the respondent recommended that the mandatory provision at 52.224-3(d) include a provision that exempts from the mandatory flow down any subcontract(s) specific to commercial items.

Response: The requirements of this rule will flow down to all subcontractors involved with the handling and safeguarding of PII. These protections are necessary when the work requires contractor employees and subcontractor employees to have access to systems of records, handling PII, or the design, development, maintenance, or operation of a system of records on behalf of the Federal Government.

5. Definitions

Comment: A respondent recommended including definitions of ``restrictions,'' as used in FAR 24.301(c)(4) and Alternate I, and ``access,'' as used in FAR 24.301, 24.302, and the clause at 52.224-3.

Response: These are not unique words. Therefore, the Councils will use the standard dictionary definitions for these terms.

6. Accountability and Audit

Comment: One respondent recommended that, during an audit, the contractor must produce a list of the individuals who completed training, or have a copy of the employee's training certificate in the employee's personnel records.

Response: The final rule requires the contractor to maintain privacy training documentation and provide it upon request to the Government agency making the request. This may be requested, when necessary, to ensure effective management and oversight of this annual privacy training requirement.

7. Other Comments

Comment: One respondent recommended that FAR 24.302 be revised to clarify who is responsible for determining whether the Statement of Work involves a system of records. Another respondent recommended that, if a final rule were promulgated, it would be appropriate to recognize a specific certification.

Response: As with all clause prescriptions, the contracting officer will determine whether the clause applies. In addition, the FAR covers all options for meeting the training requirement.

Comment: Several respondents submitted editorial comments on the proposed rule. One respondent stated that there is no need to create a separate subpart within FAR part 24. In addition, this respondent provided suggestions on the proper format for citations within the FAR. Another respondent recommended additional coverage regarding the Government-provided training method and also recommended a revision to the last sentence in FAR 24.301(b). A third respondent recommended using the term ``personally identifiable'' in lieu of ``privacy.''

Response: The Councils determined that there is a need for a separate subpart 24.3 and have retained it in the final rule. The required training does not encompass solely the Privacy Act; it is only one of the areas listed that must be addressed as part of privacy training.

Other areas include--

The appropriate handling and safeguarding of PII; the authorized and official use of systems of records or any other PII; restrictions on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access, or store PII; the prohibition against unauthorized access, handling, or use of PII or systems of records; and

Procedures to be followed in the event of a suspected or confirmed breach of a system of records or an unauthorized disclosure, access, handling, or use of PII.

This subject matter does not fit within either of the existing subparts of FAR part 24, therefore, a separate subpart 24.3 is needed.

The remaining editorial comments have been considered for inclusion in FAR subpart 24.

III. Applicability to Contracts at or Below the Simplified Acquisition Threshold and for Commercial Items, Including Commercially Available Off-the-Shelf Items

This rule is applicable to contracts and subcontracts at or below the simplified acquisition threshold (SAT) and to contracts and subcontracts for commercial-items, including contracts and subcontracts for commercially available off-the-shelf (COTS) items. The statutory authority for this rule, the Privacy Act of 1974, 5 U.S.C. 552a, predates the exemptions in 41 U.S.C. 1905, 1906, and 1907, which stipulate that a provision of law enacted after October 13, 1994 shall not be made applicable to contracts or subcontracts, unless the FAR Council or the Administrator of the Office of Federal Procurement Policy makes a written determination that such exemption would not be in the best interests of the Federal Government.

IV. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory

Page 93479

approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under Section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

V. Regulatory Flexibility Act

DoD, GSA, and NASA have prepared a final regulatory flexibility analysis (FRFA) consistent with the Regulatory Flexibility Act, 5 U.S.C. 601, et seq. The FRFA is summarized as follows:

The objective of the rule is to ensure that contractor employees complete initial and annual privacy training if the employees have access to a system of records, handle personally identifiable information (PII), or design, develop, maintain, or operate a system of records involving PII on behalf of the Government.

One public comment was received in response to the Initial Regulatory Flexibility Analysis, which was published in the Federal Register at 76 FR 63896 on October 14, 2011:

Comment: The Initial Regulatory Flexibility Analysis (IRFA), which addressed the impact of the rule on small entities, should assess the impact this rule may have on the research community's funding of sponsored research, as this group is likely to be adversely affected by the proposed rule, in the respondent's opinion.

Response: Research institutions are included in the Regulatory Flexibility Act's definition of a small entity and were thus given the same consideration in the IRFA analysis as other small entities. The analysis in this FRFA has been revised to incorporate commercial item contracts. Therefore, the impact on research institutions has been accommodated whether the institution was awarded a negotiated contract or a FAR part 12 commercial item contract. Because the FAR does not address grants or cooperative agreements, the FRFA does not include consideration of such agreements in the analysis. Research institutions, or any other small entities, will not bear any significant impact resulting from this rule, given that the requirements of the Privacy Act, including training on the Act's requirements, have been in place for over 40 years and this rule just establishes minimum requirements for Privacy Act training, to ensure consistency across the Government.

The rule requires all contractors with contracts that require employees to have access to PII to complete training that addresses the statutory requirements for protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a), and the handling and safeguarding of PII.

In the IRFA, it was estimated that approximately 1,483 small businesses would be impacted. However, because the final rule clarifies its applicability to commercial item contracts, the number of small entities previously estimated to be impacted by this rule has been revised as described in the following paragraphs:

Information obtained from the Federal Procurement Data System (FPDS) for fiscal year (FY) 2015 reveals that approximately 10,607 unique vendors received contracts that most likely entailed the design, development, maintenance or operation of a system of records; required access to a system of records; or handled PII from individuals, on behalf of the Government. The estimated number of subcontractors who likewise will be involved in these activities is 21,214, or double the amount of prime contractors. In all, the total number of contractors and subcontractors (including contracts and subcontracts for commercial items) that may be subject to the requirements of this rule is 31,821. Examination of FY 2015 FPDS data also reveals that approximately 61 percent of these contractors and subcontractors are small business entities. Based on this information, the following analysis was used to determine the number of small businesses that may be impacted by this rule:

Small businesses that may receive

contracts = (10,607 x .61): 6,470

Small businesses that may receive

subcontracts = (21,214 x .61): 12,941

Total number of small businesses

that may be impacted by rule: 19,411

There is minimal recordkeeping associated with this rule. Contractors will likely maintain employee training records for privacy training similar to how they maintain their employees' other training records. There are no required formats or templates for documentation, and documentation will be retained by the contractor in most cases. The Government will likely request a firm's training documentation only when necessary to ensure effective management and oversight.

The final rule addresses several steps to minimize the economic impact on small entities, most notably by clarifying responsibilities and streamlining the options for providing privacy training. This final rule also removes from the clause consideration of agency-specific training elements, while retaining the required minimum training elements. Agency-specific training elements are provided in Alternate I of the clause.

Interested parties may obtain a copy of the FRFA from the Regulatory Secretariat Division. The Regulatory Secretariat Division has submitted a copy of the FRFA to the Chief Counsel for Advocacy of the Small Business Administration.

VI. Paperwork Reduction Act

The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The rule contains information collection requirements. OMB has cleared the information collection requirement under OMB Control Number 9000-0182, entitled Privacy Training, in the amount of 97,670 public burden hours.

Two respondents submitted comments in response to the initial notice published in the preamble of the Federal Register notice published at 76 FR 63896, on October 14, 2011. Both of the respondents submitted similar comments as follows:

Comment: The respondents stated that the public's Paperwork Reduction Act estimated annual reporting burden was understated. The respondents believed that (a) requiring contractors to conduct their own privacy training and (b) requiring re-training every year created a greater burden on contractors than what was shown in the proposed rule.

Response: The information collection requirement for this rule does not address the burden associated with conducting the initial or subsequent annual privacy training. Rather, it focuses solely on the obligation of Federal contractors to maintain documentation showing that the required privacy training was completed by the employee and, upon request, provide completion documentation to the contracting officer. In this regard, the same philosophy expressed in the preamble for the proposed rule holds true for the final rule as well, i.e., the recordkeeping requirements are considered to be minor and a contracting officer will request documentation only when necessary to ensure effective management and oversight.

However, since the analysis used in the proposed rule did not consider contracts involving the acquisition of commercial items, the methodology used to derive the estimated public burden needed to be adjusted to encompass these contracts. In addition, the estimated public burden hours vary from the estimates in the notice published in the Federal Register at 79 FR 68249, on November 14, 2014, in order to reflect the use of FY 2015 data, rather than FY 2014 data.

List of Subjects in 48 CFR parts 1, 24, and 52

Government procurement.

Dated: December 9, 2016.

William Clark,

Director, Office of Government-wide Acquisition Policy, Office of Acquisition Policy, Office of Government-wide Policy.

Therefore, DoD, GSA, and NASA amend 48 CFR parts 1, 24, and 52 as set forth below:

0

1. The authority citation for 48 CFR parts 1, 24, and 52 continues to read as follows:

Page 93480

Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 51 U.S.C. 20113.

PART 1--FEDERAL ACQUISITION REGULATIONS SYSTEM

1.106 Amended

0

2. Amend section 1.106 in the table following the introductory text, by adding in numerical sequence, FAR segments ``24.3'' and ``52.224-3'' and their corresponding OMB Control Number ``9000-0182''.

PART 24--PROTECTION OF PRIVACY AND FREEDOM OF INFORMATION

0

3. Amend section 24.101 by adding in alphabetical order the definition of ``personally identifiable information'' to read as follows:

24.101 Definitions.

* * * * *

Personally identifiable information means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. (See Office of Management and Budget (OMB) Circular No. A-130, Managing Federal Information as a Strategic Resource).

* * * * *

0

4. Add subpart 24.3 to read as follows:

Subpart 24.3--Privacy Training

Sec.

24.301 Privacy training.

24.302 Contract clause.

Subpart 24.3--Privacy Training

24.301 Privacy training.

(a) Contractors are responsible for ensuring that initial privacy training, and annual privacy training thereafter, is completed by contractor employees who--

(1) Have access to a system of records;

(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information on behalf of the agency; or

(3) Design, develop, maintain, or operate a system of records (see FAR subpart 24.1 and 39.105).

(b) Privacy training shall address the key elements necessary for ensuring the safeguarding of personally identifiable information or a system of records. The training shall be role-based, provide foundational as well as more advanced levels of training, and have measures in place to test the knowledge level of users. At a minimum, the privacy training shall cover--

(1) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;

(2) The appropriate handling and safeguarding of personally identifiable information;

(3) The authorized and official use of a system of records or any other personally identifiable information;

(4) The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access personally identifiable information;

(5) The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information; and

(6) Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information (see Office of Management and Budget guidance for Preparing for and Responding to a Breach of Personally Identifiable Information).

(c) The contractor may provide its own training or use the training of another agency unless the contracting agency specifies that only its agency-provided training is acceptable (see 24.302(b)).

(d) The contractor is required to maintain and, upon request, to provide documentation of completion of privacy training for all applicable employees.

(e) No contractor employee shall be permitted to have or retain access to a system of records, create, collect, use, process, store, maintain, disseminate, disclose, or dispose, or otherwise handle personally identifiable information, or design, develop, maintain, or operate a system of records, unless the employee has completed privacy training that, at a minimum, addresses the elements in paragraph (b) of this section.

24.302 Contract clause.

(a) The contracting officer shall insert the clause at FAR 52.224-

3, Privacy Training, in solicitations and contracts when, on behalf of the agency, contractor employees will--

(1) Have access to a system of records;

(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information; or

(3) Design, develop, maintain, or operate a system of records.

(b) When an agency specifies that only its agency-provided training is acceptable, use the clause with its Alternate I.

PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

0

5. Amend section 52.212-5 by--

0

a. Revising the date of the clause;

0

b. Redesignating paragraphs (b)(47) through (60) as paragraphs (b)(48) through (61), respectively;

0

c. Adding a new paragraph (b)(47);

0

d. Redesignating paragraphs (e)(1)(xix) through (xx) as paragraphs (e)(1)(xx) through (xxi), respectively;

0

e. Adding a new paragraph (e)(1)(xix);

0

(f.) Revising the date of Alternate II;

0

(1.) Redesignating paragraphs (e)(1)(ii)(S) and (T) as paragraphs (e)(1)(ii)(T) and (U), respectively; and

0

(2.) Adding a new paragraph (e)(1)(ii)(S).

The revisions and additions read as follows:

52.212-5 Contract Terms and Conditions Required To Implement Statutes or Executive Orders--Commercial Items.

* * * * *

Contract Terms and Conditions Required To Implement Statues of Executive Orders--Commercial Items (JAN 2017)

* * * * *

(b) * * *

(47)(i) 52.224-3, Privacy Training (JAN 2017) (5 U.S.C. 552a).

(ii) Alternate I (JAN 2017) of 52.224-3.

* * * * *

(e)(1) * * *

(xix)(A) 52.224-3, Privacy Training (JAN 2017) (5 U.S.C. 552a).

(B) Alternate I (JAN 2017) of 52.224-3.

* * * * *

Alternate II (JAN 2017).

* * * * *

(e)(1) * * *

(ii) * * *

(S)(1) 52.224-3, Privacy Training (JAN 2017) (5 U.S.C. 552a).

(2) Alternate I (JAN 2017) of 52.224-3.

* * * * *

0

6. Amend section 52.213-4 by--

0

a. Revising the date of the clause; and

0

b. Revising the date in paragraph (a)(2)(viii).

The revisions read as follows:

52.213-4 Terms and Conditions--Simplified Acquisitions (Other Than Commercial Items).

* * * * *

Terms and Conditions--Simplified Acquisitions (Other Than Commercial Items) (JAN 2017)

* * * * *

(a) * * *

Page 93481

(2) * * *

(viii) 52.244-6, Subcontracts for Commercial Items (JAN 2017).

* * * * *

0

7. Add section 52.224-3 to read as follows:

52.224-3 Privacy Training.

As prescribed in 24.302(a), insert the following clause:

Privacy Training (JAN 2017)

(a) Definition. As used in this clause, personally identifiable information means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. (See Office of Management and Budget (OMB) Circular A-

130, Managing Federal Information as a Strategic Resource).

(b) The Contractor shall ensure that initial privacy training, and annual privacy training thereafter, is completed by contractor employees who--

(1) Have access to a system of records;

(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information on behalf of an agency; or

(3) Design, develop, maintain, or operate a system of records (see also FAR subpart 24.1 and 39.105).

(c)(1) Privacy training shall address the key elements necessary for ensuring the safeguarding of personally identifiable information or a system of records. The training shall be role-based, provide foundational as well as more advanced levels of training, and have measures in place to test the knowledge level of users. At a minimum, the privacy training shall cover--

(i) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;

(ii) The appropriate handling and safeguarding of personally identifiable information;

(iii) The authorized and official use of a system of records or any other personally identifiable information;

(iv) The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise access personally identifiable information;

(v) The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information; and

(vi) The procedures to be followed in the event of a suspected or confirmed breach of a system of records or the unauthorized disclosure, access, handling, or use of personally identifiable information (see OMB guidance for Preparing for and Responding to a Breach of Personally Identifiable Information).

(2) Completion of an agency-developed or agency-conducted training course shall be deemed to satisfy these elements.

(d) The Contractor shall maintain and, upon request, provide documentation of completion of privacy training to the Contracting Officer.

(e) The Contractor shall not allow any employee access to a system of records, or permit any employee to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise handle personally identifiable information, or to design, develop, maintain, or operate a system of records unless the employee has completed privacy training, as required by this clause.

(f) The substance of this clause, including this paragraph (f), shall be included in all subcontracts under this contract, when subcontractor employees will--

(1) Have access to a system of records;

(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information; or

(3) Design, develop, maintain, or operate a system of records.

(End of clause)

Alternate I (JAN 2017). As prescribed in 24.302(b), if the agency specifies that only its agency-provided training is acceptable, substitute the following paragraph (c) for paragraph (c) of the basic clause:

(c) The contracting agency will provide initial privacy training, and annual privacy training thereafter, to Contractor employees for the duration of this contract.

0

8. Amend section 52.244-6 by--

0

a. Revising the date of the clause;

0

b. Redesignating paragraphs (c)(1)(xv) through (xvii) as paragraphs (c)(1)(xvi) through (xviii), respectively; and

0

c. Adding a new paragraph (c)(1)(xv).

The revisions and additions read as follows:

52.244-6 Subcontracts for Commercial Items.

* * * * *

Subcontracts for Commercial Items (JAN 2017)

* * * * *

(c)(1) * * *

(xv)(A) 52.224-3, Privacy Training (JAN 2017) (5 U.S.C. 552a) if flow down is required in accordance with 52.224-3(f).

(B) Alternate I (JAN 2017) of 52.224-3, if flow down is required in accordance with 52.224-3(f) and the agency specifies that only its agency-provided training is acceptable).

* * * * *

FR Doc. 2016-30213 Filed 12-19-16; 8:45 am

BILLING CODE 6820-EP-P